Hi guys.
Very good point.
So, with all this, I guess there is now no way to define validation rules for a form but disabling the javascript side only for a single field (like the password in this case).
Like Niall said, there is no way the engine could know that the Javascript should not be rendered for a particular field, unless it is specified in the XML. Anyway update planned in this area?


Thx for the help.
Really appreciate it.

Eric.


Niall Pemberton wrote:

That sounds fine in theory, but I can't see how we could actually implement
that in reality. When the validation javascript is being rendered there is
no knowledge of whether the associated form field is a "password" type or
not and just having the actual validators ignoring password fields isn't
"shipping with secure best practice" if all the rules (min/max lengths,
regular expressions etc) are still rendered in the javascript.

Niall

----- Original Message -----
From: "David Graham" <[EMAIL PROTECTED]>
To: "Jakarta Commons Users List" <[email protected]>
Sent: Thursday, January 13, 2005 8:35 PM
Subject: Re: [commons-validator] Problems with Javascript mask validation..plz Help!





Even though you tell the user the password rules they still shouldn't be
able to see the details of how you're validating the password.  I believe
validator should ship with the secure best practices implemented by
default and make the user enable/disable as they want.

David

--- Niall Pemberton <[EMAIL PROTECTED]> wrote:



Even though the current javascript mask validator ignores password fields
the validation algorithm is still revealed since (in Struts) the javascript
to call that validator with the appropriate regexp is still generated.

I also think that we shouldn't restrict what validation can be specified
since what's a "good idea" to do (or not do) depends on the situation:

1) For "logon forms" I agree as little information as possible should be
given and I would recommend that only two validation checks are made -
a) a password must be entered (i.e. required) and b) the password entered
must match that stored against the user.

2) For creating/changing a password it's a different matter, since if there
are rules such as minimum/maximum lengths or a particular regexp validation
algorithm - then the user needs to be told what the rules are if they enter
an invalid password and I don't see a problem with having javascript
validations for this.

IMO we should remove any restrictions on password validations and just
provide some "best practice" advice.

Niall

----- Original Message -----
From: "David Graham" <[EMAIL PROTECTED]>
To: "Jakarta Commons Users List" <[email protected]>
Sent: Wednesday, January 12, 2005 8:56 PM
Subject: Re: [commons-validator] Problems with Javascript mask validation..plz Help!





Revealing detailed validation algorithms for passwords on the client is a
security issue so validator does not allow it by default.  Also, you
should be able to replace [a-zA-Z_0-9] with \w.

David

--- Matt Bathje <[EMAIL PROTECTED]> wrote:



Eric Giguere wrote:


Hi all
I have a problem with the commons-validator 1.1.3 javascript
implementation for validating masks.
I tried to validate user name and password on a form.

For testing purposes, I've set both fields with the same regexp in the
validation.xml file:
^[a-zA-Z_0-9][a-zA-Z_0-9!^$&amp;%]{5,14}$
The username gets validated ok but not the password. Is it possible? Does
the fact that the control shows **** as data (password field) break the
validation?



The javascript side of the mask validation only works on fields with
type hidden, text, textarea or file.


Matt
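
The per-field opt-out discussed in this thread, as an added example that is not part of the original messages and is not commons-validator or Struts code: each field declares its input type, the renderer sends only "required" to the browser for password fields, and the server still enforces every rule. The field/rule schema and all function names are hypothetical.

```javascript
// Added example. The field/rule schema below is hypothetical and is not
// commons-validator's validation.xml format.
// Regexp from the thread, with the XML entity &amp; decoded to &.
const MASK = "^[a-zA-Z_0-9][a-zA-Z_0-9!^$&%]{5,14}$";

// Constructed form definition: each field declares its input type, which is
// the information the JavaScript renderer lacks in the discussion above.
const form = [
  { name: "username", type: "text",     rules: { required: true, mask: MASK } },
  { name: "password", type: "password", rules: { required: true, mask: MASK } },
];

// Rules that may be serialized into the page. Password fields keep only
// "required"; length and regexp rules never leave the server.
function clientRules(fields) {
  return fields.map(({ name, type, rules }) => ({
    name,
    rules: type === "password"
      ? (rules.required ? { required: true } : {})
      : { ...rules },
  }));
}

// The JSON that would be embedded in the page's script block.
function renderClientConfig(fields) {
  return JSON.stringify(clientRules(fields));
}

// The server enforces every rule, whatever the client was sent.
function validateOnServer(fields, values) {
  const errors = [];
  for (const { name, rules } of fields) {
    const value = values[name] ?? "";
    if (rules.required && value === "") {
      errors.push(`${name}: required`);
    } else if (value !== "" && rules.mask && !new RegExp(rules.mask).test(value)) {
      errors.push(`${name}: invalid`);
    }
  }
  return errors;
}
```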



