RE: Validation Frame work

2005-05-25 Thread Steve Kirk
What a good point, especially as IE becomes harder and harder to secure,
people are starting to turn off active content, which can include simple
innocent js code.  I'm a fan of the lowest common denominator approach to
using HTML and JS features.

 -Original Message-
 From: Bernhard Slominski [mailto:[EMAIL PROTECTED] 
 Sent: Wednesday 25 May 2005 13:35
 To: 'Tomcat Users List'
 Subject: AW: Validation Frame work
 
 
 I agree with Steve, but there is a much simpler possibility that the JS
 validation does not work:
 The user can just switch it off in the browser.
 This might not be just to bypass validation, but maybe just for security
 reasons, so for business critical applications I'd discourage anyone from
 using it. If you have something like a guestbook, and the validation fails
 and you end up with something like an entry without email address, so what.
 
 Bernhard
 
  -Original Message-
  From: Steve Kirk [mailto:[EMAIL PROTECTED]
  Sent: Tuesday, 24 May 2005 20:02
  To: 'Tomcat Users List'
  Subject: RE: Validation Frame work
  
  
  David is right, JS and serverside validation perform different roles.  To
  expand on his comment a bit more, remember that the requests that your
  webapp receives could be sent by any HTTP client, not necessarily by a
  friendly web browser.  If someone were so inclined, they could write their
  own HTTP client to interact with your webapp, that aimed to deliberately
  submit bad data to your servlet, in which case your JS validation would have
  been bypassed.  What they can't do is bypass your serverside validation (or
  at least this is much harder).
  
  Just one trick that such nasty people might try is to insert JS code in any
  form fields that you let them create or edit.  If this field data is then
  displayed in other pages of your app, this might cause anyone viewing that
  page on your site to download a trojan/virus/etc.  It's really very easy to
  do.  And this is only one such exploit.  There are many others.
  
   -Original Message-
   From: David Smith [mailto:[EMAIL PROTECTED] 
   Sent: Tuesday 24 May 2005 16:19
   To: Tomcat Users List
   Subject: Re: Validation Frame work
   
   
   Because you should never trust the client. They may not be submitting
   from your form.  Javascript is just a nicety to save the user a whole
   request/response cycle just to find out a field is missing or wrong.
   Consider it a security issue.
   
   -- David
   
   raja buddha wrote:
   
Hi all
In struts why do we need validation frame work  we have java script
to do validations. Is there any extra advantage of using the validation
frame work
   
raj
   



RE: Validation Frame work

2005-05-24 Thread Raghupathy,Gurumoorthy
This also does the validation on serverside and it is declarative rather
than programmatic :)
It can be done in a single xml :) no need to write extra code :)
<html:errors/> does it all for the serverside :)

Regards
Guru

-Original Message-
From: raja buddha [mailto:[EMAIL PROTECTED] 
Sent: 24 May 2005 16:05
To: [EMAIL PROTECTED]; tomcat-user@jakarta.apache.org
Subject: Validation Frame work


Hi all
In struts why do we need validation frame work  we have java script
to do validations. Is there any extra advantage of using the validation
frame work

raj




Re: Validation Frame work

2005-05-24 Thread David Smith
Because you should never trust the client. They may not be submitting 
from your form.  Javascript is just a nicety to save the user a whole 
request/response cycle just to find out a field is missing or wrong. 
Consider it a security issue.


-- David

raja buddha wrote:


Hi all
In struts why do we need validation frame work  we have java script
to do validations. Is there any extra advantage of using the validation
frame work

raj




RE: Validation Frame work

2005-05-24 Thread Steve Kirk
David is right, JS and serverside validation perform different roles.  To
expand on his comment a bit more, remember that the requests that your
webapp receives could be sent by any HTTP client, not necessarily by a
friendly web browser.  If someone were so inclined, they could write their
own HTTP client to interact with your webapp, that aimed to deliberately
submit bad data to your servlet, in which case your JS validation would have
been bypassed.  What they can't do is bypass your serverside validation (or
at least this is much harder).

Just one trick that such nasty people might try is to insert JS code in any
form fields that you let them create or edit.  If this field data is then
displayed in other pages of your app, this might cause anyone viewing that
page on your site to download a trojan/virus/etc.  It's really very easy to
do.  And this is only one such exploit.  There are many others.

 -Original Message-
 From: David Smith [mailto:[EMAIL PROTECTED] 
 Sent: Tuesday 24 May 2005 16:19
 To: Tomcat Users List
 Subject: Re: Validation Frame work
 
 
 Because you should never trust the client. They may not be submitting 
 from your form.  Javascript is just a nicety to save the user a whole 
 request/response cycle just to find out a field is missing or wrong. 
 Consider it a security issue.
 
 -- David
 
 raja buddha wrote:
 
  Hi all
  In struts why do we need validation frame work  we have java script
  to do validations. Is there any extra advantage of using the validation
  frame work
 
  raj
 

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
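
The two points raised in this thread, as an added example that is not code from any poster or from Struts: the server re-checks every field no matter what the browser-side script did, and stored field data is HTML-encoded before it is displayed. The class name, field names, length limit and sample request are assumptions made for illustration.

```java
import java.util.*;
import java.util.regex.Pattern;

// Added illustration; class, field names and limits are hypothetical.
public class GuestbookServerCheck {
    // Deliberately simple address shape check, not a full RFC 5322 parser.
    private static final Pattern EMAIL = Pattern.compile("^[^@\\s]+@[^@\\s]+\\.[^@\\s]+$");
    private static final int MAX_COMMENT = 500;

    // Runs on every request, whether or not the browser-side script ran.
    static List<String> validate(Map<String, String> params) {
        List<String> errors = new ArrayList<>();
        String email = params.get("email");
        String comment = params.get("comment");
        if (email == null || !EMAIL.matcher(email.trim()).matches()) {
            errors.add("email: missing or malformed");
        }
        if (comment == null || comment.trim().isEmpty()) {
            errors.add("comment: required");
        } else if (comment.length() > MAX_COMMENT) {
            errors.add("comment: longer than " + MAX_COMMENT + " characters");
        }
        return errors;
    }

    // Encode stored field data for an HTML body context before displaying it.
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            switch (s.charAt(i)) {
                case '&': out.append("&amp;"); break;
                case '<': out.append("&lt;"); break;
                case '>': out.append("&gt;"); break;
                case '"': out.append("&quot;"); break;
                case '\'': out.append("&#39;"); break;
                default: out.append(s.charAt(i));
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed request, as a non-browser HTTP client could send it.
        Map<String, String> req = new LinkedHashMap<>();
        req.put("email", "");
        req.put("comment", "<script>alert(1)</script>");
        System.out.println(validate(req));                  // email is rejected server-side
        System.out.println(escapeHtml(req.get("comment"))); // markup is rendered as text
    }
}
```

The constructed comment passes the length and presence checks, which is why the encoding step on output is needed in addition to validation on input.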