The danger of relying on Javascript for input validation

September 21, 2006

I've run into a few websites that do some of their input validation on forms and the like entirely in Javascript. If you are tempted to do this, please don't; not only is it dangerous to you, it's annoying to users.

It's annoying to users due to what can happen to innocent users who try to use your forms with JavaScript turned off; if your forms are still submittable, the user can wind up unintentionally creating bad data in your system. This is usually very hard for the user to correct afterwards, since (of course) all sorts of things in your system are likely to malfunction in the face of said bad data.

Users, including users not using JavaScript for various reasons, have a rational expectation that if they make mistakes your site will reject them, not damage or destroy their ability to use your site. You break this implicit promise at your peril.

(In this case, being unable to submit the form at all is actually the best outcome, because it clearly tells the user that something is wrong while stopping them from doing any damage.)

For example, I once tried to create an account on such a website. The account creation form asked for your login name and your password; I picked a login and left the password field blank, assuming that either the system would spit an error at me or it would create a random password. Instead, it created the account with a blank password, which it turned out wasn't supposed to be possible, and various bits of the site were not too usable as a result. Including the password change form.

Unsurprisingly, I haven't really been back since.

Written on 21 September 2006.
« An amusingly truthful hostname
A NFS mount accident on Linux »

Page tools: View Source, Add Comment.
Login: Password:
Atom Syndication: Recent Comments.

Last modified: Thu Sep 21 23:45:01 2006
This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.