On Mon, 20 Nov 2000, Charles McCathieNevile wrote:

> On the server when the page is submitted:
>
> if (validated=="no") { valider() }
> else { reserver() }

The aim is clear: to offer a convenient and fast-acting correction of bad input at the client side, to save the round trip to the server. So far, so good.

But if this code means what I think it means, then (quite irrespective of accessibility) I'm afraid there is a problem, since a malicious user needs only to edit the source to claim that client-side validation was done when in fact it wasn't, in order to bypass the validation checks.

It's a firm principle that the server must _always_ validate the inputs, no matter whether it thinks they have been pre-validated on the client-side or not.

best regards

Received on Monday, 20 November 2000 15:23:36 GMT
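
The principle stated in the message above, as an added JavaScript example that is not part of the original post or thread: a handler that trusts the client-supplied `validated` flag beside one that ignores it and always validates. Only `validated` comes from the quoted snippet; the form fields `name` and `seats`, their limits, and all function names are hypothetical.

```javascript
// Added illustration. Field names (name, seats) and limits are hypothetical;
// "validated" is the client-supplied flag from the quoted snippet.

// Server-side checks: the only ones the server can rely on.
function validateReservation(form) {
  const errors = [];
  const name = typeof form.name === "string" ? form.name.trim() : "";
  if (name.length === 0 || name.length > 100) errors.push("name");
  // Accept only a plain decimal integer, then range-check it.
  const seats =
    typeof form.seats === "string" && /^[0-9]{1,2}$/.test(form.seats)
      ? Number(form.seats)
      : NaN;
  if (!(seats >= 1 && seats <= 10)) errors.push("seats");
  return { ok: errors.length === 0, errors, value: { name, seats } };
}

function decide(result) {
  return result.ok
    ? { status: "reserved", value: result.value }
    : { status: "rejected", errors: result.errors };
}

// Pattern from the quoted snippet: checks run only when the client
// says they have not run yet, so the flag controls the server.
function handleTrustingFlag(form) {
  if (form.validated === "no") return decide(validateReservation(form));
  return { status: "reserved", value: { name: form.name, seats: form.seats } };
}

// Hardened: the flag is never consulted; every submission is validated.
function handleAlwaysValidate(form) {
  return decide(validateReservation(form));
}

// Constructed sample submissions. "edited" carries the flag the page's
// own script would set, but its fields never passed any check.
const honest = { validated: "yes", name: "A. User", seats: "2" };
const edited = { validated: "yes", name: "", seats: "9999" };

console.log(handleTrustingFlag(edited).status);
console.log(handleAlwaysValidate(edited).status);
console.log(handleAlwaysValidate(honest).status);
```

Client-side checks remain useful for the fast feedback the message describes; the server simply repeats them on every request.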