Off-topic: form validation (was: user!important)

From: <JOrendorff@ixl.com>
Date: Mon, 24 Jan 2000 11:40:36 -0500
Message-ID: <CD8E2CDBC6D0D111ACB900805FBBD97E0263013B@mem-131.ixl.com>
To: www-style@w3.org

> On Mon, 24 Jan 2000, Matthew Brealey wrote:
> >>> Any scripts that perform validation are suddenly no longer able to
> >>> rely on the fact that elements are only displayed when
> >>> appropriate.
> >> Client-side scripts should not be used for validation.
> > Not strictly true IMO - you should use them to filter out the 'no
> > brainers', but some data require additional server-side validation.
> 
> No. Client-side scripts should *absolutely* *never* be used for
> validation. If they are used to simplify the user's life (e.g.,
> checking dates are valid and popping up a dialog if they are not) then
> the checking should *still* be done on the server.
> 
> Basically, authors can *never* rely on *anything* happening on the
> client side. They *must* expect to receive garbage input.

A site must do complete server-side validation to avoid processing bad
or malicious data in a dangerous way.  That's a crucial security
measure.

But a site may validate client-side too, for the user's convenience.
It's a duplication of effort, but it can be worth the time.

-- 
Jason Orendorff
Received on Monday, 24 January 2000 11:41:19 GMT
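
The rule stated in this message, as an added example that is not part of the original post: a server-side check in JavaScript (Node.js) that treats every submitted value as untrusted, whatever the client-side script or style sheet was supposed to enforce. The field names (`name`, `birthdate`, `coupon`) and the `couponOffered` flag are hypothetical.

```javascript
// Added example: server-side validation of a submitted form body.
// Field names and the couponOffered flag are hypothetical.
const ALLOWED_FIELDS = new Set(["name", "birthdate", "coupon"]);

// Strict calendar check: the client-side date check may have been bypassed.
function isValidDate(s) {
  const m = /^(\d{4})-(\d{2})-(\d{2})$/.exec(s);
  if (!m) return false;
  const [y, mo, d] = [Number(m[1]), Number(m[2]), Number(m[3])];
  const dt = new Date(Date.UTC(y, mo - 1, d));
  // Date rolls invalid days over (Feb 30 -> Mar 1), so compare the round trip.
  return dt.getUTCFullYear() === y && dt.getUTCMonth() === mo - 1 &&
         dt.getUTCDate() === d;
}

// Returns a list of error strings; an empty list means the input is accepted.
function validateSubmission(body, { couponOffered }) {
  if (body === null || typeof body !== "object" || Array.isArray(body)) {
    return ["body: expected an object"];
  }
  const errors = [];
  for (const key of Object.keys(body)) {
    if (!ALLOWED_FIELDS.has(key)) errors.push(`${key}: unexpected field`);
  }
  const { name, birthdate, coupon } = body;
  if (typeof name !== "string" || name.trim().length === 0 || name.length > 100) {
    errors.push("name: required string, 1-100 characters");
  }
  if (typeof birthdate !== "string" || !isValidDate(birthdate)) {
    errors.push("birthdate: required, YYYY-MM-DD, real calendar date");
  }
  // The page only displays the coupon field when one is offered, but a user
  // style sheet or a hand-built request can submit it anyway: decide here.
  if (coupon !== undefined && !couponOffered) {
    errors.push("coupon: not available for this request");
  } else if (coupon !== undefined &&
             (typeof coupon !== "string" || !/^[A-Z0-9]{8}$/.test(coupon))) {
    errors.push("coupon: malformed");
  }
  return errors;
}
```

The same `isValidDate` function can also run in the browser for the user's convenience; the server's verdict is the only one that counts.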