Prevent malicious user from executing JavaScript

Question

In my JSP I have a function like fnGetTicketDetails:

function fnGetTicketDetails(record){
    $(\"#TicketNumber\").val(record);
    $(\"#TicketDeta         


        

Answer 1

You can't prevent the user from doing this.

You must treat all input from the user including all requests sent by your JavaScript as untrusted.

That means that the server must verify that the request from the user is legitimate (i.e. it must check if the current user has permission to read the specified detail).

Relying on hidden fields and JavaScript to keep your data secure is a very easy way of getting your data stolen.

Answer 2

You can't. Any data stored on the client is going to be visible to the end user.

The issue here is that your server is willing to show the details to anyone who asks for them. Don't even try to stop the user asking. Just do a check server side to make sure that that user is allowed to view those ticket details. If they're not, don't deliver them!