Re: [Cppcms-users] Why wikipp calls document.write() to generate simple <form> tag?
From: Artyom B. <art...@gm...> - 2016-01-25 10:26:29
On Mon, Jan 25, 2016 at 11:51 AM, CN <cn...@fa...> wrote:
> Aha! Artyom, many thanks again for yet another precious lesson of
> secured HTML design!
>
> I do not see this recipe in tutorial. Isn't it a good idea to add it to
> "security design" chapter?

Not really...

It is one of 1000 tricks to work on bots. If it becomes common then bots would know how to find them, i.e. they wouldn't run an entire JS engine but rather search for document.write.

See, it isn't really a security feature, as it doesn't enhance security; it rather limits users who do not run JavaScript from using the form. Which isn't always desirable.

It works in a particular case but it does not help in general.

Fighting spammers is a never-ending battle that needs you to trick a spammer or detect one. In my bot fight I needed to do many things, sometimes things that are very tightly tied to a specific application domain. So there is no "general way to go".

Finally it is your effort vs his effort - your trick vs his.

It is very different from general secure programming, which is about stopping a bad guy who knows exactly what you are doing and can do whatever he wants to hack your system.

Artyom