What a good point. Especially as IE becomes harder and harder to secure,
people are starting to turn off "active" content, which can include simple,
innocent JS code.  I'm a fan of the "lowest common denominator" approach to
using HTML and JS features.

> -----Original Message-----
> From: Bernhard Slominski [mailto:[EMAIL PROTECTED]
> Sent: Wednesday 25 May 2005 13:35
> To: 'Tomcat Users List'
> Subject: AW: Validation Frame work
>
> I agree with Steve, but there is a much simpler possibility that the JS
> validation does not work: the user can just switch it off in the browser.
> This might not be just to bypass validation, but maybe just for security
> reasons, so for a business-critical application I'd discourage anyone from
> using it. If you have something like a guestbook, and the validation fails
> and you end up with something like an entry without email address, so what.
>
> Bernhard
>
> > -----Original Message-----
> > From: Steve Kirk [mailto:[EMAIL PROTECTED]
> > Sent: Tuesday, 24 May 2005 20:02
> > To: 'Tomcat Users List'
> > Subject: RE: Validation Frame work
> >
> > David is right, JS and serverside validation perform different roles.  To
> > expand on his comment a bit more, remember that the requests that your
> > webapp receives could be sent by any HTTP client, not necessarily by a
> > friendly web browser.  If someone were so inclined, they could write their
> > own HTTP client to interact with your webapp that aimed to deliberately
> > submit bad data to your servlet, in which case your JS validation would have
> > been bypassed.  What they can't do is bypass your serverside validation (or
> > at least this is much harder).
> >
> > Just one trick that such nasty people might try is to insert JS code in any
> > form fields that you let them create or edit.  If this field data is then
> > "displayed" in other pages of your app, this might cause anyone viewing that
> > page on your site to download a trojan/virus/etc.  It's really very easy to
> > do.  And this is only one such exploit.  There are many others.
> >
> > > -----Original Message-----
> > > From: David Smith [mailto:[EMAIL PROTECTED]
> > > Sent: Tuesday 24 May 2005 16:19
> > > To: Tomcat Users List
> > > Subject: Re: Validation Frame work
> > >
> > > Because you should never trust the client. They may not be submitting
> > > from your form.  Javascript is just a nicety to save the user a whole
> > > request/response cycle just to find out a field is missing or wrong.
> > > Consider it a security issue.
> > >
> > > -- David
> > >
> > > raja buddha wrote:
> > >
> > > > Hi all
> > > > In Struts, why do we need the validation framework? We have JavaScript
> > > > to do validations. Is there any extra advantage of using the validation
> > > > framework?
> > > >
> > > > raj
> > > >
> > > >
> > > > ---------------------------------------------------------------------
> > > > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > > > For additional commands, e-mail: [EMAIL PROTECTED]
> > > >

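As an added example (not code from this thread or from Struts itself), here is the server-side counterpart to what Steve and Bernhard describe: a plain Java class that validates the raw parameters a guestbook form would submit and HTML-escapes stored values before they are written into another page, so a client that never ran the page's JS still cannot store an unchecked entry or have its input rendered as script for other visitors. The class and method names (GuestbookValidation, validate, escapeHtml), the regex and the sample request are constructed for illustration; a Map stands in for HttpServletRequest.getParameter().

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Pattern;

public final class GuestbookValidation {
    // Conservative server-side rules (constructed for this example).
    private static final Pattern EMAIL = Pattern.compile("^[^@\\s]+@[^@\\s]+\\.[A-Za-z]{2,}$");
    private static final int MAX_COMMENT = 500;

    // Check raw parameters exactly as the servlet receives them; a Map stands in
    // for HttpServletRequest.getParameter(). Returns field -> error; empty if OK.
    public static Map<String, String> validate(Map<String, String> params) {
        Map<String, String> errors = new LinkedHashMap<>();
        String email = params.getOrDefault("email", "").trim();
        String comment = params.getOrDefault("comment", "");
        if (email.isEmpty()) {
            errors.put("email", "required");
        } else if (!EMAIL.matcher(email).matches()) {
            errors.put("email", "not a valid address");
        }
        if (comment.isEmpty()) {
            errors.put("comment", "required");
        } else if (comment.length() > MAX_COMMENT) {
            errors.put("comment", "longer than " + MAX_COMMENT + " characters");
        }
        return errors;
    }

    // Escape a stored value before writing it into HTML so that text such as
    // "<script>" reaches other visitors as text, not as code the browser runs.
    public static String escapeHtml(String s) {
        // '&' first, so the entities added afterwards are not re-escaped.
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
                .replace("\"", "&quot;").replace("'", "&#39;");
    }

    public static void main(String[] args) {
        // Constructed request from a client that never ran the page's JS.
        Map<String, String> params = new LinkedHashMap<>();
        params.put("email", "not-an-address");
        params.put("comment", "<script>alert(1)</script>");
        System.out.println("errors: " + validate(params));
        System.out.println("<p>" + escapeHtml(params.get("comment")) + "</p>");
    }
}
```

In a Struts application the validator framework the original question asks about performs the first half of this work on the server; the escaping on output is what stops the stored-JS problem Steve mentions.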