How to avoid tampering of javascript / HTML elements


Problem description

In my fiddle I have an example that should only allow a user to click submit by turning the submit button element's disabled property to false based on some calculated JavaScript.

  function enable(TVD) {
    if (TVD[TVD.length - 1] >= trueTVD - 5 && TVD[TVD.length - 1] <= trueTVD + 5) {
      //console.log(TVD[TVD.length - 1]);
      $('#submitButton').prop("disabled", false);
    } else {
      $('#submitButton').prop("disabled", true);
    }
  }

What has happened is that I have found that some users have managed to bypass this presumably by using something like dev tools.

I would like to design this such that my security can't be bypassed. How do I accomplish this goal or hide the JavaScript from dev tools?

Solution

  1. The best way is to validate on the server. Never trust anything that comes from a client. It could be tampered with.

  2. It's never completely possible to stop dev tools from being loaded; however, you can make it difficult by disabling the F12 button and context menus, but that's a road you don't want to walk on.

  3. Use code that is minified, so it becomes much harder to read and comprehend and to tamper with using dev-tools or other sniffers.

Summarized: use minified (obfuscated) code in combination with sanity checks on the client and on the server (preferably on the database too).
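As an added example (not part of the original answer), the server-side check from point 1 could look like the following in JavaScript for a Node.js backend. The names `validateSubmission`, `TRUE_TVD`, `TOLERANCE` and `MAX_POINTS`, the JSON body shape `{"TVD": [...]}` and the sample value 1200 are assumptions; only the +/- 5 window around `trueTVD` comes from the question.

```javascript
// Server-side re-validation of the rule that enable() applies in the browser.
// The disabled state of #submitButton is never consulted: the server decides
// from the submitted data alone, so toggling the button in dev tools gains nothing.
const TRUE_TVD = 1200;    // constructed sample; held on the server, never read from the request
const TOLERANCE = 5;      // same +/- 5 window as the client-side check
const MAX_POINTS = 10000; // assumed upper bound to reject oversized arrays

function validateSubmission(rawBody) {
  let data;
  try {
    data = JSON.parse(rawBody);
  } catch (e) {
    return { status: 400, error: 'body is not valid JSON' };
  }
  const tvd = data && data.TVD;
  if (!Array.isArray(tvd) || tvd.length === 0 || tvd.length > MAX_POINTS) {
    return { status: 400, error: 'TVD must be a non-empty array' };
  }
  // Strict type check: "1200" would pass the browser's >= / <= through coercion,
  // and 1e999 parses to Infinity, so both are rejected here.
  if (!tvd.every((v) => typeof v === 'number' && Number.isFinite(v))) {
    return { status: 400, error: 'TVD must contain only finite numbers' };
  }
  const last = tvd[tvd.length - 1];
  if (last < TRUE_TVD - TOLERANCE || last > TRUE_TVD + TOLERANCE) {
    return { status: 422, error: 'final TVD is outside the accepted window' };
  }
  return { status: 200, accepted: last };
}

// Constructed sample request bodies: one honest submission, and inputs a
// modified client could send once the button has been re-enabled by hand.
const samples = [
  '{"TVD":[1000,1198]}',
  '{"TVD":[1000,1300]}',
  '{"TVD":["1200"]}',
  '{"TVD":[1e999]}',
  'not json',
];
for (const body of samples) {
  console.log(body, '->', JSON.stringify(validateSubmission(body)));
}
```

The route handler that receives the form post calls `validateSubmission` on the raw body and persists the data only when the status is 200.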
