Tom Markle wrote:
You need to take steps to prevent malicious scripting - currently various forms of
[snip]
That runs locally and uses basic javascript to change the 'wpEdittime' var to a few seconds before current time could be used to coordinate disruptive attacks.
Client-side code is, naturally, not under our control, so there's not anything to "prevent".

If you're referring to offsite form submissions automated with JavaScript, we already have protection in place to prevent this for registered users. At most it would be an annoyance for unregistered accounts as there's no security issue -- you can already submit edits as an unregistered visitor.

Since the protection requires maintaining session state, requiring it for anonymous editors would also cut out users who don't accept cookies.
I know that it is a simple matter to fix entries, but it is a simpler matter to stick a
`if (getenv("HTTP_REFERER") == '207.142.131.202') { } else { // fail handler }`
or similar line in the submit function.
Referrers are utterly unreliable: first, the client can always falsify them.
Second, requiring it will cut out anyone using a privacy proxy.
-- brion vibber (brion @ pobox.com)
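The two approaches discussed in this exchange, side by side, as an added example that is not from the thread or from MediaWiki's own code: a referrer comparison of the kind Tom proposes, and a session-bound edit token of the kind Brion describes. The session ids, form fields, secret and header values are constructed for the example; the `207.142.131.202` address is the one quoted in the thread.

```python
import hmac
import hashlib
from typing import Optional

# Constructed server-side secret for the example; a real site loads it from config.
SERVER_SECRET = b"constructed-example-secret"

def issue_edit_token(session_id: str) -> str:
    """Per-session edit token: an HMAC over the session id.

    It is only meaningful together with the session cookie, which is why
    this scheme cannot cover anonymous editors who reject cookies.
    """
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()

def referer_check(headers: dict) -> bool:
    """The referrer-based check from the thread. The client sets this header,
    so it proves nothing about where the form was actually loaded from."""
    return headers.get("Referer", "").startswith("http://207.142.131.202/")

def token_check(form: dict, session_id: Optional[str]) -> bool:
    """Accept the edit only if wpEditToken matches the token bound to the session."""
    if session_id is None:
        return False  # no session state, nothing to bind the token to
    expected = issue_edit_token(session_id)
    return hmac.compare_digest(form.get("wpEditToken", ""), expected)

def demo() -> dict:
    """Constructed submissions: a legitimate one and several offsite ones."""
    victim, attacker = "sess-victim", "sess-attacker"
    legit_form = {"wpEditToken": issue_edit_token(victim), "wpEdittime": "20040101000000"}
    offsite_form = {"wpEdittime": "20040101000000"}  # no token: the offsite page never had it
    forged_headers = {"Referer": "http://207.142.131.202/wiki/index.php"}
    return {
        "legit_token": token_check(legit_form, victim),
        "offsite_token": token_check(offsite_form, victim),
        "cross_session": token_check({"wpEditToken": issue_edit_token(attacker)}, victim),
        "forged_referer_passes": referer_check(forged_headers),
        "no_cookie": token_check(legit_form, None),
    }

if __name__ == "__main__":
    print(demo())
```

The last two results are the thread's two points: a client-chosen header satisfies the referrer check, while the token check fails closed for a visitor with no session at all.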