I've been thinking, how is the onClick tag secure (as well as other tags)? I mean, Anyone can put whatever javascript they want to execute when they trigger the onClick, what prevents someone from injecting malicious code?
asked Nov 19, 2014 at 0:28 by Victor

Comments:
- What prevents someone from just running any JS they want in the console? That's why you don't rely on client-side security alone. – Kai Qing, Nov 19, 2014 at 0:29
- So you would have to enforce security by yourself? Or does the system come with defenses against the injections? – Victor, Nov 19, 2014 at 0:30
4 Answers
The browser client is inherently insecure. It is a completely insecure execution environment and you cannot really secure it in any way.

The way to think about this is that you do NOT control what happens in the browser. All sorts of code can be injected, modified or run in any browser (via bookmarklets, the console, direct DOM manipulation including adding arbitrary onclick handlers, proxy modification, debugging tools, etc.). So, your client is inherently insecure. Once you accept that the browser is fundamentally insecure, it's easier to understand what you need to do on your server.
That's why YOU have to validate and sanitize any results that arrive at your server from a client. You must do this on the server in order to prevent bad data from getting into your server. You must not trust that any data being sent to you is correct or valid. Instead, you must validate it completely on the server before using it.

You can think of it this way: any form submission, Ajax call, URL with query arguments, or structured URL that your server accepts is an API call to your server, and you have no idea who is using that API or whether they are using it correctly. Thus, you must assume nothing about the validity of the data or request as it arrives until you've checked it yourself on the server to see if everything is valid.

FYI, there are various techniques such as "data or function hiding in closures", code obfuscation, etc. that make it more difficult for someone to mess with certain parts of your Javascript. But it is important to understand that these are only temporary roadblocks to the determined or skilled hacker; they do not offer actual security and should not be relied upon for security. The skilled hacker can literally replace your entire Javascript with their own modified version, which pretty much means there's nothing you can do in your client-side Javascript to protect it.
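A worked example of the server-side stance this answer takes, added here and not part of the original answer or of any library's API: a Node.js handler that treats an order form submission as an untrusted API call. The catalog, the field names (sku, qty, email), the quantity limit and the function names are assumptions made for the example. Nothing that arrives in the body is used until it has been type- and range-checked, and the total is computed from the server-side price whatever the client claimed.

```javascript
// Added example (not from the original answer): server-side validation of a
// form submission treated as an untrusted API call. Catalog, field names and
// limits are assumptions for the example. Runs under Node.js, no dependencies.

// Server-side source of truth for prices. A Map is used so that keys such as
// "constructor" or "__proto__" sent by a client cannot hit Object.prototype.
const CATALOG = new Map([
  ['sku-100', { name: 'Widget', priceCents: 1999 }],
  ['sku-200', { name: 'Gadget', priceCents: 4999 }],
]);
const MAX_QTY = 50;
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;

// Validate the decoded request body. Returns either
//   { ok: true, order }   containing only server-validated fields, or
//   { ok: false, errors } listing every failed check.
function validateOrder(body) {
  // JSON.parse can yield null, arrays, numbers or strings; only a plain
  // object is acceptable here.
  if (typeof body !== 'object' || body === null || Array.isArray(body)) {
    return { ok: false, errors: ['body must be a JSON object'] };
  }
  const errors = [];

  // sku: allow-listed against the catalog. The fact that a client-side
  // <select> offered a value says nothing about what actually arrives.
  const item = typeof body.sku === 'string' ? CATALOG.get(body.sku) : undefined;
  if (!item) errors.push('unknown sku');

  // qty: digits only, then range-checked. parseInt would accept "10e2" as 10
  // and Number() would accept "1e3", so the string form is checked first.
  const qtyStr = String(body.qty);
  const qty = /^\d{1,3}$/.test(qtyStr) ? Number(qtyStr) : NaN;
  if (!(qty >= 1 && qty <= MAX_QTY)) errors.push(`qty must be 1..${MAX_QTY}`);

  // email: shape and length only; real verification means sending mail.
  const email = typeof body.email === 'string' ? body.email.trim().toLowerCase() : '';
  if (email.length > 254 || !EMAIL_RE.test(email)) errors.push('invalid email');

  if (errors.length) return { ok: false, errors };

  // Build a fresh object rather than copying body: copying would carry along
  // anything the client added (a "totalCents" or "isAdmin" field, say). The
  // total comes from the server-side price, whatever the client claimed.
  return {
    ok: true,
    order: { sku: body.sku, qty, email, totalCents: item.priceCents * qty },
  };
}

// What a route handler would call: raw request body in, status + body out.
function handleOrder(rawBody) {
  let parsed;
  try {
    parsed = JSON.parse(rawBody);
  } catch {
    return { status: 400, body: { errors: ['malformed JSON'] } };
  }
  const result = validateOrder(parsed);
  return result.ok
    ? { status: 200, body: result.order }
    : { status: 400, body: { errors: result.errors } };
}
```

The same checks would be needed whether the request came from your form, from a hand-edited form in the developer console, or from curl; the handler cannot tell the difference, which is the point of the answer.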
Absolutely nothing prevents a client from running malicious javascript or using other developer tools. (e.g., adding form elements)
That's why it's up to you to keep your server-side scripts secure. (Sanitizing user input, etc.)
The problem is not usually whether or not a single user can run any JS in their own browser on their own computer.

The problem is when you are allowed to save that script to the database without sanitising it first and it then gets rendered on the page for everyone else to see and execute. Then, suddenly, they can execute code on other people's machines, steal their details, etc.

In other words, if you allow users to specify HTML markup in their comments, for example, and you don't search that markup for <script> tags, onclick attributes, etc. and remove them before you save it to the database, then you have a potential problem. It becomes an actual problem when you fetch that saved markup from the DB and display it on the page somewhere without removing any JS-related functionality.
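A worked example for the stored-markup case this answer describes, added here and not part of the original answer or of any real sanitizer library: a plain Node.js comparison of the block-list approach the answer describes (strip <script> tags and onclick attributes) with an allow-list sanitizer that only lets named tags and attributes through and HTML-escapes everything else. The tag and attribute lists, function names and sample inputs are constructed for the example. The block-list version is included to show why it falls short: any handler or tag not on the list, such as an onerror attribute on an img, passes straight through.

```javascript
// Added example (not from the original answer): block-list removal of
// <script> and onclick, as the answer describes, next to an allow-list
// sanitizer. Tag lists and inputs are constructed for the example.
// Runs under Node.js with no dependencies.

// Block-list: strip exactly the two things the answer names. Everything not
// on the list survives, which is the weakness of this approach.
function naiveBlocklist(html) {
  return html
    .replace(/<script\b[^>]*>[\s\S]*?<\/script\s*>/gi, '')
    .replace(/\s+onclick\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/gi, '');
}

// Allow-list: only these tags, with only these attributes, reach the output.
// A Map keeps a tag name like "constructor" from matching Object.prototype.
const ALLOWED_TAGS = new Map([
  ['b', []], ['i', []], ['em', []], ['strong', []], ['p', []], ['br', []],
  ['code', []], ['a', ['href']],
]);
const VOID_TAGS = new Set(['br']);

// Text nodes can never form a tag once '<' and '>' are escaped.
function escapeText(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
}
function escapeAttr(s) {
  return escapeText(s).replace(/"/g, '&quot;');
}

// href is kept only for http(s) URLs, same-origin paths or fragments, so
// "javascript:" and every other scheme are rejected by construction.
function safeHref(v) {
  return /^(https?:\/\/|\/(?!\/)|#)/i.test(v.trim());
}

// Tag tokenizer: deliberately simple, it trades fidelity for safety. A '>'
// inside a quoted attribute value ends the tag early; the remainder is then
// escaped as text, which is a safe failure mode.
const TAG_RE = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*)>/g;
const ATTR_RE = /([a-zA-Z_:][-a-zA-Z0-9_:.]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'=<>`]+)))?/g;

function sanitizeHtml(html) {
  let out = '';
  let last = 0;
  for (const m of html.matchAll(TAG_RE)) {
    out += escapeText(html.slice(last, m.index));
    last = m.index + m[0].length;
    const closing = m[1] === '/';
    const name = m[2].toLowerCase();
    const allowedAttrs = ALLOWED_TAGS.get(name);
    if (!allowedAttrs) continue;            // unknown tag: dropped entirely
    if (closing) {
      if (!VOID_TAGS.has(name)) out += `</${name}>`;
      continue;
    }
    let attrs = '';
    for (const a of m[3].matchAll(ATTR_RE)) {
      const attrName = a[1].toLowerCase();
      const value = a[2] ?? a[3] ?? a[4] ?? '';
      if (!allowedAttrs.includes(attrName)) continue;  // drops every on*
      if (attrName === 'href' && !safeHref(value)) continue;
      attrs += ` ${attrName}="${escapeAttr(value)}"`;
    }
    out += `<${name}${attrs}>`;
  }
  out += escapeText(html.slice(last));
  return out;
}
```

Run the same stored comment through both: the block-list leaves <img src=x onerror=alert(1)> untouched because neither pattern matches it, while the allow-list drops the whole tag because img is not on the list. Sanitizing on the way in, as the answer suggests, is fine, but the same escaping or allow-listing is needed at render time as well, since data can reach the database by other routes than the comment form.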
There is no protection. From the developer console/inspect element, you can modify the code in the tag. However, only you can see the modifications that you make in the inspect element, they aren't saved permanently. So other users who visit the site cannot see the code you entered inside of the developer console.
What prevents the people who make the page from putting malicious code into the onclick? Well, it's impossible to have truly dangerous code in javascript; the worst a website can do to a computer is crash the browser. So javascript is pretty safe.