Is it possible for a visitor to a page to run an arbitrary function specified in the JavaScript for that page from their browser?
For a simple example, if the page has a function to hide a particular element when a button is clicked, can a visitor trigger that function and hide the element without clicking the button, but by calling the function directly somehow?
Yes, the user has full control of the DOM. However, it is possible to reduce what can be accessed by using closures. For instance, if I have:
Then there is no way for the user to get at or change the string. Similarly for functions, unless you make them global variables (or attach them to the
window object). Any property attached to the DOM is accessible too, such as the onclick attribute of elements. However if you use the addEventListener method then I don’t think there’s any way to find it.
Overall, the browser can’t be trusted.
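An added example, not part of the original answer, showing the difference between a global function and a handler kept inside a closure, and that both can still be triggered without a real click. The names makeElement, loadPage, visitorView, hideBanner and label are hypothetical, and the element object is a constructed stand-in for the DOM so the code runs outside a browser.

```javascript
// Constructed stand-in for a DOM element so this runs outside a browser.
function makeElement() {
  const listeners = [];
  return {
    hidden: false,
    onclick: null,
    addEventListener(type, fn) { if (type === "click") listeners.push(fn); },
    // Like HTMLElement.click(): runs the handlers without a real mouse click.
    click() {
      if (this.onclick) this.onclick();
      listeners.forEach((fn) => fn());
    },
  };
}

// Hypothetical page script: one function global, one handler inside a closure.
function loadPage() {
  const banner = makeElement();
  const button = makeElement();
  // Global: any visitor can call hideBanner() by name from the console.
  globalThis.hideBanner = function () { banner.hidden = true; };
  // Closure: `label` and the handler have no name outside this function.
  (function () {
    const label = "constructed sample string";
    button.addEventListener("click", function () {
      banner.hidden = true;
      banner.note = label;
    });
  })();
  return { banner, button };
}

// What code typed into the console can reach, and what it can still trigger.
function visitorView() {
  const { banner, button } = loadPage();
  const view = {
    globalFnReachable: typeof globalThis.hideBanner === "function",
    closureVarReachable: typeof globalThis.label !== "undefined",
    onclickPropertySet: button.onclick !== null,
  };
  globalThis.hideBanner(); // direct call, no click needed
  view.hiddenByDirectCall = banner.hidden;
  banner.hidden = false;
  button.click(); // the closure's handler still runs on a synthetic click
  view.hiddenBySyntheticClick = banner.hidden;
  return view;
}

console.log(visitorView());
```

In a real page the visitor would get the button with document.querySelector, and browser developer tools can display closure variables while paused at a breakpoint, so anything that must be enforced has to be checked on the server.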