[whatwg] Client-side verification will never work in the real world
Ian Hickson
ian at hixie.ch
Wed Jun 30 07:25:33 PDT 2004
On Tue, 29 Jun 2004, Jason Lustig wrote:
>
> I just recently read through the Web Forms 2.0 spec draft. I must say,
> it looks awesome, very exciting from the POV of a web app developer
> (i.e. me), and it would definitely make writing web apps SO much easier
> with these extensions.
>
> However - I am a believer that client-side form verification - while a
> nice trick that will take care of most users - never will work with
> real-world, open (i.e. anyone can access them) web apps, like
> BBSes/forums/blogs.

Indeed. As the spec says:

# Servers should still perform type-checking on submitted data, as
# malicious users or rogue user agents might submit data intended to
# bypass this client-side type-checking. Validation done via script may
# also be easily bypassed if the user has disabled scripting.
# Additionally, legacy user agents do not support the validation features
# described in this specification and will therefore submit data that has
# not been checked.
--
Ian Hickson U+1047E )\._.,--....,'``. fL
http://ln.hixie.ch/ U+263A /, _.. \ _\ ;`._ ,.
Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
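
The server-side type-checking that the quoted spec text calls for, as an added example that is not part of the original message or of the Web Forms 2.0 draft. The form schema, field names, limits and sample request bodies are assumptions constructed for illustration; the server re-checks every field as if no client-side validation had run.

```python
import re
from urllib.parse import parse_qs

# Hypothetical schema for a forum post form (names and limits are assumptions).
SCHEMA = {
    "email": {"type": "email", "required": True},
    "age": {"type": "number", "min": 13, "max": 120, "required": True},
    "comment": {"type": "text", "maxlength": 200, "required": True},
}
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")

# Constructed request bodies: one a conforming browser would send, one hand-built.
GOOD = "email=a%40b.example&age=30&comment=hello"
FORGED = "email=nope&age=9999&admin=1&comment=" + "x" * 201


def check_field(rule, value):
    """Return an error string, or None when the value satisfies the rule."""
    kind = rule["type"]
    if kind == "email":
        return None if EMAIL_RE.fullmatch(value) else "not an e-mail address"
    if kind == "number":
        # ASCII digits only, bounded length, then the range the form declared.
        if not re.fullmatch(r"-?[0-9]{1,6}", value):
            return "not an integer"
        n = int(value)
        return None if rule["min"] <= n <= rule["max"] else "out of range"
    if kind == "text":
        return None if len(value) <= rule["maxlength"] else "too long"
    return "unknown type"


def validate(body):
    """Validate a urlencoded request body; returns (clean, errors)."""
    fields = parse_qs(body, keep_blank_values=True)
    clean, errors = {}, {}
    for name in fields.keys() - SCHEMA.keys():
        errors[name] = "unexpected field"  # not a control the form contained
    for name, rule in SCHEMA.items():
        values = fields.get(name, [])
        if len(values) > 1:
            errors[name] = "repeated field"
        elif not values or values[0] == "":
            if rule["required"]:
                errors[name] = "missing"
        elif (err := check_field(rule, values[0])) is not None:
            errors[name] = err
        else:
            clean[name] = values[0]
    return clean, errors
```
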