
I am running a small site and, like every web developer, I use JavaScript to interact with the client side.

Currently all of my buttons have the `onclick=()` attribute, which means that when somebody visits my site and inspects the HTML code they will find those `onclick=()` calls. I have visited other popular websites, such as Stack Overflow, and it seems like they don't use the `onclick=()` property for all the buttons.

Is this a security flaw? Should I change my JS code to just listen for when a button is clicked?

Thanks in advance

  • Inline attributes like `onclick`, `onkeydown`, and `onkeyup` are obsolete and should not be used. Event listeners should be used instead. – no ai please Jun 06 '21 at 19:31

1 Answer


While there are plenty of reasons to avoid using onclick attributes (notably a lack of separation of concerns, lower reusability of code, and some unintuitive scoping rules), security is not one of them.

Any code you ask the browser to run is completely under the control of the owner of the browser. It is designed for their convenience, not that of the website it is visiting.

If exposing the logic of the JS to the user is a security problem, then you need to solve it by moving the logic to server-side code.

Quentin
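An added example to illustrate the answer above (this is not code from the question or from Quentin's answer). It assumes a hypothetical "delete user" action, a cookie-based session, and constructed session data. The point it makes: whether the click is wired with an inline `onclick` attribute or with `addEventListener`, the same JavaScript is shipped to the user, who can read it, change it, or skip it and send the HTTP request by hand. The only check that counts is the one the server performs against state the client cannot edit.

```javascript
// Added example, not part of the original page. Names such as deleteUser,
// handleDeleteUser and the session data are hypothetical.

// --- Client side: what the browser receives, readable by anyone ---------
// Both wirings deliver identical logic to the user; neither hides it.
const CLIENT_INLINE = '<button onclick="deleteUser(42)">Delete</button>';
const CLIENT_LISTENER =
  "document.getElementById('del').addEventListener('click', () => deleteUser(42));";

// A "check" that runs in the user's browser. The user owns this code: they
// can flip the flag in devtools, call deleteUser() from the console, or
// craft the request directly. It is a UX convenience, not a control.
function clientSideCanDelete(uiState) {
  return uiState.isAdmin === true;
}

// --- Server side: state the client cannot modify ----------------------
// Constructed sample session store, keyed by the session cookie value.
const SESSIONS = new Map([
  ['sess-alice', { user: 'alice', role: 'admin' }],
  ['sess-bob', { user: 'bob', role: 'member' }],
]);

// Server-side handler. Authorization is derived only from the server's
// own session record. Anything the client put in the body (including an
// "isAdmin" field) is ignored for that decision.
function handleDeleteUser(request) {
  const session = SESSIONS.get(request.cookies && request.cookies.session);
  if (!session) {
    return { status: 401, body: 'not authenticated' };
  }
  if (session.role !== 'admin') {
    return { status: 403, body: 'forbidden' };
  }
  const id = Number(request.body && request.body.id);
  if (!Number.isInteger(id) || id <= 0) {
    return { status: 400, body: 'bad id' };
  }
  return { status: 200, body: `deleted user ${id}` };
}

// A non-admin user tampers with the client-side state and the request
// body. The client check passes; the server still refuses.
function demonstrateBypass() {
  const tamperedUiState = { isAdmin: true };           // edited in devtools
  const tamperedRequest = {
    cookies: { session: 'sess-bob' },                  // bob is a member
    body: { id: 42, isAdmin: true },                   // claim is ignored
  };
  return {
    clientAllows: clientSideCanDelete(tamperedUiState),
    serverStatus: handleDeleteUser(tamperedRequest).status,
  };
}
```

Run `demonstrateBypass()` to see the two verdicts side by side: the client-side check reports `true`, the server answers 403. Moving the check server-side is what makes the difference, not the choice between `onclick=` and `addEventListener`.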