
How to prevent html/JavaScript code modification

开发者 https://www.devze.com 2023-01-24 02:18 Source: Internet

I would like to know if there is a way to prevent an HTML page with jQuery or JavaScript from being modified by the user to change its behavior.

A user can modify it using tools such as FireBug or the Google Chrome developer bar to hide or show divs, add event listeners to page elements and so on.

I've seen some web pages showing a blocking div when the page is loaded and a pop-up telling you to answer some question. If you answer it, the div hides and you can see the page normally. But if you try to hide the blocking div using FireBug, the page reloads and there is no way to see the page correctly if you don't answer the question asked in the pop-up.

I want to know how I could prevent the user from doing such things.

Thanks a lot.


It is not possible (which is a very good thing).


To defeat the method described in the question:

  • You can use the keyboard shortcuts to the console/tools (Ctrl+Shift+I in Chrome)
  • You can use the resource/net panel to see the source
  • You can see it at any other level, e.g. Fiddler
  • You can use a bookmarklet for easier access

No, you can't prevent people seeing or modifying your source/script if they want to...the ones you most want to prevent are the most able to circumvent any deterrent (and that's all anything you do is, a deterrent, not a stop) you put in place.


The only way to do it (in my opinion) is to not have the page content load until the user does your desired action. After he answers the question (or whatever) you send an AJAX request for the content (of course, as thejh said, you should also validate the answer on the server, preferably in the same request). So you load page header, banners and anything not critical, but the actual content (say an article on a blog) should not be loaded until the user does your action.

Everything that a user's browser receives belongs to the user, so you can't enforce anything on that.


For sure you can't prevent anybody from doing what he wants to, but you can make changes more difficult.

Take a look at the DOM Events, especially the Mutation Events. Those give you the ability to see when something has changed (attributes, removed/inserted nodes, data in text nodes ...). For example you could build a function that watches some special attributes you wouldn't have to get changed and reload the page, if this happens.


As others have already said, it isn't possible to control what the end user does with data you've sent them.

It may be possible to detect the console object that Firebug and others use, but what can your site do with that information once you've got it? You can't disable Firebug or prevent it from being used, or even know whether it has been used.

The bottom line is that once the web page and JavaScript code have been sent to the browser, it is out of your control.

The closest you can get to what you want is to move some of your code out of Javascript and to the server, where it will be untouchable by the user. However you'll still have to have some client-side code, which will still be at the mercy of malicious users.

The other alternative is to move to Flash or something similar, where the end user doesn't have direct access to the code or the object model. This has its own downsides though, and you'd be bucking the trend, which is to move away from Flash toward HTML5 and Javascript.


It's impossible. When you send code to the client, the client can look at it and modify it. Only code that runs on your server is protected against that.


I don't think it's possible to do that unless you can make sure (or force) users to use browsers that don't have developer tools.


Use AJAX to get remote information; don't send the user all the information, such as answers to polls etc. Get the answer from the server using AJAX after he has picked a choice, for example. Client-side validation is never a good thing; hell, that's how I used to delete other stupid people's databases due to that. Unless people learn properly how things REALLY work, they should get taught the hard way, such as losing everything in a case of a root access vulnerability.

I don't know why HTML has to be blocked; it wasn't blocked since browsers came out. Hell, I could make my own browser with a socket and get HTML transferred right to some textbox and see it in my favorite notepad/editor etc.

As for JavaScript, you can simply send JavaScript commands in the browser address bar (how convenient of browsers in supporting hackers hehe, but it's also used for inter-op communication with other technologies such as Flash, so it has an evil/good side to it, as everything.)

If you didn't know you can just do

javascript: alert('hi');

or if your JavaScript game or whatever has globally scoped variables you can modify them easily

javascript: score=9999;damage=99999;

etc. etc. Like I said, it's all good: it weeds out the bad programmers and gets them fired or teaches them a lesson in the future.

I've seen many big sites still fall to a SIMPLE XSS attack (Cross-site scripting) which is just baffling how these programmers get a job, I'd do a better interview or some shit it's ridiculous
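
The server-side gating that several answers above recommend (validate the answer on the server, return the content in the same AJAX response, never ship the answer to the browser), as an added example that is not part of the original thread. All names, the sample answer, the sample content and the attempt limit are assumptions; the handlers are shown as plain functions that a Node.js HTTP server would call.

```javascript
// Added example, not code from the thread. All names are hypothetical.
const nodeCrypto = require("node:crypto");

// Server-only data: neither value is sent to the browser before the check passes.
const EXPECTED_ANSWER = "blue";                                 // constructed sample
const PROTECTED_HTML = "<article>Full article text</article>"; // constructed sample
const MAX_ATTEMPTS = 3;                                         // assumed limit

const sessions = new Map(); // token -> { unlocked, attempts }

function newSession() {
  const token = nodeCrypto.randomBytes(16).toString("hex");
  sessions.set(token, { unlocked: false, attempts: 0 });
  return token;
}

// Hash both sides so timingSafeEqual always compares equal-length buffers.
function answersMatch(given, expected) {
  const h = (s) => nodeCrypto.createHash("sha256")
    .update(String(s).trim().toLowerCase()).digest();
  return nodeCrypto.timingSafeEqual(h(given), h(expected));
}

// AJAX handler: validates the answer and returns the content in the same response.
function handleUnlock(token, answer) {
  const s = sessions.get(token);
  if (!s) return { status: 401, body: "" };
  if (s.unlocked) return { status: 200, body: PROTECTED_HTML };
  if (s.attempts >= MAX_ATTEMPTS) return { status: 429, body: "" };
  s.attempts += 1;
  if (!answersMatch(answer, EXPECTED_ANSWER)) return { status: 403, body: "" };
  s.unlocked = true;
  return { status: 200, body: PROTECTED_HTML };
}

// Direct content request: hiding the blocking div in dev tools changes nothing
// here, because the unlocked flag lives on the server, not in the DOM.
function handleContent(token) {
  const s = sessions.get(token);
  return s && s.unlocked
    ? { status: 200, body: PROTECTED_HTML }
    : { status: 403, body: "" };
}
```

The browser only ever holds the session token; removing the overlay or editing client-side variables leaves `handleContent` returning 403 with an empty body.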
