[Javascript] action="insert"
Nick Fitzsimons
nick at nickfitz.co.uk
Fri Feb 10 12:20:44 CST 2006
Steve Clay wrote:
> Friday, February 10, 2006, 11:34:18 AM, Matt Warden wrote:
>
>>been validated. This is a poor assumption. There are (a) malicious users
>>that would realize this and turn off JavaScript, and (b) white hat users
>>who don't have JavaScript turned on in the first place (probably more
>
>
> Just FYI, there's at least one FF extension I've seen that allows you to
> leave JS on and hand-edit any POST vars before they're sent to the server.
>
> Steve

Not forgetting the old trick of typing script into the location bar.

Take the case where one validates the form using an onsubmit handler
which returns false to prevent submission if some data are invalid. Just
type this into the location bar:

javascript:void(document.forms[0].onsubmit = function(){return true;})

and you can submit without any checks.

You can use similar techniques to change values in the form after the
validation code has run and then submit these invalid values; this is
left as an exercise for the more malevolent reader :-)

Nick.
--
Nick Fitzsimons
http://www.nickfitz.co.uk/
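
The thread's point is that a server cannot assume a POST body passed the page's onsubmit check. The following is an added example, not part of the original post: a server-side validator that re-checks every field of the raw body as received. The field names, limits and sample bodies are hypothetical and constructed for illustration.

```javascript
// Added example: server-side re-validation of a form POST body.
// Field names and rules are hypothetical, chosen for illustration.
const RULES = {
  email:    v => v.length <= 254 && /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(v),
  quantity: v => /^[1-9]\d{0,2}$/.test(v),          // integer 1..999
  comment:  v => v.length <= 500,
};
const REQUIRED = ['email', 'quantity'];

// Validate a raw application/x-www-form-urlencoded body exactly as received.
// Nothing the browser claims to have checked is trusted.
function validateSubmission(rawBody) {
  const errors = [];
  if (typeof rawBody !== 'string' || rawBody.length > 4096) {
    return { ok: false, errors: ['body missing or too large'], values: null };
  }
  const params = new URLSearchParams(rawBody);
  const values = {};
  for (const name of new Set(params.keys())) {
    if (!Object.prototype.hasOwnProperty.call(RULES, name)) {
      errors.push(`unexpected field: ${name}`);
      continue;
    }
    const all = params.getAll(name);
    if (all.length !== 1) {               // repeated field: ambiguous, reject
      errors.push(`field sent ${all.length} times: ${name}`);
      continue;
    }
    const value = all[0].trim();
    if (RULES[name](value)) values[name] = value;
    else errors.push(`invalid value: ${name}`);
  }
  for (const name of REQUIRED) {
    if (!(name in values) && !errors.some(e => e.endsWith(`: ${name}`))) {
      errors.push(`missing field: ${name}`);
    }
  }
  return errors.length ? { ok: false, errors, values: null }
                       : { ok: true, errors, values };
}

// Constructed sample bodies: what the form sends when its onsubmit check runs,
// and what can arrive when that check never ran or values were edited.
const asIntended = 'email=a%40example.org&quantity=3&comment=hello';
const unchecked  = 'email=not-an-address&quantity=-5&quantity=9999&admin=1';
console.log(validateSubmission(asIntended));
console.log(validateSubmission(unchecked));
```

The client-side handler stays useful for user feedback; the accept or reject decision is made only from what this function returns.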