[thelist] Javascript Security Risk was (Stopping a user submitting a form from the address bar using JS.)
Timothy Luoma
lists at tntluoma.com
Fri Dec 13 08:12:01 CST 2002
On Fri, 13 Dec 2002 08:58:31 -0500, RUST Randal <RRust at COVANSYS.com> wrote:
> They think that client-side validation is enough, and would rather skip
> the server-side validation.
>
> I disagree with them and want all validation done first on the server-
> side, then we can add client-side validation.
You're right, of course.
The security risk is that if someone wanted to, they could save a copy of
the page, edit it locally, and then submit it. The danger is only limited
to whatever interaction the data has with other pieces of the puzzle.... if
the form just sends email, it's not a huge risk... if the form lets you
into some area you would want to protect, it could be.
TjL
--
Timothy Luoma
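
Added example, not part of the original message: a server-side check that re-validates everything the page's HTML and JavaScript were supposed to enforce, so a submission from a locally edited copy is rejected. The form fields (`email`, `topic`, `message`), their limits and the function name are assumptions made for illustration.

```javascript
// Server-side validation for a hypothetical contact form. Field names,
// limits and allowed values are assumptions made for this example.
const ALLOWED_TOPICS = new Set(["sales", "support", "billing"]);
const KNOWN_FIELDS = new Set(["email", "topic", "message"]);
const MAX_MESSAGE_LENGTH = 500;
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;

// `fields` is the decoded form body exactly as it arrived. Nothing in it is
// trusted: maxlength attributes, <select> options and onsubmit handlers all
// live in the page, which the sender can edit or skip entirely.
function validateSubmission(fields) {
  const errors = [];
  const clean = {};

  const email = typeof fields.email === "string" ? fields.email.trim() : "";
  if (email.length > 254 || !EMAIL_RE.test(email)) errors.push("email");
  else clean.email = email;

  // The <select> offers three topics; a saved copy can send any value.
  if (!ALLOWED_TOPICS.has(fields.topic)) errors.push("topic");
  else clean.topic = fields.topic;

  // maxlength in the page is only a hint; enforce the limit here.
  const message = typeof fields.message === "string" ? fields.message : "";
  if (message.trim() === "" || message.length > MAX_MESSAGE_LENGTH) errors.push("message");
  else clean.message = message;

  // Reject fields the real form never defined.
  for (const name of Object.keys(fields)) {
    if (!KNOWN_FIELDS.has(name)) errors.push("unexpected:" + name);
  }
  const ok = errors.length === 0;
  return { ok, errors, clean: ok ? clean : null };
}

// Constructed sample input: one submission from the unmodified page and one
// from a locally edited copy with the client-side checks removed.
const fromRealPage = { email: "user@example.com", topic: "support", message: "Hello" };
const fromEditedCopy = {
  email: "user@example.com",
  topic: "admin",
  message: "x".repeat(5000),
  role: "admin",
};

console.log(validateSubmission(fromRealPage));
console.log(validateSubmission(fromEditedCopy).errors);
```

Client-side checks can then be layered on top for user convenience, since the server no longer depends on them.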