Turning off javascript and security

Hello!

I’m using a WYSIWYG HTML editor where users can enter html/text that will then be visible by others on my website. The editor itself converts “dangerous” html to html entities. The problem is that a user could turn off javascript and enter what they’d like. I’ve added the code:

<noscript>
    <style type="text/css">
        #javascript_detection {display:none;}
    </style>
    <div class="noscriptmsg">
        My site relies on javascript for part of its functionality, so be sure that it's enabled in your browser.<br />If you're not sure how to do this, go to Help under your browser's menu.
    </div>
</noscript>

And wrapped each page in a javascript_detection tag. This way, if someone does disable the javascript, they won’t be able to actually get to the page (I think!).

Is this method a sound way to secure this aspect of my site? (And, as a PS, I protect against SQL injection on the server side of things).

Thanks so much,

Eric

I agree with your logic 100% because, by today’s statistics, only 5% of the world has JavaScript disabled, which, when you think about it, gives everyone a 99.95% chance of never having a user visit without JavaScript enabled.

I just figured that since TinyMCE is already doing it for me…why rock the boat? :slight_smile:

My main concern was that if someone disables the javascript that I’d run into problems. But, it sounds like that you agree with me that if they were to do this, they’d be out of luck since no page would show.

Thanks for the feedback,

Eric

What you have is perfectly fine, but if you are using PHP as a back end processor, what you can do is escape and convert the inputted code using $_POST values and some PHP code to emulate what the JavaScript does.
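
Added example (not part of the original thread, and not TinyMCE's own code): one way to do the server-side conversion suggested above in PHP, so the stored HTML is safe even when the request arrives without the editor's JavaScript having run. The allowed tag list, the function names and the 'content' form field are assumptions.

```php
<?php
// Added example: allowlist filter for editor HTML. Tag lists are assumptions.
const ALLOWED_TAGS = ['p', 'br', 'b', 'i', 'em', 'strong', 'ul', 'ol', 'li', 'a'];
const DROP_WITH_CONTENT = ['script', 'style', 'iframe', 'object', 'embed'];

function esc(string $s): string { return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); }

// Rebuild the markup from the parsed tree, emitting only allowlisted tags.
function render_node(DOMNode $node): string
{
    if ($node instanceof DOMText) { return esc($node->nodeValue); }
    if (!($node instanceof DOMElement)) { return ''; }        // comments etc. are discarded
    $tag = strtolower($node->nodeName);
    if (in_array($tag, DROP_WITH_CONTENT, true)) { return ''; } // drop element and its contents
    $inner = '';
    foreach ($node->childNodes as $child) {
        $inner .= render_node($child);
    }
    if (!in_array($tag, ALLOWED_TAGS, true)) { return $inner; } // unknown tag: keep text only
    if ($tag === 'br') { return '<br>'; }
    // Every attribute (onclick, style, ...) is dropped; only an http(s) href on <a> survives.
    $href = $tag === 'a' ? trim($node->getAttribute('href')) : '';
    $attrs = preg_match('#^https?://#i', $href) ? ' href="' . esc($href) . '" rel="nofollow noopener"' : '';
    return "<$tag$attrs>$inner</$tag>";
}

function sanitize_posted_html(string $html): string
{
    $doc = new DOMDocument();
    $previous = libxml_use_internal_errors(true);   // user markup is often malformed
    $doc->loadHTML('<?xml encoding="UTF-8"><body>' . $html . '</body>');
    libxml_clear_errors();
    libxml_use_internal_errors($previous);
    $body = $doc->getElementsByTagName('body')->item(0);
    return $body ? render_node($body) : '';
}

// Constructed request body, as if submitted with JavaScript disabled so the editor never ran.
$_POST['content'] = '<p onclick="x()">Hi <b>there</b></p><script>alert(1)</script>'
    . '<a href="javascript:alert(1)">link</a>';
echo sanitize_posted_html($_POST['content'] ?? ''), "\n";
```

Run the filter on every submission before storing or displaying it, whether or not the editor's own conversion ran. For production use, a maintained sanitizer library is a safer choice than a hand-written filter.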

Wouldn’t that be 95%, since 100 minus 5 is 95?

Off Topic:

:lol: Well, now you know I suck at math :blush: