
People will be able to see the javascript confirm link in the status bar of the browser. So, is the code below secure enough, and how can I hide the JavaScript so it doesn't show this: javascript:a = confirm('Are you sure you want to purchase this reward?'); if (a) { location.href='./?page=vote&act=rewards&id=8'} else void(0)

Script:

    if ($_SESSION['nVotePoints'] >= $data['nCost']) {
        // Enough points: the link runs a confirm() and then navigates via GET
        $url = './?page=vote&act=rewards&id=' . $data['id'];
        $confirm = "javascript:a = confirm('Are you sure you want to purchase this reward?'); if (a) { location.href='{$url}'} else void(0)";
        $data['URL'] = $confirm;
    }
    else {
        // Not enough points: the link only shows the "need vote points" message
        $data['URL'] = 'javascript: alert(\'' . stripslashes(Template::GetLangVar('VOTE_NEED_VP')) . '\');';
    }

    $column[$i++] = Template::Load('vote-reward-column', $data);

Kind Regards.

  • You can obfuscate it and make it look weird and unreadable at a glance, but you cannot completely hide a client side script, i.e. JS, from the client. Commented Jun 16, 2013 at 14:46
  • Go ahead and screw it up, that will be the best learning exercise when you know it screwed up and you have to fix it. Try it. Commented Jun 16, 2013 at 14:53
  • You're using the HTTP GET method to change state of the server (="purchasing reward") and that is a bad practice. State-changing actions should always be called via POST, PUT or DELETE. GET actions can be easily called by bots, crawlers, they are stored in browser history etc. Commented Jun 16, 2013 at 15:03
  • In that case it's still vulnerable to CSRF. Commented Jun 16, 2013 at 15:19
  • Exposing the javascript does not seem to be a problem. What do you think is insecure with exposing it? What could the user exploit? I think the end point, the script the user will arrive at when clicking the link, will do the deduction from an account. In that case all they can "exploit" is pay for something on a guessed link if they manipulate the url. Which will cost them. So, I don't really see the insecurity of this? Commented Jun 16, 2013 at 19:32

1 Answer


Keep in mind that even if you could hide the JavaScript, this would not be a secure system. Someone can fire up Wireshark, IE's F12 Developer Tools, Firefox's Firebug, or Chrome's Developer Tools and see exactly which page things go to, or debug any call that touches the DOM, even if your code is complete gibberish.

If you want to secure things like this you can't trust the client, you need to do it on the server. Otherwise someone can write their own code that calls your service, runs no JavaScript at all, and completely bypasses your validation logic.
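Putting the answer's point (the decision has to be made on the server) together with the comments' advice (state changes go over POST, and the request needs a CSRF token), here is an added example in PHP. It is not the asker's code or the site's own: the $rewards array stands in for the database lookup, the session key nVotePoints and the nCost field keep the names used in the question, and csrfToken(), renderPurchaseForm() and handlePurchase() are hypothetical helper names.

```php
<?php
// Added example, not the asker's code or the site's own: the purchase moved
// to a POST form with a CSRF token, and every check done on the server.
// Assumptions (not from the question): $rewards stands in for the database
// lookup; 'nVotePoints' and 'nCost' keep the names used in the question;
// csrfToken(), renderPurchaseForm() and handlePurchase() are hypothetical.
declare(strict_types=1);

session_start();

// Constructed sample data in place of a DB query (id 8 matches the link in the question).
$rewards = [
    8 => ['id' => 8, 'name' => 'Example reward', 'nCost' => 50],
];

/** Issue (or reuse) a per-session CSRF token. */
function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

/**
 * Render the purchase control as a POST form. The confirm() is only a
 * courtesy to the user; nothing on the server relies on it having run.
 */
function renderPurchaseForm(array $reward, int $points): string
{
    // Not enough points: show the message instead of a form (the server re-checks anyway).
    if ($points < (int) $reward['nCost']) {
        return '<p>You need more vote points to purchase this reward.</p>';
    }
    $id  = (int) $reward['id'];
    $tok = htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8');
    return <<<HTML
<form method="post" action="./?page=vote&amp;act=rewards"
      onsubmit="return confirm('Are you sure you want to purchase this reward?');">
  <input type="hidden" name="id" value="{$id}">
  <input type="hidden" name="csrf_token" value="{$tok}">
  <button type="submit">Purchase</button>
</form>
HTML;
}

/**
 * Process a purchase. Every check happens here regardless of what the
 * browser did; the point deduction only occurs on the 'ok' path.
 */
function handlePurchase(string $method, array $post, array &$session, array $rewards): string
{
    if ($method !== 'POST') {
        return 'method_not_allowed';   // a GET link, crawler hit or history entry cannot buy
    }
    if (!isset($post['csrf_token'], $session['csrf_token'])
        || !hash_equals((string) $session['csrf_token'], (string) $post['csrf_token'])) {
        return 'bad_csrf';             // request did not originate from our own form
    }
    $id = filter_var($post['id'] ?? null, FILTER_VALIDATE_INT);
    if ($id === false || !isset($rewards[$id])) {
        return 'unknown_reward';       // guessed or tampered id
    }
    $cost = (int) $rewards[$id]['nCost'];
    if ((int) ($session['nVotePoints'] ?? 0) < $cost) {
        return 'insufficient_points';  // the client-side branch was only a hint
    }
    // Real application: do this inside a DB transaction and write an audit log entry.
    $session['nVotePoints'] = (int) $session['nVotePoints'] - $cost;
    return 'ok';
}

// Routing for the rewards action (stands in for the site's ?page=vote&act=rewards handler).
if (($_GET['page'] ?? '') === 'vote' && ($_GET['act'] ?? '') === 'rewards') {
    if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
        $result = handlePurchase('POST', $_POST, $_SESSION, $rewards);
        http_response_code($result === 'ok' ? 200 : 403);
        echo htmlspecialchars($result, ENT_QUOTES, 'UTF-8');
    } else {
        echo renderPurchaseForm($rewards[8], (int) ($_SESSION['nVotePoints'] ?? 0));
    }
}
```

The confirm() stays visible in the page source, and that is fine: a visitor who removes it, edits the hidden id, or sends their own request still lands in handlePurchase(), which is the only place the decision is made. A plain GET to the link is refused, a forged cross-site POST fails the token check (hash_equals keeps the comparison constant-time), and the points test is repeated server-side, so the client-side branch that hides the link when points are short is purely cosmetic.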
