tomcat-users mailing list archives

From Bernhard Slominski <bernhard.slomin...@zooplus.com>
Subject AW: Validation Frame work
Date Wed, 25 May 2005 12:34:41 GMT
I agree with Steve, but there is a much simpler possibility that the JS
validation does not work:
The user can just switch it off in the browser.
This might not be just to bypass validation, but maybe just for security
reasons, so for business critical applications I'd discourage anyone from
using it; if you have something like a guestbook, and the validation fails
and you end up with something like an entry without email address, so what.

Bernhard

> -----Original Message-----
> From: Steve Kirk [mailto:tomcat-user@web-startup.co.uk]
> Sent: Tuesday, 24 May 2005 20:02
> To: 'Tomcat Users List'
> Subject: RE: Validation Frame work
> 
> 
> David is right, JS and server-side validation perform different roles.  To
> expand on his comment a bit more, remember that the requests that your
> webapp receives could be sent by any HTTP client, not necessarily by a
> friendly web browser.  If someone were so inclined, they could write their
> own HTTP client to interact with your webapp, that aimed to deliberately
> submit bad data to your servlet, in which case your JS validation would have
> been bypassed.  What they can't do is bypass your server-side validation (or
> at least this is much harder).
> 
> Just one trick that such nasty people might try is to insert JS code in any
> form fields that you let them create or edit.  If this field data is then
> "displayed" in other pages of your app, this might cause anyone viewing that
> page on your site to download a trojan/virus/etc.  It's really very easy to
> do.  And this is only one such exploit.  There are many others.
> 
> > -----Original Message-----
> > From: David Smith [mailto:dns4@cornell.edu] 
> > Sent: Tuesday 24 May 2005 16:19
> > To: Tomcat Users List
> > Subject: Re: Validation Frame work
> > 
> > 
> > Because you should never trust the client. They may not be submitting
> > from your form.  Javascript is just a nicety to save the user a whole
> > request/response cycle just to find out a field is missing or wrong.
> > Consider it a security issue.
> > 
> > -- David
> > 
> > raja buddha wrote:
> > 
> > > Hi all
> > > In struts why do we need validation frame work  we have java script
> > > to do validations. Is there any extra advantage of using the validation
> > > frame work
> > >
> > > raj
> > >

---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
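The thread's two points, that the server must re-validate every request because any HTTP client can skip the browser-side checks, and that field data echoed back into pages must not be rendered as live markup, are illustrated below in an added example. It is not code from the thread or from Tomcat or Struts; the class name, field names and limits are hypothetical, and the input map stands in for the parameters a servlet would read with `HttpServletRequest.getParameter`.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Pattern;

/**
 * Hypothetical server-side validation and output escaping for a guestbook
 * form. Nothing here depends on the browser having run any JavaScript:
 * the same checks apply to a request built by hand with any HTTP client.
 */
public class GuestbookServerValidation {

    // Conservative e-mail shape check: one '@', no whitespace, a dot in the domain part.
    private static final Pattern EMAIL = Pattern.compile("^[^\\s@]+@[^\\s@]+\\.[^\\s@]+$");
    private static final int MAX_NAME = 60;
    private static final int MAX_MESSAGE = 2000;

    /**
     * Validates the raw request parameters as the servlet receives them and
     * returns a field -> problem map; an empty map means the submission is acceptable.
     */
    public static Map<String, String> validate(Map<String, String> params) {
        Map<String, String> errors = new LinkedHashMap<>();
        String name = trimOrEmpty(params.get("name"));
        String email = trimOrEmpty(params.get("email"));
        String message = trimOrEmpty(params.get("message"));

        if (name.isEmpty()) {
            errors.put("name", "required");
        } else if (name.length() > MAX_NAME) {
            errors.put("name", "too long");
        }
        if (email.isEmpty()) {
            errors.put("email", "required");
        } else if (!EMAIL.matcher(email).matches()) {
            errors.put("email", "not a valid address");
        }
        if (message.isEmpty()) {
            errors.put("message", "required");
        } else if (message.length() > MAX_MESSAGE) {
            errors.put("message", "too long");
        }
        return errors;
    }

    /**
     * Escapes the characters that let stored text turn into markup or script
     * when it is later "displayed" in an HTML body or attribute.
     */
    public static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&': sb.append("&amp;"); break;
                case '<': sb.append("&lt;"); break;
                case '>': sb.append("&gt;"); break;
                case '"': sb.append("&quot;"); break;
                case '\'': sb.append("&#39;"); break;
                default: sb.append(c);
            }
        }
        return sb.toString();
    }

    private static String trimOrEmpty(String s) {
        return s == null ? "" : s.trim();
    }

    public static void main(String[] args) {
        // Constructed request: what arrives when the browser-side checks were skipped.
        Map<String, String> crafted = new LinkedHashMap<>();
        crafted.put("name", "<script>alert('hi')</script>");
        crafted.put("email", "not-an-address");
        crafted.put("message", "");

        // Server-side validation rejects the bad e-mail and the empty message
        // regardless of what the client did or did not run.
        System.out.println("errors: " + validate(crafted));

        // The name passed the length check, so it would be stored; escaping at
        // render time keeps it from executing in other visitors' browsers.
        System.out.println("rendered name: " + escapeHtml(crafted.get("name")));
    }
}
```

In a servlet or Struts action the `validate` result decides whether to store the entry or redisplay the form with errors, and `escapeHtml` (or the equivalent JSTL `<c:out>` / Struts `<bean:write>` escaping) is applied at the point where the stored text is written into a page, not only at input time, so that data reaching the database by any other path is still rendered safely.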

