- From: Alan J. Flavell <flavell@a5.ph.gla.ac.uk>
- Date: Mon, 20 Nov 2000 20:23:19 +0000 (GMT)
- To: Charles McCathieNevile <charles@w3.org>
- cc: WAI GL <w3c-wai-gl@w3.org>
On Mon, 20 Nov 2000, Charles McCathieNevile wrote:
> On the server when the page is submitted:
>
> if (validated=="no") { valider() }
> else { reserver() }
The aim is clear: to offer a convenient and fast-acting correction of
bad input at the client side, to save the round trip to the server.
So far, so good.
But if this code means what I think it means, then (quite irrespective
of accessibility) I'm afraid there is a problem, since a malicious
user needs only to edit the source to claim that client-side
validation was done when in fact it wasn't, in order to bypass the
validation checks.
It's a firm principle that the server must _always_ validate the
inputs, no matter whether it thinks they have been pre-validated
on the client-side or not.
best regards
Received on Monday, 20 November 2000 15:23:36 UTC