tomcat-users mailing list archives

From "Steve Kirk" <tomcat-u...@web-startup.co.uk>
Subject RE: Validation Frame work
Date Tue, 24 May 2005 18:01:52 GMT
David is right: JS and server-side validation perform different roles. To
expand on his comment a bit more, remember that the requests that your
webapp receives could be sent by any HTTP client, not necessarily by a
friendly web browser. If someone were so inclined, they could write their
own HTTP client to interact with your webapp that aimed to deliberately
submit bad data to your servlet, in which case your JS validation would have
been bypassed. What they can't do is bypass your server-side validation (or
at least this is much harder).

Just one trick that such nasty people might try is to insert JS code in any
form fields that you let them create or edit.  If this field data is then
"displayed" in other pages of your app, this might cause anyone viewing that
page on your site to download a trojan/virus/etc.  It's really very easy to
do.  And this is only one such exploit.  There are many others.

> -----Original Message-----
> From: David Smith [mailto:dns4@cornell.edu] 
> Sent: Tuesday 24 May 2005 16:19
> To: Tomcat Users List
> Subject: Re: Validation Frame work
> 
> 
> Because you should never trust the client. They may not be submitting
> from your form. JavaScript is just a nicety to save the user a whole
> request/response cycle just to find out a field is missing or wrong.
> Consider it a security issue.
> 
> -- David
> 
> raja buddha wrote:
> 
> > Hi all
> > In Struts, why do we need the validation framework when we have JavaScript
> > to do validations? Is there any extra advantage of using the validation
> > framework?
> >
> > raj
> >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> > For additional commands, e-mail: tomcat-user-help@jakarta.apache.org



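An added example illustrating the two points made in this thread (not code from any of the posters, nor from Struts): the server repeats the field checks on the raw request parameters, where a hand-written HTTP client cannot skip them, and HTML-encodes field data before it is displayed in another page. Field names, rules and the forged request are constructed for the illustration; the class has no servlet-API dependency so it runs on its own.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;

public final class ServerSideValidation {

    // Constructed rules, assumed for this example; Struts would express them in validation.xml.
    private static final Pattern USERNAME = Pattern.compile("[A-Za-z0-9_]{3,20}");
    private static final Pattern EMAIL = Pattern.compile("[^@\\s]+@[^@\\s]+\\.[^@\\s]+");

    /** Validates the submitted parameters; an empty list means the submission is acceptable. */
    public static List<String> validate(Map<String, String> params) {
        List<String> errors = new ArrayList<>();
        String user = params.getOrDefault("username", "");
        String email = params.getOrDefault("email", "");
        String age = params.getOrDefault("age", "");
        if (!USERNAME.matcher(user).matches()) errors.add("username: 3-20 letters, digits or underscore");
        if (!EMAIL.matcher(email).matches()) errors.add("email: not a valid address");
        try {
            int a = Integer.parseInt(age);
            if (a < 0 || a > 150) errors.add("age: out of range");
        } catch (NumberFormatException e) {
            errors.add("age: not a number");
        }
        return errors;
    }

    /** HTML-encodes field data before it is written into a page, so stored script text is shown, not run. */
    public static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed request: what any HTTP client could send directly, bypassing the form's JS.
        Map<String, String> forged = Map.of("username", "<script>alert(1)</script>",
                                            "email", "not-an-email", "age", "-5");
        System.out.println(validate(forged));                    // three errors: servlet rejects it
        System.out.println(escapeHtml(forged.get("username")));  // safe to echo back in an error page
    }
}
```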

