security - Can javascript simulate a button click?

Question

I am designing a site where it would be problematic if macros were allowed to run freely.

I have thought of a way to stop a macro made by simulating the HTTP requests from a button click but this would be in vain if they could insert javascript scripts which just "click" the button and proceed as a normal user would.

By simulating a button click, I mean, the button is pressed and the Form the button is in runs with the php code associated with it.

Logic tells me javascript can do this but I would like to know for sure, thank you for any input!

~Andrew

Answer 1

A button may be always clicked programmatically. For example you may have a page with a form like this:

<form>
    <input type="text" />
    <button>Do something</button>
    <input type="submit">
</form>

then it is possible just to open debug console and type

document.getElementsByTagName('button')[0].click();

which will click the button, or

document.getElementsByTagName('input')[1].click();

which will click the submit button of the form, or just

document.forms[0].submit();

to submit the form without clicking the button.

There is no way to prevent user from mastering JavaScript code on client. You have to add some validation on server side in order to prevent unwanted user actions.