Skip to content
Sign upLog in
This post is read-only. Explore Repls and connect with other creators on Community.View Community
The info in this post might be out of date, check out our docs instead. View docs
146

Actual un-clickable button (for real this time)!

Baconman321
Baconman321

Disclaimer!

There always has been (and always will be) ways to bypass this since devtools is more powerful than JavaScript itself. Don't expect it to be actually "unclickable"!


After seeing

@invisibleOne
's post, I realized that there are soo many ways to bypass the "clicking" for his project.

I decided to take matters into my own hands and actually make my button "un-clickable". None of the methods described in invisibleone's post works now (not even mine)!

See if you can get this button >:)

Oh and BTW:

Calling the function or alerting the message that the function alerts is not counted as the solution. I can't stop liars, but if you find a way around it then please tell me.

People who have clicked the button (legitimately. Those who don't post their reasons or their reasons aren't valid (AKA: they aren't actually clicking it) won't get on the "leaderboard"):

  • Wilke000
  • 1andonlyaether
  • Codemonkey51
  • DSAEvan
  • darkdarcool
  • DrakeFletcher2

Ok so many people are doing it. Great guys!

I'm not going to add any more because so many people are doing it.

I am so proud of you replers! You are all such great critical thinkers!

Keep in mind guys that I can only do so much because most browsers give you more control over JavaScript than JavaScript itself...

Oh, wow

I have found and prevented at least 4 methods of clicking the button via cheats since I made this post:

  • Focusing the element using HTMLButtonElement.prototype.focus()
  • Mutating globalThis.requestAnimationFrame
  • Tabbing/editing the tab index
  • Modifying the size/position of the element (to make it stay in one place)
  • Right clicking

Ok guys

You now can't use window.alert :D

Ahh, yes. Now I can tell who actually clicked it and who didn't >:)

Yay, we got on trending!!!

Oh and guys... the message saying "lol nice try guys ;D" means you didn't get it.

Fixed the right click hack >:D

(Possibly) also fixed the right clicking address bar cheat :D (button will be disabled. You can click it, but no "You got me!")

Yoo guys, if the button is gray that is on purpose. It's disabled when the web page loses focus (to prevent the right click cheat... which still works ARGH).

You got me guys, I can't defend this button forever :(

2 years ago
You are viewing a single comment. View All
14
ChezCoder
ChezCoder

hm...
hm

if you wanted it to be unclickable that bad, just give the button the disabled attribute, <button disabled>Cant Click</button> and disable attribute changing.

HTMLElement.prototype.setAttribute = function() { alert("Sike Gottem"); }
2 years ago
1
sojs
sojs

this is very good.

@ChezCoder

2 years ago
1
1
1
Baconman321
Baconman321

@ChezCoder
Ok ez fix >:)

Btw glad to see you back buddy!

Oh, wait... it's already fixed because I froze HTMLButtonElement, so it should prevent setAttribute from being changed... oh wait I forgot to freeze the prototype! Thanks :)

2 years ago
1
Baconman321
Baconman321

@ChezCoder
And yea you could have the disabled attribute, but there is supposed to be a chance to click it without the obvious.

Also, alert won't work cuz it's inside a code block and is not in globals.

2 years ago
1
xxpertHacker
xxpertHacker

@ChezCoder
Lmao, HTMLElement#setAttribute actually looks up the prototype until it finds Element#setAttribute ;)

The bypass from there is simple:

Element.prototype.setAttribute.call(button);

JS cannot be sandboxed by itself, it's hell to try.

2 years ago
1
Baconman321
Baconman321

@xxpertHacker
Too, true.. too true.

Can't I delete setAttribute tho?

2 years ago
1
Baconman321
Baconman321

@xxpertHacker
Well, I mean.. imagine if you had even more control (over the client's computer) with JS... it would be a nightmare.

Someone thought they could prevent ending processes in NodeJS (or more or less they were kidding).

2 years ago
1
xxpertHacker
xxpertHacker

@Baconman321
I don't like NodeJS for a thousand reasons, among them, the execution of un-sandboxed JS, with higher privilege than browser JS.

Oh shoot, seems like that sounds like a perfect use case for Wasm though, since it's always safe.


Btw, you need SES in order to sandbox your button... otherwise, I could just assess a new Element from another window if I wanted to.

Actually, no, you just stright-up can't defend that button.

2 years ago
1
ChezCoder
ChezCoder

@Baconman321
ive been fumbling with it for a few minutes now and cant find anything, good job!

2 years ago
1
Baconman321
Baconman321

@ChezCoder
:D

My military strategies have worked well

2 years ago
1
TinyMooshmallow
TinyMooshmallow

@ChezCoder
Or you can use touchscreen

2 years ago
1
ChezCoder
ChezCoder

@Baconman321
make the repl disable the button if the user is on mobile, im sure you can find ways to detect this by searching google :)

2 years ago
1
Baconman321
Baconman321

@ChezCoder
mabe :)

This is kinda ded ngl.

2 years ago