[whatwg] Client-side verification will never work in the real world

From: Ian Hickson <ian@hixie.ch>
Date: Wed, 30 Jun 2004 14:25:33 +0000 (UTC)
Message-ID: <Pine.LNX.4.58.0406301424160.27872@dhalsim.dreamhost.com>

On Tue, 29 Jun 2004, Jason Lustig wrote:
>
> I just recently read through the Web Forms 2.0 spec draft. I must say,
> it looks awesome, very exciting from the POV of a web app developer
> (i.e. me), and it would definitely make writing web apps SO much easier
> with these extensions.
>
> However - I am a believer that client-side form verification - while a
> nice trick that will take care of most users - never will work with
> real-world, open (i.e. anyone can access them) web apps, like
> BBSes/forums/blogs.

Indeed. As the spec says:

# Servers should still perform type-checking on submitted data, as
# malicious users or rogue user agents might submit data intended to
# bypass this client-side type-checking. Validation done via script may
# also be easily bypassed if the user has disabled scripting.
# Additionally, legacy user agents do not support the validation features
# described in this specification and will therefore submit data that has
# not been checked.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Wednesday, 30 June 2004 07:25:33 UTC
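
The server-side re-check that the quoted spec text calls for, as an added example that is not part of the original message or of the Web Forms 2.0 draft. The field names, rules and sample request bodies are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs

# Hypothetical rules for a forum sign-up form: the constraints the markup
# would declare for client-side checking, enforced again on the server.
SCHEMA = {
    "email": {"type": "email", "required": True, "maxlength": 254},
    "age": {"type": "number", "required": True, "min": 13, "max": 120},
}
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")  # deliberately loose

# Constructed bodies: one from a conforming client, one from a client
# (legacy, scripted or hostile) that never ran the client-side checks.
GOOD = "email=user%40example.org&age=30"
BAD = "email=not-an-address&age=-5&age=200&admin=1"

def check_type(rule, value):
    """Return an error string, or None if the value satisfies the rule."""
    if len(value) > rule.get("maxlength", 1024):
        return "too long"
    if rule["type"] == "email":
        return None if EMAIL_RE.fullmatch(value) else "not an e-mail address"
    if rule["type"] == "number":
        if not re.fullmatch(r"-?[0-9]+", value):
            return "not a number"
        n = int(value)
        in_range = rule.get("min", n) <= n <= rule.get("max", n)
        return None if in_range else "out of range"
    return "unknown type"

def validate_submission(body, schema=SCHEMA):
    """Validate a urlencoded form body; return (clean_values, errors)."""
    fields = parse_qs(body, keep_blank_values=True, max_num_fields=32)
    clean, errors = {}, {}
    for name in fields.keys() - schema.keys():
        errors[name] = "unexpected field"  # never declared by the form
    for name, rule in schema.items():
        values = fields.get(name, [])
        if len(values) > 1:
            errors[name] = "repeated field"
        elif not values or values[0] == "":
            if rule["required"]:
                errors[name] = "required"
        elif (err := check_type(rule, values[0])) is not None:
            errors[name] = err
        else:
            clean[name] = values[0]
    return clean, errors
```

Only the `clean` dictionary should reach application code, and only when `errors` is empty.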
