[cgiapp] Persistence
Joshua Miller
unrtst at gmail.com
Fri Feb 8 14:15:08 EST 2008
Slightly off-topic plug... there's no extra work to do javascript validation
if using Data::FormValidator for your validation.
http://search.cpan.org/~markstos/Data-FormValidator-4.57/
http://developer.berlios.de/projects/formvalidatorjs/
Makes the user experience much better when they don't have to post data to
your server just to figure out if they formatted their dates correctly and
such.
--
Josh I.
On Feb 8, 2008 10:28 AM, Michael Peters <mpeters at plusthree.com> wrote:
>
>
> Ron Savage wrote:
> > On Wed, 2008-02-06 at 17:16 -0500, Michael Peters wrote:
> >
> > Hi Michael
> >
> >> This is why escaping any data that could potentially come from a user
> >> is so important.
> >
> > Not just escaping. OP should be warned that server code cannot just rely
> > on Javascript-based validation. Someone might disable Javascript and
> > submit something nasty. That means the validation should be duplicated
> > on the server too. And yes, that's a PITA.
>
> Very true. In fact, I almost never do Javascript validation because of
> this. Why duplicate my effort? But, it's important to remember that unless
> you're allowing your users to submit HTML or JS code, validation is not
> what prevents XSS. It's output encoding:
>
>
> http://www.oreillynet.com/onlamp/blog/2005/10/repeat_after_me_lack_of__outpu.html
>
> --
> Michael Peters
> Developer
> Plus Three, LP
>
>
> ##### CGI::Application community mailing list ################
> ## ##
> ## To unsubscribe, or change your message delivery options, ##
> ## visit: http://lists.openlib.org/mailman/listinfo/cgiapp ##
> ## ##
> ## Web archive: http://lists.openlib.org/pipermail/cgiapp/ ##
> ## Wiki: http://cgiapp.erlbaum.net/ ##
> ## ##
> ################################################################
>
>
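An added example (not code from anyone in this thread) of the two separate steps Ron and Michael describe: re-checking the submission on the server with Data::FormValidator regardless of what the browser-side check did, and then entity-encoding anything echoed back, since a value that passed validation is still not safe to drop into HTML. The field names, profile and sample submission are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Data::FormValidator;
use HTML::Entities qw(encode_entities);

# Server-side profile: the same rules the browser-side check enforces,
# applied again here because the client may have JavaScript disabled.
my $profile = {
    required           => [qw(name start_date)],
    filters            => ['trim'],
    constraint_methods => {
        # ISO date only (YYYY-MM-DD); the regex is a format check, not a
        # calendar check, so day 31 in February would still pass here.
        start_date => qr/^\d{4}-(0[1-9]|1[0-2])-(0[1-9]|[12]\d|3[01])$/,
        # Names may legitimately contain apostrophes and ampersands, so
        # accepting them is correct; that is exactly why encoding is a
        # separate step from validation.
        name       => qr/^[\w .'&-]{1,60}$/,
    },
};

# Constructed sample submission: the name is valid, the date is in US
# format and therefore fails the server-side check.
my %submitted = (
    name       => q{O'Brien & Sons},
    start_date => '02/08/2008',
);

my $results = Data::FormValidator->check( \%submitted, $profile );

# Step 1: validation decides whether the request is acceptable at all.
if ( $results->has_invalid || $results->has_missing ) {
    my @bad = ( $results->invalid, $results->missing );
    print "Rejected fields: @bad\n";
}

# Step 2: whatever is echoed back into the page is entity-encoded, so
# <, >, &, " and ' in the value cannot be interpreted as markup.
sub render_field {
    my ( $label, $value ) = @_;
    return sprintf "<p>%s: %s</p>\n",
        encode_entities($label), encode_entities( $value // '' );
}

# The name passed validation but still needs encoding on the way out.
print render_field( 'Name', $results->valid('name') // $submitted{name} );
```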