[thelist] Stopping a user submitting a form from the address bar using JS.

Lachlan Cannon luminosity at members.evolt.org
Fri Dec 13 07:50:04 CST 2002

Craig wrote:
> Hi
> I've got a form on a page that uses JavaScript to validate the input.  This
> form is submitted with a button calling a JS function:
> <input type="button" value="Submit"
> onClick="check(form,form.elements.length);">
> The button is not a 'submit' button because after the script has validated the
> input, the script itself submits the form.  However, if I open up this page in
> a browser (IE6) and type 'javascript:document.forms[0].submit()' (without the
> '), it will bypass the validation and submit the form.  How can I stop this?

I'm not sure how you can get around it, but I urge you to reconsider
your tact. You should always provide an alternative method that works
for people who have JavaScript disabled. Besides, you should be doing
server side checking anyway, if not you have a huge security risk on
your hand. If you do it doesn't matter if people circumvent your
checking, because they'll merely lose the convenience, but run up
against the server side stuff which will correct them anyway.
Web: http://illuminosity.net/
E-mail: lach @ illuminosity.net
MSN: luminosity @ members.evolt.org

More information about the thelist mailing list