I’m developing a little jQuery selector game. Essentially, you’re given some HTML code, and you have to write the jQuery selector to select the highlighted item.
For example, say you have:
<body>
<p id="winner">Select this paragraph</p>
<p> But not this one </p>
</body>
And one of the correct selectors would be $('#winner')
I currently plan on grabbing the string within the “$(' … ')” (where the …’s are) and doing something like this:
var userInput = ...
var userSelectedItems = new Array();
userSelectedItems = $(userInput)
// Check if userSelectedItems == the array of elements supposed to be selected
// Change screen to green and allow users to press enter and continue to next challenge.
Now, I know that if you allow users to directly enter some PHP or something, all sorts of bad things can happen, but is there anything wrong with essentially allowing users to enter/execute this kind of JavaScript command? If so, how do you propose I get around this situation? I’d really enjoy making this educational game, so any help is greatly appreciated. I can’t really see any way it could be dangerous because it’s all run on the client’s computer, right? I don’t know though, maybe I’m missing something.
Thanks
Anything on the client-side is always susceptible to changes done by the end-user.
However, if you aren’t saving any information to a database and there aren’t any competitive conditions with regards to this game, I would not worry about any security issues that may arise. You can always sanitize client input within your own JavaScript to ensure that non-technical users may not change game states during the process.
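One way to do the input check the answer mentions, as an added example that is not part of either post: the player's text is only ever interpreted as a selector and is matched inside the challenge markup, never handed to `$()`, which builds elements from strings that look like HTML. The names `extractSelector`, `sameElements`, `checkAnswer` and the `root` parameter are assumptions made for this sketch.

```javascript
// Added example; all function names here are hypothetical.

// Pull the selector out of input typed as $('...') or $("...").
// Returns null for anything else. Strings containing '<' are refused
// (a conservative rule) because $() would parse them as markup.
function extractSelector(input) {
  const m = /^\s*\$\(\s*(['"])(.*)\1\s*\)\s*;?\s*$/.exec(input);
  if (!m) return null;
  const selector = m[2].trim();
  if (selector === '' || selector.includes('<')) return null;
  return selector;
}

// True when both collections hold exactly the same nodes, in any order.
function sameElements(found, expected) {
  const a = Array.from(found);
  const b = new Set(expected);
  return a.length === b.size && a.every((el) => b.has(el));
}

// root: the element that holds the challenge HTML, so the game's own
// controls cannot be selected. querySelectorAll treats the string as a
// selector only and throws on malformed input instead of guessing.
function checkAnswer(root, input, expected) {
  const selector = extractSelector(input);
  if (selector === null) return { ok: false, reason: 'not a selector' };
  let found;
  try {
    found = root.querySelectorAll(selector);
  } catch (e) {
    return { ok: false, reason: 'invalid selector' };
  }
  return { ok: sameElements(found, expected), reason: null };
}
```

In a jQuery page, `$(root).find(selector)` in place of `root.querySelectorAll(selector)` keeps the same selector-only handling and also accepts jQuery extensions such as `:first`.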