- From: Charles McCathieNevile <charles@w3.org>
- Date: Tue, 21 Nov 2000 13:01:07 -0500 (EST)
- To: <A.Flavell@physics.gla.ac.uk>
- cc: WAI GL <w3c-wai-gl@w3.org>
The assumption is that the user is not deliberately trying to mess the server up, but that the processing has no error-traps built in. I could put a disclaimer into the example, but I think the security issue is more or less tangential to the accessibility question.

cheers

Charles

On Mon, 20 Nov 2000, Alan J. Flavell wrote:

> On Mon, 20 Nov 2000, Charles McCathieNevile wrote:
>
> > On the server when the page is submitted:
> >
> > if (validated=="no") { valider() }
> > else { reserver() }
>
> The aim is clear: to offer a convenient and fast-acting correction of bad input at the client side, to save the round trip to the server. So far, so good.
>
> But if this code means what I think it means, then (quite irrespective of accessibility) I'm afraid there is a problem, since a malicious user needs only to edit the source to claim that client-side validation was done when in fact it wasn't, in order to bypass the validation checks.
>
> It's a firm principle that the server must _always_ validate the inputs, no matter whether it thinks they have been pre-validated on the client-side or not.
>
> best regards

--
Charles McCathieNevile    mailto:charles@w3.org    phone: +61 (0) 409 134 136
W3C Web Accessibility Initiative    http://www.w3.org/WAI
Location: I-cubed, 110 Victoria Street, Carlton VIC 3053, Australia
September - November 2000: W3C INRIA, 2004 Route des Lucioles, BP 93, 06902 Sophia Antipolis Cedex, France
Received on Tuesday, 21 November 2000 13:01:15 UTC
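The point Alan raises in the quoted reply, shown as an added example that is not part of the W3C thread or of any project code: the first handler branches on the client's own `validated` flag (the pattern of the quoted `if (validated=="no")` snippet), the second validates every submission on the server regardless of that flag. The form field names (`name`, `date`, `validated`), the validation rules and the submissions are all constructed for this illustration.

```javascript
// Added example (not from the W3C thread). A reservation-form handler that
// trusts a client-supplied "validated" flag, beside one that always validates
// on the server. Field names and rules are assumptions made for the example.

// Server-side validation rules for a hypothetical reservation form.
function validateReservation(form) {
  const errors = [];
  if (typeof form.name !== "string" || form.name.trim() === "") {
    errors.push("name is required");
  }
  if (typeof form.date !== "string" || !/^\d{4}-\d{2}-\d{2}$/.test(form.date)) {
    errors.push("date must be YYYY-MM-DD");
  }
  return errors;
}

// The step that commits the reservation; it records what it stored so the
// caller can see which submissions actually reached it.
function reserve(form, store) {
  store.push({ name: form.name, date: form.date });
  return { status: "reserved" };
}

// Weak handler: it only validates when the client says validation has NOT
// happened yet, so a submission carrying validated="yes" skips the checks.
function handleTrustingClient(form, store) {
  if (form.validated === "no") {
    const errors = validateReservation(form);
    if (errors.length > 0) return { status: "rejected", errors };
  }
  return reserve(form, store);
}

// Hardened handler: the server validates every submission, whatever the
// client claims; the flag is at most a hint for which message to show.
function handleAlwaysValidate(form, store) {
  const errors = validateReservation(form);
  if (errors.length > 0) return { status: "rejected", errors };
  return reserve(form, store);
}

// Constructed submissions: an honest, well-formed one, and one whose fields
// are invalid but which still arrives with the flag set to "yes".
const honestSubmission = { name: "Ada", date: "2000-11-21", validated: "yes" };
const tamperedSubmission = { name: "", date: "not-a-date", validated: "yes" };

// Run both handlers over the tampered submission and report what each did.
function demo() {
  const trustingStore = [];
  const hardenedStore = [];
  return {
    trusting: handleTrustingClient(tamperedSubmission, trustingStore).status,
    trustingStored: trustingStore.length,
    hardened: handleAlwaysValidate(tamperedSubmission, hardenedStore).status,
    hardenedStored: hardenedStore.length,
    honest: handleAlwaysValidate(honestSubmission, []).status,
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demo());
}
```

Running `demo()` shows the weak handler storing a reservation with an empty name and a malformed date, while the hardened handler rejects the same request and still accepts the honest one. Keeping the client-side check for a faster correction loop is fine; the server-side `validateReservation` call is the one that must run unconditionally.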