Hello!
I’m using a WYSIWYG HTML editor where users can enter HTML/text that will then be visible to others on my website. The editor itself converts “dangerous” HTML to HTML entities. The problem is that a user could turn off JavaScript and enter what they’d like. I’ve added the code:
<noscript>
<style type="text/css">
#javascript_detection {display:none;}
</style>
<div class="noscriptmsg">
My site relies on javascript for part of its functionality, so be sure that it's enabled in your browser.<br />If you're not sure how to do this, go to Help under your browser's menu.
</div>
</noscript>
And wrapped each page in a javascript_detection tag. This way, if someone does disable JavaScript, they won’t be able to actually get to the page (I think!).
Is this method a sound way to secure this aspect of my site? (And, as a PS, I protect against SQL injection on the server side of things.)
Thanks so much,
Eric
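
The entity conversion described in the post runs in the browser, so the server receives whatever the request contains whether or not the editor's script ran. An added example (not part of the original post) of the same conversion applied server-side in JavaScript; the function names and the tag allowlist are assumptions.

```javascript
// Added example: server-side counterpart of the editor's entity conversion.
// Function names and the tag allowlist are assumptions, not from the post.

// Formatting tags a WYSIWYG editor typically emits; restored only in bare form.
const ALLOWED_TAGS = ["b", "i", "em", "strong", "u", "p", "ul", "ol", "li"];

// Encode every character that can open markup or break out of an attribute.
function encodeEntities(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Encode everything first, then re-enable only exact allowlisted tags.
// A tag carrying any attribute (onclick, style, href, ...) never matches the
// bare pattern, so it stays encoded and is displayed as text.
function sanitizeSubmission(rawHtml) {
  const encoded = encodeEntities(rawHtml);
  const bareTag = new RegExp("&lt;(/?)(" + ALLOWED_TAGS.join("|") + ")&gt;", "gi");
  return encoded
    .replace(bareTag, (_m, slash, name) => "<" + slash + name.toLowerCase() + ">")
    .replace(/&lt;br\s*\/?&gt;/gi, "<br>");
}

// Constructed sample: a submission that did not pass through the editor's script.
const submitted =
  '<p>Hello <b>world</b></p><script>alert(1)</script><b onclick="x()">hi</b>';

// The script element and the tag with an event handler come out as visible
// text; the leftover closing </b> is restored but is inert on its own.
console.log(sanitizeSubmission(submitted));
```

Run this on every submission before storing or rendering it, regardless of what the client-side editor did.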