- From: <JOrendorff@ixl.com>
- Date: Mon, 24 Jan 2000 11:40:36 -0500
- To: www-style@w3.org
> On Mon, 24 Jan 2000, Matthew Brealey wrote:
> >>> Any scripts that perform validation are suddenly no longer able to
> >>> rely on the fact that elements are only displayed when
> >>> appropriate.
> >> Client-side scripts should not be used for validation.
> > Not strictly true IMO - you should use them to filter out the 'no
> > brainers', but some data require additional server-side validation.
>
> No. Client-side scripts should *absolutely* *never* be used for
> validation. If they are used to simplify the user's life (e.g.,
> checking dates are valid and popping up a dialog if they are not) then
> the checking should *still* be done on the server.
>
> Basically, authors can *never* rely on *anything* happening on the
> client side. They *must* expect to receive garbage input.

A site must do complete server-side validation to avoid processing bad
or malicious data in a dangerous way. That's a crucial security measure.

But a site may validate client-side too, for the user's convenience.
It's a duplication of effort, but it can be worth the time.

--
Jason Orendorff
Received on Monday, 24 January 2000 11:41:19 UTC
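
The point made in the message above, as an added example that is not part of the original post: a date check of the kind mentioned in the quoted text, written so that the server enforces it whatever the client did or did not check. The names `validateDateField` and `handleSubmission`, the `birthDate` field, the `YYYY-MM-DD` format and the year bounds are assumptions made for illustration.

```javascript
// Added example: server-side validation of a date field.
// Assumptions (not from the original message): the field is expected as
// "YYYY-MM-DD", years 1900-2100 are accepted, and all names are hypothetical.

const DATE_RE = /^(\d{4})-(\d{2})-(\d{2})$/;

// Returns { ok: true, value } or { ok: false, error }.
// Never throws: the input may be any type because it comes from the network.
function validateDateField(raw) {
  // A request body can carry arrays, objects, numbers or nothing at all.
  if (typeof raw !== "string") return { ok: false, error: "not a string" };
  // Bound the length before running the regex.
  if (raw.length !== 10) return { ok: false, error: "wrong length" };
  const m = DATE_RE.exec(raw);
  if (!m) return { ok: false, error: "wrong format" };

  const year = Number(m[1]), month = Number(m[2]), day = Number(m[3]);
  if (year < 1900 || year > 2100) return { ok: false, error: "year out of range" };
  if (month < 1 || month > 12) return { ok: false, error: "month out of range" };

  // Day 0 of the next month is the last day of this month (handles leap years).
  const daysInMonth = new Date(Date.UTC(year, month, 0)).getUTCDate();
  if (day < 1 || day > daysInMonth) return { ok: false, error: "day out of range" };

  return { ok: true, value: raw };
}

// Server-side handler logic: validate the field regardless of what a
// client-side script already checked, and reject the request on failure.
function handleSubmission(body) {
  const input = body !== null && typeof body === "object" ? body : {};
  const result = validateDateField(input.birthDate); // field name is constructed
  return result.ok
    ? { status: 200, stored: result.value }
    : { status: 400, error: "birthDate: " + result.error };
}

// Constructed sample inputs: one honest, the rest as sent by a client that
// skipped or bypassed the browser-side check.
const samples = [
  { birthDate: "2000-02-29" }, { birthDate: "2000-02-30" },
  { birthDate: ["2000-01-01"] }, { birthDate: "2000-01-01<script>" }, null,
];
for (const s of samples) console.log(JSON.stringify(s), "->", handleSubmission(s).status);
```

The same `validateDateField` can also be loaded in the browser for the convenience check; only the server-side call counts as a security control.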