It seems to be simple to find but when I searched for this I only found how to enable or disable Javascript on your browser. There are many websites which make it compulsory for Javascript to be enabled and I want to know how. Is there any setting? I want this facility on a website developed using PHP.
This question explains some great solutions for checking whether or not JavaScript is enabled.
You can take those answers and try to implement them. You can do what Marc Gear said:
There isn't a good way to perform server-side JavaScript detection. Instead, use JavaScript to set a cookie, and then test for that cookie using server-side scripting upon subsequent page views; deliver content appropriately.
However, on the first visit there would be no good way to test for JavaScript, so you could use the <noscript> tag to possibly display some alternate text like "Please enable JavaScript then reload," though that solution doesn't really let you control whether or not JavaScript is enabled.
In the end, there is no way for you, the server, to enable JavaScript. It is a client-side setting that the user has complete control over. You can only check to see if it is enabled, and if it's not, then encourage the user to enable it.
Most of the pages of my website are called using Ajax. If someone disables JavaScript in his browser, then Ajax functionality will not work. So is there any way of enabling JavaScript in the browser using server-side code (or any language like C#)?
No, there is no way to do that.
No. That would not be possible under normal conditions. If something like that gets invented, it would be a big security and privacy issue. Think of the TOR network. What privacy will be left if JavaScript is enabled by the server?
The only thing you can do is detect if it's enabled.
If someone chooses to disable JavaScript, it is usually for security reasons. So you won't be able to enable it. (And that's a good thing.)
But your question is a bit weird: "browser using server-side code" => the browser uses HTML code generated by server-side code. The browser can't see the server-side code.
What you can do is to display a message like "You must enable javascript to navigate on this website" (big red letters =) ) and you hide it on page load using javascript.
// Use window.onload: the load event is delivered to window, not to document.
window.onload = function () {
    // correct me if I'm wrong, I'm used to jQuery
    document.getElementById('javascriptAlert').style.display = 'none';
    // or, if jQuery is loaded:
    // $("#javascriptAlert").hide();
};
EDIT :
I forgot: the noscript tag can be used to ask the user to enable JavaScript.
I am trying to work out if I can alter the functionality of a website preferably through vba (access) or any other way that I can centrally manage. What I am trying to achieve is, depending on permissions, I would like users to log onto a website and the website is then changed on the fly to stop the user using normal functions of the website. For example some users have access to a submit button while others do not.
I have seen that you can use VBA to parse websites and auto logon. I'm just not sure if it's capable of doing any local scripting like Greasemonkey does.
Maybe I am looking at this wrong and can achieve this at the firewall level instead of running website scripts.
Any ideas?
You should not manage website permissions using a client-side technology like JavaScript. Users can easily either just disable JavaScript/VBScript or tamper with the page.
The best approach is to manage permissions by emitting the HTML from a server-side scripting language such as ASP.Net or PHP.
ASP.Net has built-in, generally adequate support for membership, roles and permissions that would meet this need.
http://msdn.microsoft.com/en-us/library/yh26yfzy(v=vs.100).aspx
If that is not an option for whatever reason, and you can accept the risk of someone tampering with the permissions you set up, you can certainly use something like jQuery to hide portions of an HTML document that a user should have no access to. You can accomplish the same thing using JavaScript without jQuery, but I would suggest jQuery because it abstracts away many of the cross-browser issues.
If you do that, hide everything by default and then show selectively based on permissions. That way, the simplest method of just disabling JavaScript will not reveal anything special (though it is still quite easy to hack).
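The server-side approach recommended above, as an added example that is not part of the original answer: the submit button is emitted only for permitted users, and the same permission is checked again when the request arrives, so editing the page in the browser gains nothing. The roles, the `/orders` route and the `qty` field are constructed for illustration.

```javascript
// Constructed role table (hypothetical names); a Map avoids prototype-key surprises.
const PERMISSIONS = new Map([
  ["editor", new Set(["view", "submit"])],
  ["viewer", new Set(["view"])],
]);

// `user` comes from the server-side session, never from the request body.
function can(user, action) {
  const allowed = user ? PERMISSIONS.get(user.role) : undefined;
  return Boolean(allowed && allowed.has(action));
}

// Emit the submit button only for users who hold the permission.
function renderForm(user) {
  const button = can(user, "submit")
    ? '<button type="submit">Submit</button>'
    : "";
  return `<form method="post" action="/orders"><input name="qty">${button}</form>`;
}

// Check again on arrival: hiding the button is presentation, this is enforcement.
function handleSubmit(user, body) {
  if (!can(user, "submit")) return { status: 403, body: "Forbidden" };
  // Validate input here too; client-side validation can be switched off.
  const qty = Number(body.qty);
  if (!Number.isInteger(qty) || qty < 1 || qty > 100) {
    return { status: 400, body: "qty must be an integer from 1 to 100" };
  }
  return { status: 200, body: `Accepted ${qty}` };
}
```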
We have the WCAG standard, which means the site should run without JavaScript.
http://www.w3.org/TR/WCAG/
Is it possible to check WCAG is enabled or not in PHP?
When JavaScript is disabled: I have set some PHP session variables.
When JavaScript is enabled: I want to reset those PHP session variables.
How can I do that?
WCAG is a set of guidelines, not simply an on/off switch. It highlights best practices to ensure that your site is accessible so that people with disabilities can use it. At a high level view, the JavaScript requirement is in the standard because back in the day, not many assistive technology devices or programs could interact with JS. So, the user would experience the site if JavaScript was disabled. This is why it is important to have good <noscript> tags for scripted elements versus having rude comments.
Today popular assistive technology can interact with JavaScript fairly well. It all comes down to what you are doing with JavaScript and how you script the actions.
W3C has provided 37 techniques to use for client-side scripting. WebAIM's JavaScript Accessibility article has a lot of information in it.
If you ask about whether or not it's possible to detect on the server-side if Javascript is enabled, then the answer is: technically no.
As the server process is not within the browser process, there is no way for the server to inspect if a feature or setting in the browser is enabled / exists.
You can however try to mimic that. E.g. scripts are not going to be loaded from the server-side if javascript is disabled (normally). Also you can insert javascript that will do specifically crafted requests to your server so that you know something is disabled.
<noscript><img src="http://example.com/session-trigger-js-disabled.php?.gif" width="0" height="0"></noscript>
<script src="http://example.com/session-trigger-js-enabled.php?.js"></script>
Note: $_SESSION in PHP can be blocking. The <script src="url"> tag is also blocking, so take care that you're not creating "deadlocks" that will decrease the user-experience with your website.
A more lightweight approach might be to set a cookie and change it if javascript is enabled. Cookies can be read out by PHP, their nature is not blocking and you don't need to waste session for that.
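The cookie approach described in the answers above, as an added example that is not from the original posts and is written in JavaScript for a Node-style server rather than PHP. The cookie name `js_enabled` is an assumption, and because the browser controls the value, the result is only a rendering hint and never an access decision.

```javascript
// Constructed cookie name; any name works as long as client and server agree.
const JS_COOKIE = "js_enabled";

// Markup sent on every page: the script sets the cookie for later requests,
// and <noscript> covers the first visit, when no cookie can exist yet.
function detectionMarkup() {
  return [
    `<script>document.cookie = "${JS_COOKIE}=1; path=/; SameSite=Lax";</script>`,
    "<noscript><p>Please enable JavaScript, then reload.</p></noscript>",
  ].join("\n");
}

// Parse a raw Cookie request header into a name -> value Map.
// The first occurrence of a name wins; malformed parts are skipped.
function parseCookies(header) {
  const cookies = new Map();
  for (const part of (header || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq < 1) continue;
    const name = part.slice(0, eq).trim();
    if (name && !cookies.has(name)) {
      cookies.set(name, part.slice(eq + 1).trim());
    }
  }
  return cookies;
}

// "script" when the cookie set by the page's own script came back, else "basic".
// Anyone can send this cookie by hand, so use it to pick markup only.
function renderingMode(cookieHeader) {
  return parseCookies(cookieHeader).get(JS_COOKIE) === "1" ? "script" : "basic";
}
```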
Question: What precautions should I take when I let clients add custom JS scripts to their pages?
If you want more details:
I am working on a custom CMS like project for a company, The CMS has number of "groups" that each subscriber "owns" where they do their own thing.
The new requirement is that some groups want to add Google Analytics to see how they are doing. So I naturally added a column in the table and made code adjustments so if there is some data in that column, I just use the following line in the master page to set the script out:
ScriptManager.RegisterClientScriptBlock(Page, typeof(Page), "CustomJs", CustomJs, true);
It works just fine, only, It got me thinking...
It's really easy for someone with good knowledge of how to access cookies etc. from JS. Sure, each group is moderated and only super admin can add this JavaScript, sure, they wouldn't be silly enough to hack their own group. Each group has their own code so it's not possible to hack other groups BUT STILL
I am not really comfortable in letting users add their own JavaScript code.
I could monitor each group myself, but the groups are growing really quick and I will hit a time when I will no longer be able to do that.
So, to brief it up: What precautions should I take to avoid any mishaps ?
ps: did try to google, no convincing answers anywhere.
Instead of allowing the users to add their own Javascript files, and given that the only requirement here is for google analytics, why not just let them put their analytics ID into the CMS and if it's present, output the relevant Google Analytics code?
This way you fulfill the user's requirement and also avoid the need to protect against malicious scripting.
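One way to implement the suggestion above, as an added example that is not the asker's CMS code: the stored column holds only a tracking ID, the ID is checked against a strict allowlist pattern, and the script text itself is a fixed template. The two accepted ID shapes and the gtag.js loader markup are assumptions about the analytics setup.

```javascript
// Assumed ID shapes: "UA-<digits>-<digits>" and "G-<uppercase letters/digits>".
// The pattern is anchored at both ends, so nothing may follow a valid ID.
const ANALYTICS_ID = /^(?:UA-\d{4,10}-\d{1,4}|G-[A-Z0-9]{6,12})$/;

// Returns the normalised ID, or null for anything that is not exactly an ID.
function parseAnalyticsId(input) {
  if (typeof input !== "string") return null;
  const id = input.trim().toUpperCase();
  return ANALYTICS_ID.test(id) ? id : null;
}

// Builds the markup from a fixed template. The only variable part is the
// validated ID, whose alphabet (A-Z, 0-9, "-") cannot close a quote or a tag.
function renderAnalytics(storedValue) {
  const id = parseAnalyticsId(storedValue);
  if (id === null) return ""; // invalid or missing: emit nothing
  return [
    `<script async src="https://www.googletagmanager.com/gtag/js?id=${id}"></script>`,
    "<script>",
    "window.dataLayer = window.dataLayer || [];",
    "function gtag(){dataLayer.push(arguments);}",
    "gtag('js', new Date());",
    `gtag('config', '${id}');`,
    "</script>",
  ].join("\n");
}
```

Validate when the value is saved as well as when it is rendered, so a row written by an older code path or edited directly in the database still cannot reach the page as script.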
Letting users use Javascript is in general, a very bad idea. Don't do it unless you have to.
I once had a problem where I needed to let clients use JavaScript, but the clients weren't necessarily trusted, so I modified CoffeeScript so that only a small subset was compilable to JavaScript, and it worked pretty well. This may be waaaay too overkill for you.
You should not let your users access cookies, that's always a pain. Also, no localStorage or webSQL if you're one of the HTML5 people, and, no document.write() because that's another form of eval as JSLint tells you.
And, the problem with letting people have javascript is that even if you believe you have trusted users, someone may get a password, and you don't want that person to get access to all the other accounts in the group.
Automatically recognizing whether some JavaScript code is malicious or sandboxing it is close to impossible. If you don't want to allow hacking your site you are left with only a few options:
Don't allow users to add JavaScript at all.
Only allow predefined JavaScript code, e.g. for Google Analytics.
Have all custom JavaScript inspected by a human before it is allowed to display on the site. Never trust scripts loaded from third party sites - these can change from one day to another and turn malicious.
If you have no other choice, you may consider separating path/domain of user javascripts (and cookies).
For example, your user has a page:
user1.server.com
and you keep user pages at
user1.server.com
So, if you set session cookies to the user1.server.com, it'll render them unobtainable for user scripts from other domains (e.g. user2.server.com).
Another option may be executing all users' JavaScript in a server-side JS engine (thus controlling all its I/O and limiting access to browser resources).
There is no simple and easy solution anyway, so better consider using options from other answers (e.g. predefined script API, human inspection).
Duplicate:
Do web sites really need to cater for browsers that don’t have Javascript enabled?
Only supporting users who have Javascript enabled.
How common is it for Javascript to be disabled
How many people disable Javascript?
I've been doing web applications on and off for a few years now and each application I write seems to have more javascript than the previous one.
A frequent comment is: "But what if the user turns off Javascript?".
I take the point, but I've never actually seen a user do this. Not once.
Have you?
This comes up about every other week or so. Did you search first?
See these:
https://stackoverflow.com/questions/121108/how-many-people-disable-javascript
https://stackoverflow.com/questions/379735/how-common-is-it-for-javascript-to-be-disabled
Only supporting users who have Javascript enabled
Do web sites really need to cater for browsers that don't have Javascript enabled?
The main points are:
Google doesn't use javascript when indexing
Mobile browsers (smart phones like the iPhone) sometimes have bad or non-existent javascript
Screen readers don't do javascript well, if at all, and many developers are legally required to support them.
Thanks to filters like NoScript, the number of people browsing with javascript disabled (at least initially) may actually be going up.
So yes, you still need to worry about it.
It depends entirely on what sort of coverage you require.
Do you need 80% 90% 100% of users to be able to use your site / application?
People DO turn off Javascript. The question is, does your site need to work for those people? Can it just tell them to turn it on if they want to continue?
Yes, it happens.
NoScript is a Firefox add-on - downloaded by plenty of people.
No Script
You should always make sure your site works without javascript.
People turn JavaScript off for security reasons. Companies sometimes have JavaScript forced off on their in-house computers. Also, spiders don't have JavaScript, so your site not working without JavaScript is bad SEO practice.
5% of users have JavaScript turned off.
It has become a standard at my office (for better or for worse) to assume that the user has JS installed and turned on. The number of people who have it turned off is getting smaller and smaller every day, but this still doesn't mean that you should forgo performing the necessary validation for submission on the server side as well just in case (as well as some other scenarios).
I would say that it is not safe to assume javascript is always on, but it is safe to REQUIRE javascript be turned on.
In other words, you don't need to jump through hoops to make something work without it, just display a message or redirect.
Javascript is an essential technology, and it's not unreasonable to require it.
It's rare, but it's possible. If you are launching an application for "everyone" to use on the internet, then yes, you'll have to prepare for such an event. It really depends on your target audience, but the safest assumption is that someone will have it turned off.
From a security perspective, you definitely need to handle this situation, as turning off JavaScript (or worse yet hijacking the scripts you wrote) is an easy way to bypass business logic and validation, if it isn't double checked on the server. Requiring it to be turned on is not a good enough defense for stopping people in this situation. Remember you're requesting that the browser tells you what it has enabled and disabled. The user (or attacker in this case) is in control of the browser, and you can't trust what it says as it's easy to modify the HTTP headers.
Depends on who your target audience is. Some users turn off JS for various reasons. Usually, they will enable it for individual sites that need it, but they might not do that if you don't tell them they need it.
If your site just fails to load correctly, they'll assume it's broken. If it shows a "you need JS to view this page" message, then at least they'll know what to do.
Some will then enable Javascript for your site specifically, but some won't, and they simply won't be able to use your site, unless it is functional without Javascript.
It's rare, but it happens. It really depends on who your user base is. If it's for corporate users, a lot of them have default security settings with javascript disabled. If it's for... pretty much anyone else, odds are they'll have it turned on.
I run by default with JavaScript off for new sites (NoScript plugin). I think many tech-savvy users do the same. At least the ones who are paranoid about XSS attacks.
It is best practice to code for users that have JavaScript turned off.
As web developer your goal should be to provide the core basic functionality (without JavaScript). This enables all users to fully use your site. Then through the use of JavaScript, in a process known as "progressive enhancement", spruce up elements of the site for users that have JavaScript turned on.
And in the case where JavaScript is off...your site should gracefully degrade.
Web development is one of those arenas where you can't expect anything. Code for all users to maximise your site's accessibility.