[whatwg] Client-side verification will never work in the real world

Jason Lustig jasonlustig at adelphia.net
Mon Jun 28 21:08:13 PDT 2004

Hi y'all

I just recently read through the Web Forms 2.0 spec draft. I must say, 
it looks awesome, very exciting from the POV of a web app developer 
(i.e. me), and it would definitely make writing web apps SO much easier 
with these extensions.

However - I am a believer that client-side form vefification - while a 
nice trick that will take care of most users - never will work with 
real-world, open (i.e. anyone can access them) web apps, like 

The reason is this: if the only verification going on is on the client 
side, while it sure makes it easier for the developer, if a hacker 
simply used a user-agent that didn't verify data integrity (they 
wouldn't necessarily have to write a new one from scratch either - like, 
say, they could hack mozilla to take out the verification code), they 
could send in garbage and mess up the database.

Oops! There goes all the data...


More information about the whatwg mailing list