Forums | MacLife
#1 2008-03-18 9:31 am
preventing form abuse using a javascript
while messing around with Google Analytics it occurred to me that you might be able to hide a <form></form> from malicious spiders/crawlers by putting the entire <form></form> inside a javascript ....
like document.write('<form>form fields here</form>');
and then calling that from a script tag
it works (prints the form and all the input fields, allows user to submit the form) but i'm wondering how effective that would be against people out to abuse a form processing script? i'm also pretty sure this isn't 508 compliant.
just a thought. interested to see what anyone has to say about this.
"The Fates lead he who will; he who won't, they drag." - Seneca
#2 2008-03-18 4:25 pm
Re: preventing form abuse using a javascript
Code:
document.getElementsByTagName('form')
In that, even with a script tag, the form element shows up in the DOM. Also, <form> still shows up in your source code. Or you write a simple JavaScript parser. Bottom line: JavaScript really won't fool anyone who really cares about getting into your smurf.
Basseq is me, John Whittet.
(Finishing the remainder of the thought expressed in the post has been left as an exercise for the reader.)
#3 2008-03-19 12:55 pm
Re: preventing form abuse using a javascript
no form tags are printed in the source ( view source ) .... just ...
<script type="text/javascript" src="form_print.js"></script>
i have to look at the page using FireBug to view details of the .js before i can see the address and name of the script processing the form
i know this doesn't make a form unhackable but my intention here was to hide it from spiders and bots. i'm also fairly certain this creates an accessibility issue for the page.
"The Fates lead he who will; he who won't, they drag." - Seneca
#4 2008-03-19 2:31 pm
Re: preventing form abuse using a javascript
b_dubb wrote:
<script type="text/javascript" src="form_print.js"></script>
Well that does abstract things a little more.
b_dubb wrote:
i'm also fairly certain this creates an accessibility issue for the page.
True. And, again, the bottom line:
Me wrote:
JavaScript really won't fool anyone who really cares about getting into your smurf.
Basseq is me, John Whittet.
(Finishing the remainder of the thought expressed in the post has been left as an exercise for the reader.)
#5 2008-03-19 4:15 pm
Re: preventing form abuse using a javascript
I've had a variation of this on my forms for a while now and it works very well.
Instead of writing the entire form, though, I just write a single hidden element that needs to be present to process the data on the back end. Without the hidden element the mail script will not run.
This was to combat comment spam on a blog. Since putting it in I've gotten no spam on the blog comments and in monitoring the logs for the script it has made no false positives.
So, just when did this place get Private Messages? YIKES!
Gippy Pages | Fuzzy Coconut XHTML Widget | PuppyCam
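The back-end check described in post #5, sketched as an added example that is not any poster's own code: the hidden field exists only inside the script text, so a client that reads the static markup never submits it, and the handler refuses to run without it. The field name `js_check`, its value, the `/comment` action and the sample submissions are assumptions made up for illustration.

```javascript
// Hypothetical field name and value; a real form would pick its own.
const FIELD = 'js_check';
const EXPECTED = 'written-by-script';

// Markup as served (constructed): the hidden input appears only in the script.
const servedHtml = [
  '<form method="post" action="/comment">',
  '<input type="text" name="author">',
  '<textarea name="body"></textarea>',
  '<script>document.write(\'<input type="hidden" name="' + FIELD +
    '" value="' + EXPECTED + '">\');</script>',
  '</form>'
].join('\n');

// Field names visible to a client that does not execute scripts.
function staticFieldNames(html) {
  const withoutScripts = html.replace(/<script[\s\S]*?<\/script>/gi, '');
  const re = /<(?:input|textarea|select)\b[^>]*\bname="([^"]+)"/gi;
  const names = [];
  let m;
  while ((m = re.exec(withoutScripts)) !== null) names.push(m[1]);
  return names;
}

// Back-end gate: process the comment only if the script-written field arrived.
function acceptSubmission(fields) {
  if (!Object.prototype.hasOwnProperty.call(fields, FIELD)) {
    return { ok: false, reason: 'missing-field' };
  }
  if (fields[FIELD] !== EXPECTED) return { ok: false, reason: 'wrong-value' };
  return { ok: true, reason: 'accepted' };
}

// Count outcomes per reason, the kind of figure to watch in the script's logs.
function tally(submissions) {
  const counts = {};
  for (const s of submissions) {
    const reason = acceptSubmission(s).reason;
    counts[reason] = (counts[reason] || 0) + 1;
  }
  return counts;
}

// Constructed submissions: a browser, a static-markup client, a wrong value.
const sample = [
  { author: 'reader', body: 'nice post', [FIELD]: EXPECTED },
  Object.fromEntries(staticFieldNames(servedHtml).map((n) => [n, 'spam'])),
  { author: 'y', body: 'spam', [FIELD]: '' }
];
console.log(staticFieldNames(servedHtml), tally(sample));
```

The value is fixed and readable in the script source, so this gate only filters clients that never run or read the script, which is the limit raised in post #2.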
