
How can you check to see if someone has modified your HTML (using something like Firebug)?

Is there an easy way to check to see if someone has modified your HTML? I am currently writing some code that takes data from the DOM and submits it to the backend where it will of course be sanitized and checked for accuracy, but I was wondering if there was a way to kind of head that off at the pass.

For instance, if I have a hidden input with a number in it and someone modifies that number in Firebug before submitting it to my server, is there a way to check to see if the actual HTML was modified before submitting the request to the server and basically telling them HEY BUDDY STOP MESSING WITH MY STUFF.

I'm not entirely sure this is possible, but if it is, I do not know how to do it.


Hmm, I'd say that the HTML on your users' browser is actually theirs. (i.e. nothing wrong with greasemonkey) Stuff isn't yours again until it arrives at your server in the form of the URL, HTML form input parameters, and cookies -- all of which can of course be modified unbeknownst to you. So you should continue to validate such data; there's no magic bullet to allow for a trusted client experience.


You could send along with your hidden value another value that is the result of a complex computation you performed involving the hidden value and some secret value that never gets sent to the client. Then when you receive the hidden value simply perform another calculation that reverses the first one. If you don't get your secret value back then you know they have changed the hidden value.

Of course, this is still not going to be that secure as someone can easily do some experiments on your site and find out what that secret value is based solely off of your hidden value and verification value and then change the verification value as well.

It is possible to come up with a computation that will make it rather difficult (but not impossible) to crack this type of verification. However, with the time and effort that would be involved in coming up with such a computation and then staying on top of it to ensure no new exploits come out for it, you would probably be better off just sanitizing the data as you receive it.

In my opinion you are better off not relying on any data received from the user. There are certainly tricks that can be done to do what you ask and this may be one of them, but almost all of these tricks are ones that can most likely be figured out by an attacker given enough time.


You could see if somebody is changing hidden input elements with Firebug using JavaScript, but the idea sounds silly.

All your critical validation should be done server-side.

You can't rely on anything the client sends being accurate. If somebody really wanted to "mess with your stuff", they could easily (for example) write a Python script to submit data to your server.


Here's a jQuery-based sample of what I was alluding to in my comment:

Live Demo #2

  • Click Submit: the background will turn green - nothing was changed.
  • Change the value of a hidden input, click Submit: the background will turn red - something was changed.

HTML:

<form id="myForm" method="post" action="">
    <input type="hidden" value="123" />
    <input type="hidden" value="456" />
    <input type="submit" />
</form>

JS #2:

// Remember each hidden input's value as rendered by the server.
$('#myForm input[type="hidden"]').each(function() {
    $(this).data('originalValue', $(this).val());
});

$('#myForm').submit(function(){
    $(this).find('input[type="hidden"]').each(function() {
        if ($(this).val() != $(this).data('originalValue')) {
            $('body').css('background', 'red');
            return false; // stop iterating once a change is found
        }
        //just for testing:
        $('body').css('background', 'green');
    });
    return false; // demo only: never actually submit the form
});


There are things you can do in JavaScript, like keeping a copy of the expected value buried in JavaScript:

var originalHiddenFieldValue = document.getElementById("myHiddenField").value;

... later...

if (originalHiddenFieldValue !== document.getElementById("myHiddenField").value)
    alert("Hey, stop it!");

At the end of the day though, all the user would have to do is detach any event handlers on your submit button to override any validation and your code would be useless. If they're smart enough to be overriding values using Firebug, you can make a good bet that they'd be willing to go a bit further to modify your scripts too.

If you're trying to check for these things, the only way you can do it with 100% confidence is to check the hidden field server-side, and compare the values, as you have said you are doing anyway.
