Control HTML without javascript

This is something I have known about for a long time. It is advanced and can mostly be used for Cross Site Request Forgeries (CSRF). Not that I condone these, but the best way to defend yourself against hackers is by knowing as much as they do.

In some cases users turn JavaScript off in their browsers (I do) for security reasons. HTML has almost no scripting capabilities if you discount the FOR attribute on the LABEL tag. It is possible to trick a user into submitting a form simply by having them highlight text on a page. The FOR attribute binds a label to another element, which is a form of scripting, I guess.

Well, by simply wrapping the BODY of a page in a LABEL tag containing text and HTML, the LABEL and its contents become a button through the binding of the FOR attribute. This all happens behind the scenes. This means that whenever you select text or click anywhere on the body of the page, the binding becomes active, and the form is submitted without any scripting at all!

<label for="action">
<!-- Everything inside the label becomes the click target for the bound control -->
Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor
incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud
exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.
Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore
eu fugiat nulla pariatur.
</label>

<!-- The hidden submit button is bound to the label above through the id/for pair;
     a click or text selection on the label activates it and submits the form -->
<form action="" method="get">
 <input type="submit" id="action" style="display:none;">
</form>

In my example I show a POC of how you could automatically log someone out of Twitter simply by having them click on a page. Twitter has since fixed this CSRF by checking the Referer header sent by the browser: if it doesn't match, it sends you to another logout page to confirm your action.
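To show what the Referer check described above looks like on the server, and why a per-session CSRF token is the stronger companion to it, here is an added example in Python; it is not code from the original post and not Twitter's implementation. It assumes a protected site at the constructed host example.com and models each incoming request as a method, a header dict, a form dict and a session dict. The constructed requests in run_demo() include the hidden-submit label trick from this post (a GET from a third-party page with no token), and a look-alike host that a naive substring comparison of the Referer would wrongly accept.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Host of the application being protected (assumed, constructed for this example).
SITE_HOST = "example.com"


def generate_csrf_token() -> str:
    """Create the per-session secret that the site's own logout form carries
    as a hidden field; a label trick on a third-party page cannot know it."""
    return secrets.token_urlsafe(32)


def referer_matches(headers: dict, site_host: str = SITE_HOST) -> bool:
    """The fix the post describes: accept the Referer only when its host is
    exactly our own. Compare the parsed hostname, not a substring, so a
    look-alike such as 'example.com.attacker.invalid' does not pass."""
    referer = headers.get("Referer")
    if not referer:
        return False  # stripped by a privacy tool or a cross-scheme hop: not proof of origin
    return urlsplit(referer).hostname == site_host


def token_matches(form: dict, session: dict) -> bool:
    """Synchronizer-token check, the defense that does not depend on Referer."""
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token")
    if not expected or not supplied:
        return False
    return hmac.compare_digest(expected, supplied)  # constant-time comparison


def authorize_logout(method: str, headers: dict, form: dict, session: dict) -> str:
    """Decide what to do with a logout request.

    Returns "logout" when the request is trustworthy and "confirm" when the
    user should be sent to an explicit confirmation page instead, which is
    what the post says Twitter does on a Referer mismatch.
    """
    if method == "POST" and token_matches(form, session):
        return "logout"  # the site's own form, submitted with the session's token
    if referer_matches(headers):
        return "logout"  # legacy Referer check; weaker, but still stops the label trick
    return "confirm"     # cross-site or unknown origin: ask the user first


def run_demo() -> dict:
    """Constructed requests showing how each check treats the label trick."""
    session = {"csrf_token": generate_csrf_token()}
    cases = {
        # Hidden-submit label trick on a third-party page: GET, foreign Referer, no token.
        "label_trick": ("GET", {"Referer": "http://attacker.invalid/page.html"}, {}, session),
        # Same trick when the browser sends no Referer at all.
        "no_referer": ("GET", {}, {}, session),
        # Look-alike host that a substring check on the Referer would wrongly accept.
        "lookalike_host": ("GET", {"Referer": "http://example.com.attacker.invalid/"}, {}, session),
        # The site's own logout link clicked from its settings page.
        "same_site_referer": ("GET", {"Referer": "https://example.com/settings"}, {}, session),
        # The site's own logout form, carrying the session token.
        "token_post": ("POST", {}, {"csrf_token": session["csrf_token"]}, session),
        # Forged POST with a guessed token.
        "bad_token_post": ("POST", {"Referer": "http://attacker.invalid/"}, {"csrf_token": "guess"}, session),
    }
    return {name: authorize_logout(*args) for name, args in cases.items()}


if __name__ == "__main__":
    for name, decision in run_demo().items():
        print(f"{name:18s} -> {decision}")
```

The Referer check alone has a gap: some browsers and privacy extensions strip the header, and a missing Referer proves nothing either way, so the example treats it as "confirm" rather than "logout". The token check has no such gap, because the third-party page driving the label trick never sees the victim's session token, which is why it is tried first and why state-changing actions should be accepted only on POST.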

This is good knowledge. Use it to protect yourself and not to harm others.

I use a plugin for Firefox called NoScript. This plugin blocks all scripts on a per-domain basis; if you trust a domain, you can enable its scripts. This is extremely helpful because I visit many hacked packages on a weekly basis and I do not want my computer to get a virus. This plugin will protect you from at least 70% of web attacks. I highly encourage you to use it.

The Core Team
Editorial Staff Members at 'corePHP'
Editorial staff for the Core Technology Blog for 'corePHP' - news, views, insights and advice for e-commerce, marketing technology, web design and development.

4 thoughts on “Control HTML without javascript”

  1. thatscool

    Wow…sneaky! Read the link to the wiki article on CSRF…that’s some scary stuff! I’m amazed at how people come up with this stuff. I have trouble modifying a wordpress theme.

    Your twitter log-out example was a good, simple example of how this works.

    Nice theme, btw.

  2. Morris Soucie

    In terms of security models, especially for companies, I have to go along with you completely. You’ll find so a lot of options in the marketplace, it really is crucial for any specialist to be aware what is most effective for his or her scenario as well as specific building. The ideas you are offering will be an excellent support to companies and security professionals alike. Many thanks again!

  3. Ward Reef

    Neat blog! Is your theme custom made or did you download it from somewhere? A theme like yours with a few simple tweaks would really make my blog stand out. Please let me know where you got your design. Many thanks

    1. Michael Pignataro

      We custom designed our theme. If you need any custom designing or development please visit here to learn more about our services.

      Please let us know if you have any further questions.

      Michael Pignataro
