People will be able to see the javascript confirm link in the status bar of the browse. So, is that code below secure enough and how to hide the javascript to DONT show this: javascript:a = confirm('Are you sure you want to purchase this reward?'); if (a) { location.href='./?page=vote&act=rewards&id=8'} else void(0)
Script:
if ($_SESSION['nVotePoints'] >= $data['nCost']) {
$url = './?page=vote&act=rewards&id=' . $data['id'];
$confirm = "javascript:a = confirm('Are you sure you want to use purchase this reward?'); if (a) { location.href='{$url}'} else void(0)";
$data['URL'] = $confirm;
}
else
$data['URL'] = 'javascript: alert(\'' . stripslashes(Template::GetLangVar('VOTE_NEED_VP')) . '\');';
$column[$i++] = Template::Load('vote-reward-column', $data);
Kind Regards.
Keep in mind that even if you could hide the JavaScript, this would not be a secure system. Someone can fire up WireShark, IE's F12 Developer Tools, Firefox' Firebug, or Chrome's Developer Tools and see exactly which page things go to, or debug any call that touches DOM, even if your code is complete gibberish.
If you want to secure things like this you can't trust the client, you need to do it on the server. Otherwise someone can write their own code that calls your service, runs no JavaScript at all, and completely bypasses your validation logic.