Wandering Thoughts archives

2006-09-21

The danger of relying on Javascript for input validation

I've run into a few websites that do some of their input validation on forms and the like entirely in JavaScript. If you are tempted to do this, please don't; not only is it dangerous to you, it's annoying to users.

It's annoying to users because of what can happen to innocent users who try to use your forms with JavaScript turned off: if your forms can still be submitted, the user can wind up unintentionally creating bad data in your system. This is usually very hard for the user to correct afterwards, since (of course) all sorts of things in your system are likely to malfunction in the face of said bad data.

Users, including users not using JavaScript for various reasons, have a rational expectation that if they make mistakes your site will reject them, not damage or destroy their ability to use your site. You break this implicit promise at your peril.

(In this case, being unable to submit the form at all is actually the best outcome, because it clearly tells the user that something is wrong while stopping them from doing any damage.)

For example, I once tried to create an account on such a website. The account creation form asked for your login name and your password; I picked a login and left the password field blank, assuming that either the system would spit an error at me or it would create a random password. Instead, it created the account with a blank password, which it turned out wasn't supposed to be possible, and various bits of the site were not too usable as a result. Including the password change form.
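The account-creation failure described above, as an added example that is not part of the original post: a server-side handler that re-checks the same rules the page's script would check, next to the kind of handler that trusts the browser. The names (validateAccount, handleCreateAccount, handleCreateAccountTrusting), the login rule and the minimum password length are assumptions made for this example, and the account store is an in-memory stand-in for a database.

```javascript
// Added example (not from the original post). Node.js, no dependencies.
// Names, rules and the in-memory store are hypothetical.

const LOGIN_RE = /^[a-z][a-z0-9_]{2,31}$/;
const MIN_PASSWORD_LENGTH = 8;

// One pure rule set. The browser-side script may call this for early
// feedback, but the server must call it too: only the server's call
// is guaranteed to run, since the user may have JavaScript turned off
// or may not be using a browser at all.
function validateAccount({ login, password }) {
  const errors = [];
  if (typeof login !== 'string' || !LOGIN_RE.test(login)) {
    errors.push('login must be 3-32 chars (lowercase letters, digits, underscore), starting with a letter');
  }
  if (typeof password !== 'string' || password.length === 0) {
    errors.push('password is required');
  } else if (password.length < MIN_PASSWORD_LENGTH) {
    errors.push(`password must be at least ${MIN_PASSWORD_LENGTH} characters`);
  }
  return errors;
}

// Constructed in-memory account store standing in for a database.
const accounts = new Map();

// Parse the raw application/x-www-form-urlencoded body exactly as the
// browser submits it. A field that is absent comes back as null from
// URLSearchParams; normalise it to '' so the rules above still apply.
function parseForm(rawBody) {
  const form = new URLSearchParams(rawBody);
  return {
    login: form.get('login') ?? '',
    password: form.get('password') ?? '',
  };
}

// The pattern the post warns about: the server assumes the page's
// JavaScript already validated the input and stores whatever arrives.
// A blank password is silently accepted.
function handleCreateAccountTrusting(rawBody) {
  const { login, password } = parseForm(rawBody);
  accounts.set(login, { password });
  return { status: 201, body: { login } };
}

// The hardened version: the server applies the rules itself and rejects
// bad input with a clear error, so nothing broken is ever stored.
function handleCreateAccount(rawBody) {
  const { login, password } = parseForm(rawBody);
  const errors = validateAccount({ login, password });
  if (errors.length > 0) {
    return { status: 400, body: { errors } };
  }
  if (accounts.has(login)) {
    return { status: 409, body: { errors: ['login already taken'] } };
  }
  // A real system would store a salted password hash here, never the
  // password itself; the placeholder keeps the example self-contained.
  accounts.set(login, { passwordHash: '<hash placeholder>' });
  return { status: 201, body: { login } };
}
```

Calling `handleCreateAccount('login=chris&password=')` returns a 400 with `password is required` and leaves the store untouched, whereas `handleCreateAccountTrusting` with the same body creates an account whose password is the empty string, which is exactly the broken state the post describes. The rule set lives in one function so that the client-side check and the server-side check cannot drift apart, but the server-side call is the only one that counts.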

Unsurprisingly, I haven't really been back since.

web/JavascriptCaution written at 23:45:01

An amusingly truthful hostname

We got email today from a machine called 'server1.ghettowebhosting.net' (IP address 72.29.85.194).

It was advance fee fraud spam. Truth in advertising strikes again!

(I have to wonder about the mindset that makes anyone name their business something like that. Especially when they are apparently a branch of 'Complet-Inet', and say they have multiple data centers with OC-48 connections; this doesn't sound too 'ghetto' to me. Of course, their front page also advertises '99% gaurantee uptime' [sic].)

spam/TruthfulHostname written at 17:49:00


This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.