方法,使Java脚本code黑客/注塑/操作难吗? [英] Ways to make Javascript code hacking / injection / manipulation difficult?
问题描述
有什么方法可以prevent,或使其非常困难,有人注入Javascript和操纵变量或访问功能?一想到我是随意更改每个重载的所有变种的名称,以便在恶意脚本将每次都要被改写?还是有其他的痛苦小的方法呢?
Are there ways to prevent, or make it difficult enough, for someone to inject Javascript and manipulate the variables or access functions? A thought I had is to change all var names randomly on each reload so the malware script would need to be rewritten every time? Or are there other less painful ways?
据我了解,最后总会有人砍他的方式,但我想知道如何使它难以再现的动作,让人们不会公布一个书签或类似供大家使用的东西。我不在乎,如果专家发现自己在code的方式,但我想它比 JavaScript的要复杂一点:D = 0;
I understand that eventually someone will hack his way in, but I'd like to know ways to make it difficult to reproduce the action, so that people won't publish a bookmarklet or something similar for everyone to use. I don't care if experts find their way in the code, but I'd like it to be a bit more complex than javascript:d=0;
如果你知道如何做黑客的Javascript有点困难,请写那些。
If you know ways to make hacking Javascript a bit more difficult, please write those.
推荐答案
您可以写你的JS只使用私有方法和变量自动执行的功能。例如,下面的code叶子在全局命名空间没有迹象本身对任何人与猴子。
You can write your JS to use only private methods and variables in a self-executing function. For example, the following code leaves no sign of itself in the global namespace for anyone to monkey with.
(function(){
var x = 1;
var y = 2;
var z = "A am z";
var clickHandler = function() {
alert('You clicked the body');
};
document.getElementsByTagName('body')[0].addEventListener('click',clickHandler,true);
}());
以上code是容易受到用户覆盖任何全局可用的对象,方法,使用的是(在这种情况下,事件或属性,文件
,的getElementsByTagName
和的addEventListener
),所以如果你是真正的偏执狂,你可以在页面加载之前这些文件复制到功能范围和用户有一个机会来覆盖它们。使用的addEventListener
是一个好主意,因为不像事件 body.onclick
,它不能被删除或之外的功能覆盖。
The above code is susceptible to a user overwriting any globally available objects, methods, events or properties you are using (in this case, document
, getElementsByTagName
and addEventListener
), so if you are truly paranoid you can copy these to your function scope before the page has loaded and the user has a chance to overwrite them. Using addEventListener
is a good idea because unlike the event body.onclick
, it cannot be removed or overwritten from outside the function.
这篇关于方法,使Java脚本code黑客/注塑/操作难吗?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!