Section 4.8. JavaScript


In principle, JavaScript applications, embedded in web pages, are a great way for the bad guys to cover their tracks. In principle, you could write scripts to prevent someone from viewing the source HTML for a page and to manipulate the URL displayed in the status bar and browser history. Poke around the Web and you will find lots of example scripts claiming to do these and other feats of engineering. The problem is that most of them do not work.

While most browsers support JavaScript, and most have that support turned on by default, recent versions tend to disable features that interfere with the way the browser itself works. You can program image rollovers and form validation just fine, but try anything else and it may not work. These restrictions are a direct response to people trying to trick users or exploit security holes that give them access to files and so on.

Some of the tricks still work in certain browsers. Here is a snippet of HTML that displays a false URL in the name of the link and uses JavaScript to rewrite the status bar with the same URL.

     <a href="http://www.craic.com" onMouseOver="window.status = 'http://www.oreilly.com'; return true;">http://www.oreilly.com</a>

This one still works in Internet Explorer 6.0 on Windows. Safari on Mac OS X shows the real target, as does Firefox on Mac OS X, unless you specifically change your preferences to allow JavaScript to mess with the status bar.

These scripts can only work if run inside a browser that can interpret JavaScript. In most of our explorations, we will be using a command-line browser that simply fetches the HTML for us. So these scripts, regardless of how sophisticated they may be, serve as no impediment to our explorations.
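Because the fetched HTML still contains both the real `href` and the script that hides it, the mismatch can be checked mechanically. The following is an added example, not code from the book: it parses a page and reports anchors whose visible text or `window.status` assignment names a different host than the link target. The names `audit_links`, `LinkAuditor` and `host_of` are hypothetical, and the sample HTML is constructed from the snippet above.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the spoofed link from the text plus one honest link.
SAMPLE = """<a href="http://www.craic.com" onMouseOver="window.status = 'http://www.oreilly.com'; return true;">http://www.oreilly.com</a>
<a href="http://www.craic.com/">www.craic.com</a>"""

STATUS_RE = re.compile(r"""status\s*=\s*(['"])(.*?)\1""", re.I)
URL_TEXT_RE = re.compile(r"^(?:https?://)?[a-z0-9.-]+\.[a-z]{2,}(?:[/:?#]\S*)?$", re.I)

def host_of(url, assume_http=False):
    """Lower-cased hostname; with assume_http, scheme-less text such as 'www.x.com' is parsed too."""
    if assume_http and "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()

class LinkAuditor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings, self._open = [], None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            a = dict(attrs)  # HTMLParser lower-cases attribute names
            m = STATUS_RE.search(a.get("onmouseover") or "")
            self._open = (a.get("href") or "", m.group(2) if m else None, [])

    def handle_data(self, data):
        if self._open:
            self._open[2].append(data)

    def handle_endtag(self, tag):
        if tag != "a" or not self._open:
            return
        (href, status, parts), self._open = self._open, None
        text, real, reasons = "".join(parts).strip(), host_of(href), []
        if URL_TEXT_RE.match(text) and host_of(text, True) != real:
            reasons.append("link text")
        if status and host_of(status, True) != real:
            reasons.append("status bar")
        if real and reasons:  # hrefs without a host (relative links) cannot be compared
            self.findings.append({"href": href, "shown": text, "status": status, "reasons": reasons})

def audit_links(html):
    """Return one finding per anchor whose displayed destination differs from its href host."""
    auditor = LinkAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings
```

Calling `audit_links(SAMPLE)` reports only the first anchor, with both the link text and the status-bar script pointing away from the real target.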



Internet Forensics
ISBN: 059610006X
EAN: 2147483647
Year: 2003
Pages: 121