On the fly website manipulation using - javascript

I am trying to work out if I can alter the functionality of a website preferably through vba (access) or any other way that I can centrally manage. What I am trying to achieve is, depending on permissions, I would like users to log onto a website and the website is then changed on the fly to stop the user using normal functions of the website. For example some users have access to a submit button while others do not.
I have seen that you can use VBA to parse websites and auto logon. I'm just not sure if it's capable of doing any local scripting like Greasemonkey does.
Maybe I am looking at this wrong and can achieve this at the firewall level instead of running website scripts.
Any ideas?

You should not manage website permissions using a client-side technology like JavaScript. Users can easily either just disable JavaScript/VBScript or tamper with the page.
The best approach is to manage permissions by emitting the HTML from a server-side scripting language such as ASP.Net or PHP.
ASP.Net has built-in, generally adequate support for membership, roles and permissions that would meet this need.
http://msdn.microsoft.com/en-us/library/yh26yfzy(v=vs.100).aspx
If that is not an option for whatever reason, and you can accept the risk of someone tampering with the permissions you set up, you can certainly use something like jQuery to hide portions of an HTML document that a user should have no access to. You can accomplish the same thing using JavaScript without jQuery, but I would suggest jQuery because it abstracts away many of the cross-browser issues.
If you do that, hide everything by default and then show selectively based on permissions. That way, the simplest method of just disabling JavaScript will not reveal anything special (though it is still quite easy to hack).
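An added example (not part of the original answer) of the server-side approach it recommends: the HTML is emitted according to the user's role, and the same permission check is repeated when the form is posted. The role table, `renderForm` and `handleSubmit` are hypothetical names, and the sessions are constructed sample data.

```javascript
// Added example. ROLE_PERMISSIONS, renderForm and handleSubmit are hypothetical names.
// A Map avoids prototype-key surprises when the role string is attacker-influenced.
const ROLE_PERMISSIONS = new Map([
  ['editor', new Set(['view', 'submit'])],
  ['viewer', new Set(['view'])],
]);

// The role comes from the server-side session, never from the request body.
function can(session, action) {
  const perms = session ? ROLE_PERMISSIONS.get(session.role) : undefined;
  return perms !== undefined && perms.has(action);
}

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (c) => '&#' + c.charCodeAt(0) + ';');
}

// Rendering: the button is absent from the HTML for users without the
// permission, so there is nothing to un-hide in the browser.
function renderForm(session) {
  const rows = ['<form method="post" action="/report">',
    '<p>Signed in as ' + escapeHtml(session.user) + '</p>',
    '<textarea name="text"></textarea>'];
  if (can(session, 'submit')) rows.push('<button type="submit">Submit</button>');
  rows.push('</form>');
  return rows.join('\n');
}

// Enforcement: a hand-crafted POST from a viewer is still refused, because the
// check is repeated where the action happens.
function handleSubmit(session, body) {
  if (!can(session, 'submit')) return { status: 403, saved: false };
  return { status: 200, saved: true, text: String(body.text || '') };
}

// Constructed sample sessions.
const viewer = { user: 'alice', role: 'viewer' };
const editor = { user: 'bob', role: 'editor' };
console.log(renderForm(viewer).includes('<button'));          // false
console.log(handleSubmit(viewer, { text: 'forged' }).status); // 403
console.log(handleSubmit(editor, { text: 'ok' }).status);     // 200
```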

Related

How to make website run only when Javascript is enabled?

It seems to be simple to find but when I searched for this I only found how to enable or disable Javascript on your browser. There are many websites which make it compulsory for Javascript to be enabled and I want to know how. Is there any setting? I want this facility on a website developed using PHP.
This question explains some great solutions for checking whether or not JavaScript is enabled.
You can take those answers and try to implement them. You can do what Marc Gear said:
There isn't a good way to perform server-side JavaScript detection. Instead, use JavaScript to set a cookie, and then test for that cookie using server-side scripting upon subsequent page views; deliver content appropriately.
However on the first visit there would be no good way to test for JavaScript, so you could use the <noscript> tag to possibly display some alternate text like "Please enable JavaScript then reload," though that solution doesn't really let you control whether or not JavaScript is enabled.
In the end, there is no way for you, the server, to enable JavaScript. It is a client-side setting that the user has complete control over. You can only check to see if it is enabled, and if it's not, then encourage the user to enable it.

Security on Web page that will allow user to add javascript dynamically

I have implemented a requirement in my website where I can allow my end user to configure a link, to execute any javascript that he may require. Since, he can type in any javascript that he requires he also has the ability to open different web pages, create new pages via javascript, edit elements in the page via javascript and so on.
I have some security concerns over this functionality and would like to get some opinion from everyone. Is it possible that any malicious or unethical script could be added to the page that could bring about law and order problem or credibility issues? If so, is it possible to place in some code that would restrict the type of javascript that my user may add?
There's a thing called ADsafe which was developed for banner ads that is a strict subset of Javascript which is meant to prevent malicious code. I don't think you'd be able to do things like
open different web pages, create new pages via javascript, edit elements in the page via javascript and so on
though. I think you should re-think your needs, and try to determine if you can come up with a way to offer the ability for a user to choose from pre-determined code that you write, perhaps customizing it within certain bounds.
Then again, if you're absolutely sure that the javascript is only going to run for the user who entered it, there shouldn't be anything they can do that will screw it up for anyone else. If a user was determined he or she could simply inject their javascript in through other means, like a rewriting proxy or extension or simply the javascript console.

Alternative to JavaScript in means of AJAX

I wanted to ask if there is any alternative to JavaScript/AJAX.
My goal is to have functionality of dynamic content without reloading the page. My problem with JavaScript/Flash or any other plug-ins is that user can disable those.
I already did some research and found Google Dart but this is implemented through JavaScript so it doesn't help.
TL;DR - I want an alternative to JavaScript/AJAX, which can't be disabled so that every user will see the same web page without having disadvantages through disabling plug-ins.
There is nothing like what you're describing that a user cannot disable. Nor should there be. Users should be the ultimate arbiters of what runs on their machines.
JavaScript and Ajax is your most broadly-supported solution. Yes, users can disable it, but globally, fewer than 2% do and it's easy to detect that they have and present a non-JavaScript version of your page (or a message saying your page isn't accessible without). Also, note that JavaScript is not a plug-in for web browsers; all popular browsers (and most niche browsers) support it natively.
Flash would be your next stop, but despite the Flash plug-in having great penetration there are more users without Flash than without JavaScript (anyone using an iPhone or iPad, for instance). Also, since Flash has been used so heavily for irritating advertising, a lot of people install Flash blockers that prevent the Flash app from running by default, requiring them to click on it to run it. (And of course Flash is closed and proprietary.)
There's also Silverlight from Microsoft (also a plug-in) and the open-source version Moonlight, but there are a lot more people without Silverlight/Moonlight than without Flash.
At the end of the day, you need code running on the end-user's computer, which means they control whether that code is allowed to run — by enabling/disabling JavaScript, by installing or not installing Flash (and using or not using Flash blockers, since it's used for so much irritating advertising), etc.
There is no alternative to "client side programming" for doing "client side actions". Every option that exists (JS, Flash, Shockwave, Silverlight, Unity, Dart, etc.) can also be disabled.
The purpose of this is to allow the user to control every data request himself and protect him from JS or 3rd party plugins security flaws.
JavaScript is not meant to show page content to the user. For that you have HTML.
It's not even meant to style the page. There is CSS for that.
With HTML and CSS the page content can be seen by search engines, and by people using different devices and browsing methods thanks to CSS, even impaired users.
JavaScript is meant to enhance the functionalities of a web page by allowing a smoother navigation for the user. It should not be used to show content impossible to see if JS is being disabled.
If using AJAX, be sure that each content loaded with AJAX may also be accessible if a user has JS disabled using normal links.
First develop your pages without thinking about JavaScript or other scripting/plugins technologies. Let your pages be fully navigable for every user and every browser.
Then, use JavaScript to enhance the site navigation and give users with JS enabled the best user experience possible.

What precautions should I take before I let client add javascript to a webpage?

Question: What precautions should I take when I let clients add custom JS scripts to their pages?
If you want more details:
I am working on a custom CMS-like project for a company. The CMS has a number of "groups" that each subscriber "owns" where they do their own thing.
The new requirement is that some groups want to add Google Analytics to see how they are doing. So I naturally added a column in the table and made code adjustments so if there is some data in that column, I just use the following line in master page to set the script out:
ScriptManager.RegisterClientScriptBlock(Page, typeof(Page), "CustomJs", CustomJs, true);
It works just fine, only, It got me thinking...
It's really easy for someone with good knowledge of how to access cookies etc from js. Sure, each group is moderated and only super admin can add this javascript, sure, they wouldn't be silly enough to hack their own group. Each group has their own code so it's not possible to hack other groups BUT STILL
I am not really comfortable in letting users add their own javascript codes.
I could monitor each group myself, but the groups are growing really quick and I will hit a time when I will no longer be able to do that.
So, to brief it up: What precautions should I take to avoid any mishaps ?
ps: did try to google, no convincing answers anywhere.
Instead of allowing the users to add their own Javascript files, and given that the only requirement here is for google analytics, why not just let them put their analytics ID into the CMS and if it's present, output the relevant Google Analytics code?
This way you fulfill the user's requirement and also avoid the need to protect against malicious scripting.
Letting users use Javascript is, in general, a very bad idea. Don't do it unless you have to.
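An added example (not from the original answers) of the analytics-ID approach described above: the CMS stores only an identifier, checks it against an allowlist pattern, and substitutes it into a fixed snippet. The accepted ID shapes and the function names are assumptions; the sample values in the test are constructed.

```javascript
// Added example. GA_ID_PATTERN and both function names are hypothetical;
// the accepted ID shapes are an assumption, not taken from the page.
const GA_ID_PATTERN = /^(?:UA-\d{4,10}-\d{1,4}|G-[A-Z0-9]{6,12})$/;

// Returns the ID if the stored column value matches the allowlist, else null.
function parseAnalyticsId(stored) {
  if (typeof stored !== 'string') return null;
  const id = stored.trim();
  return GA_ID_PATTERN.test(id) ? id : null;
}

// The script text is fixed by the CMS; only the validated ID is substituted.
// An invalid value yields no script at all rather than a "cleaned" one.
function analyticsSnippet(stored) {
  const id = parseAnalyticsId(stored);
  if (id === null) return '';
  const src = 'https://www.googletagmanager.com/gtag/js?id=' + encodeURIComponent(id);
  return [
    '<script async src="' + src + '"></script>',
    '<script>',
    'window.dataLayer = window.dataLayer || [];',
    'function gtag(){dataLayer.push(arguments);}',
    "gtag('js', new Date());",
    // JSON.stringify is defence in depth: the pattern already excludes quotes.
    "gtag('config', " + JSON.stringify(id) + ');',
    '</script>',
  ].join('\n');
}
```

With this in place the group's column never reaches the page as script text, so the question of inspecting user-supplied JavaScript does not arise for this requirement.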
I once had a problem where I needed to let clients use Javascript, but, the clients weren't necessarily trusted, so, I modified CoffeeScript so that only a small subset was compilable to javascript, and it worked pretty well. This may be waaaay too overkill for you.
You should not let your users access cookies, that's always a pain. Also, no localStorage or webSQL if you're one of the HTML5 people, and, no document.write() because that's another form of eval as JSLint tells you.
And, the problem with letting people have javascript is that even if you believe you have trusted users, someone may get a password, and you don't want that person to get access to all the other accounts in the group.
Automatically recognizing whether some JavaScript code is malicious or sandboxing it is close to impossible. If you don't want to allow hacking your site you are left with only few options:
Don't allow users to add JavaScript at all.
Only allow predefined JavaScript code, e.g. for Google Analytics.
Have all custom JavaScript inspected by a human before it is allowed to display on the site. Never trust scripts loaded from third party sites - these can change from one day to another and turn malicious.
If you have no other choice, you may consider separating path/domain of user javascripts (and cookies).
For example your user has a page:
user1.server.com
and you keep user pages at
user1.server.com
So, if you set session cookies to the user1.server.com, it'll render them unobtainable for user scripts from other domains (e.g. user2.server.com).
Another option may be executing all user's javascript at server JS engine (thus controlling all its I/O and limiting access to browser resources).
There is no simple and easy solution anyway, so better consider using options from other answers (e.g. predefined script API, human inspection).

Is it recommended to use javascript to build layouts?

I'm creating a blog, but I need box-shadows for my boxes, so I'm asking the following.
Is it good to add shadows via a)images/css or b)javascript?
I've heard that lot of people don't have javascript enabled while browsing, so is there this a problem? It would be easier and simpler to create these shadows with javascript than adding a million divs and positioning them.
EDIT: I found this page: http://www.w3schools.com/browsers/browsers_stats.asp and it says that almost every user has js enabled.
You could use JavaScript for your layout, but the general principle that you should keep in mind is that your HTML should be semantic: the elements on the page should have a meaning; it should project a structure that goes beyond the design of the page (although that structure can certainly be used as an indicator for the design aspects as well).
When this principle is applied, using JavaScript can help with providing the style you wish to project given the semantic meaning of the page.
Also, you should check your server logs (your hosting provider should have some sort of analytics tool/report available) which should tell you what browsers and versions are being used to visit your site. With that information, you can get a good feel for the people that you are currently reaching.
If you are using some sort of analytics package (e.g. Google Analytics) then you can possibly see the delta between two periods of time for the new visitors to your site as well, and try to gauge the capability of the browsers that new users will be using when they visit your site.
A few things to consider when using JavaScript to manipulate the DOM on the front end:
If you are using JavaScript to manipulate a good deal of the content, it's going to be a client-side process, and that can slow down the rendering of your page. You might want to consider a theme/template for your blog/cms which gives you the styling that you want and is rendered through CSS on the server-side.
Search engines do not execute your JavaScript. Because of this, you want to avoid manipulating the indexable content at all costs. You want your content to be embedded in the HTML as it is sent from the server. Using AJAX or other JavaScript to manipulate certain things is fine, but when it comes to your content, unless you are stylizing it, do not use JavaScript to manipulate it.
Use CSS box-shadow for nice, up-to-date browsers: http://css-tricks.com/snippets/css/css-box-shadow/ (requires no extra markup)
And for most everyone else, serve up your js solution.
You should do it the easiest way for you and allow the page to degrade gracefully for those without JS (if you think you need to consider them, as today, I don't see any point in building non-JS sites or building sites for no-js users).
