Saturday, 24 August 2013

Prevent form injection with JavaScript?


I have a page where users must create a custom profile picture using an
HTML5 Canvas and JavaScript. The base64 image data of the canvas is stored
in a hidden input field element in a form where they enter the rest of
their user information. I only want people on the site having their
profile pictures made with my JavaScript / Canvas designer, but users are
able to go into the Chrome console, or use the address bar, or a
user-script to set the contents of the hidden input field to the base64
image data of their choice (not made with my canvas).
How can I prevent people from doing this? I was thinking maybe some sort
of method using AJAX to POST data to a PHP file which sets $_SESSION data,
but I can't think of a way to do that which would prevent users from
injecting JavaScript to change the parameter.
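The hidden field, the AJAX call and any `$_SESSION` value set from the browser all share the same weakness the question describes: every one of them is controlled by the client, so nothing done in JavaScript can stop a user from replacing the image data. What the server can do is refuse anything that does not look like the output of the site's own canvas designer. The following is an added example for a Node.js back end (it is not code from the original post, which mentions PHP, and the same checks translate directly): it strictly parses the data URL, caps the size, and checks the PNG signature and IHDR header for the expected avatar dimensions. It assumes the designer exports with `canvas.toDataURL()`, whose default output is a `data:image/png;base64,...` string; the size cap and the 128x128 geometry are constructed assumptions, and `sampleHeader` builds a constructed header-only sample for testing.

```javascript
// Added example (not from the original post): server-side checks applied to
// the hidden-field value before it is accepted as a profile picture.
// Assumes canvas.toDataURL() output, i.e. "data:image/png;base64,<data>".
// MAX_BYTES and the expected dimensions are constructed assumptions.
const MAX_BYTES = 64 * 1024;        // cap on the decoded image size
const EXPECTED_WIDTH = 128;
const EXPECTED_HEIGHT = 128;
const PNG_SIGNATURE = Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]);

// Strictly parse "data:image/png;base64,<base64>". Anything else (a JPEG,
// an SVG, a URL-encoded payload, stray whitespace) is rejected outright.
function decodePngDataUrl(value) {
  if (typeof value !== 'string') return null;
  // Four base64 characters encode three bytes, so oversized input can be
  // rejected before any decoding happens (22 is the prefix length).
  if (value.length > 22 + Math.ceil(MAX_BYTES / 3) * 4) return null;
  const m = /^data:image\/png;base64,([A-Za-z0-9+/]+={0,2})$/.exec(value);
  if (!m) return null;
  return Buffer.from(m[1], 'base64');
}

// Validate the decoded bytes as a PNG with the expected geometry.
// This checks the container header only (signature and IHDR); it does not
// prove the pixel data is well-formed, so re-encoding the image on the
// server is still advisable before serving it back to other users.
function validateAvatar(value) {
  const bytes = decodePngDataUrl(value);
  if (!bytes) return { ok: false, reason: 'not a base64 PNG data URL or too large' };
  if (bytes.length > MAX_BYTES) return { ok: false, reason: 'decoded image exceeds size cap' };
  // PNG layout: 8-byte signature, then the IHDR chunk:
  // length(4) 'IHDR'(4) width(4) height(4) depth(1) colour(1) ... crc(4)
  if (bytes.length < 24 || !bytes.subarray(0, 8).equals(PNG_SIGNATURE)) {
    return { ok: false, reason: 'missing PNG signature' };
  }
  if (bytes.toString('latin1', 12, 16) !== 'IHDR') {
    return { ok: false, reason: 'first chunk is not IHDR' };
  }
  const width = bytes.readUInt32BE(16);
  const height = bytes.readUInt32BE(20);
  if (width !== EXPECTED_WIDTH || height !== EXPECTED_HEIGHT) {
    return { ok: false, reason: `unexpected dimensions ${width}x${height}` };
  }
  return { ok: true, width, height, size: bytes.length };
}

// Constructed sample input for testing: the PNG signature plus an IHDR chunk
// for a width x height RGBA image. It exercises the header checks above but
// is not a complete, renderable PNG (no IDAT/IEND chunks, zeroed CRC).
function sampleHeader(width, height) {
  const ihdr = Buffer.alloc(25);          // 4 length + 4 type + 13 data + 4 crc
  ihdr.writeUInt32BE(13, 0);
  ihdr.write('IHDR', 4, 'latin1');
  ihdr.writeUInt32BE(width, 8);
  ihdr.writeUInt32BE(height, 12);
  ihdr[16] = 8;   // bit depth
  ihdr[17] = 6;   // colour type 6: RGBA
  return 'data:image/png;base64,' + Buffer.concat([PNG_SIGNATURE, ihdr]).toString('base64');
}
```

In a form handler, `validateAvatar(req.body.avatar)` is run before anything is written to the database, and a rejection is treated like any other invalid form field. The checks cannot tell whether the bytes came from the site's designer or were pasted into the console, because no server-side check can; they can only guarantee that whatever is stored is a small PNG of the size the designer produces, which is the property the site actually depends on.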
