Can someone please tell me why users are able to publish news feeds with text of their choice from my application? I think Facebook is not putting any check on the JS function "streamPublish", and users can execute this function in the browser at run time and publish any news feed with any text they want. Can someone guide me on how to handle this exploit?
There isn't any way around this. The user can do whatever they want with their own access token. Once an access token is granted to a client, it is saved in a cookie. The access token is associated with their user account and your application. The user can take that access token and call any API method that they want with it. However, that access token is associated with the user account of that person, so I don't really see why it is an issue that the user is publishing posts, because they are only allowed to publish to their own profile. The users wouldn't be able to publish to other user accounts (unless you are exposing other users' access tokens to the user, which you shouldn't be doing).
In addition to Nathan Totten: why are you worried? No one can stop users or visitors from any use of JavaScript, because JavaScript is rendered on the client side, and nowadays browsers allow users to run any kind of JavaScript in the browser. So even Facebook cannot block it unless they come up with an enhancement in JavaScript or use some extra encryption of the JS so users cannot understand it.