[thelist] Javascript Security Risk was (Stopping a user submitting a form f rom the address bar using JS.)

Timothy Luoma lists at tntluoma.com
Fri Dec 13 08:12:01 CST 2002

On Fri, 13 Dec 2002 08:58:31 -0500, RUST Randal <RRust at COVANSYS.com> wrote:

> They think that client-side validation is enough, and would rather skip
> the server-side validation.
> I disagree with them and want all validation done first on the server-
> side, then we can add client-side validation.

You're right, of course.

The security risk is that if someone wanted to, they could save a copy of
the page, edit it locally, and then submit it.  The danger is only limited
to whatever interaction the data has with other pieces of the puzzle.... if
the form just sends email, it's not a huge risk... if the form lets you
into some area you would want to protect, it could be.


Timothy Luoma

More information about the thelist mailing list