[whatwg] Client-side verification will never work in the real world

Ian Hickson ian at hixie.ch
Wed Jun 30 07:25:33 PDT 2004

On Tue, 29 Jun 2004, Jason Lustig wrote:
> I just recently read through the Web Forms 2.0 spec draft. I must say,
> it looks awesome, very exciting from the POV of a web app developer
> (i.e. me), and it would definitely make writing web apps SO much easier
> with these extensions.
> However - I am a believer that client-side form verification - while a
> nice trick that will take care of most users - never will work with
> real-world, open (i.e. anyone can access them) web apps, like
> BBSes/forums/blogs.

Indeed. As the spec says:

# Servers should still perform type-checking on submitted data, as
# malicious users or rogue user agents might submit data intended to
# bypass this client-side type-checking. Validation done via script may
# also be easily bypassed if the user has disabled scripting.
# Additionally, legacy user agents do not support the validation features
# described in this specification and will therefore submit data that has
# not been checked.

Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
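
The server-side type-checking that the quoted spec text calls for, as an added example that is not part of the original message or of the Web Forms 2.0 spec. The field names, limits and `SCHEMA` layout are assumptions made for illustration; the server re-checks every declared constraint no matter what the client claims to have validated.

```python
import re
from datetime import date

# Hypothetical schema mirroring constraints a form might also
# declare client-side (field names and limits are constructed).
SCHEMA = {
    "email": {"type": "email", "required": True, "maxlength": 254},
    "age": {"type": "number", "required": True, "min": 13, "max": 120},
    "birthday": {"type": "date", "required": False},
    "comment": {"type": "text", "required": False, "maxlength": 500},
}
# Deliberately simple address check, not a full RFC 5322 parser.
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")
# Constructed submission, as a client that skipped validation might send it.
BYPASSED = {"email": "not-an-email", "age": "-5", "birthday": "2004-02-30", "is_admin": "1"}

def check_type(kind, value, rule):
    """Return an error string for one non-empty value, or None if it conforms."""
    if kind == "email":
        return None if EMAIL_RE.fullmatch(value) else "not an e-mail address"
    if kind == "number":
        if not re.fullmatch(r"-?[0-9]{1,9}", value):
            return "not an integer"
        n = int(value)
        return None if rule["min"] <= n <= rule["max"] else "out of range"
    if kind == "date":
        try:
            date.fromisoformat(value)
        except ValueError:
            return "not an ISO date"
    return None  # plain text: only presence and length are checked by the caller

def validate(submitted):
    """Re-check every field on the server; never assume the client did."""
    errors = {}
    for name in set(submitted) - set(SCHEMA):
        errors[name] = "unexpected field"
    for name, rule in SCHEMA.items():
        value = submitted.get(name, "")
        if not isinstance(value, str):
            errors[name] = "not a single string value"
        elif value == "":
            if rule["required"]:
                errors[name] = "required"
        elif len(value) > rule.get("maxlength", len(value)):
            errors[name] = "too long"
        elif (err := check_type(rule["type"], value, rule)):
            errors[name] = err
    return errors
```

An empty dict from `validate` means the submission passed; anything else should be rejected before the data reaches storage or rendering.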
