javascript javascript可以模拟按钮点击吗?
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/17371569/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Can javascript simulate a button click?
提问by AndrewB
I am designing a site where it would be problematic if macros were allowed to run freely.
我正在设计一个网站,如果允许宏自由运行,就会出现问题。
I have thought of a way to stop a macro made by simulating the HTTP requests from a button click but this would be in vain if they could insert javascript scripts which just "click" the button and proceed as a normal user would.
我已经想到了一种通过模拟来自按钮单击的 HTTP 请求来停止宏的方法,但是如果他们可以插入仅“单击”按钮并像普通用户一样继续操作的 javascript 脚本,这将是徒劳的。
By simulating a button click, I mean, the button is pressed and the Form the button is in runs with the php code associated with it.
通过模拟按钮点击,我的意思是,按钮被按下,按钮所在的表单与与之关联的 php 代码一起运行。
Logic tells me javascript can do this but I would like to know for sure, thank you for any input!
逻辑告诉我 javascript 可以做到这一点,但我想肯定地知道,感谢您的任何输入!
~Andrew
~安德鲁
回答by Vadim
A button may be allways clicked programmatically. For example you may have some page with form like this:
一个按钮可以总是以编程方式点击。例如,您可能有一些具有如下形式的页面:
<form>
<input type="text" />
<button>Do something</button>
<input type="submit">
</form>
than it is possible just to open debug cosole and type
比可能只是打开调试cosole并输入
document.getElementsByTagName('button')[0].click();
which will click the button, or
这将单击按钮,或
document.getElementsByTagName('input')[1].click();
which will click the submit button of the form, or just
这将单击表单的提交按钮,或者只是
document.forms[0].submit();
to submit the form without clicking the button.
无需单击按钮即可提交表单。
There is no way to prevent user from mastering JavaScript code on client. You have to add some validation on server side in order to prevent unwanted user actions.
没有办法阻止用户在客户端掌握 JavaScript 代码。您必须在服务器端添加一些验证以防止不需要的用户操作。
回答by David Karlsson
the only thing you can do is validate the request on the server.
您唯一能做的就是验证服务器上的请求。
once you hand the page over to a client, you have no technical control over how it might be used.
一旦您将页面交给客户,您就无法控制如何使用它。
What you can do for example, from:
你可以做什么,例如,从:
Say you're making javascript game. You use AJAX to send the score of the player to the server for logging. After looking at the script, a malicious user could run your AJAX code to send a score of 1,000,000 even if they earned only 5,000.
假设您正在制作 javascript 游戏。您使用 AJAX 将玩家的分数发送到服务器进行记录。查看脚本后,恶意用户可以运行您的 AJAX 代码发送 1,000,000 的分数,即使他们只赚了 5,000。
You can't prevent this from happening on the javascript side. However, there should some way to authenticate AJAX requests on the server side, you might be able to pass a security "token" to javascript that a hacker couldn't get ahold of.
您无法阻止这种情况发生在 javascript 方面。但是,应该有一些方法可以在服务器端对 AJAX 请求进行身份验证,您可能能够将安全“令牌”传递给黑客无法获得的 javascript。
