Do all browsers ignore nameless input fields?

Question

Is it guaranteed that a browser doesn't send an input element if it doesn't have the name attribute specified?

For example, can we assume that POSTing the form below won't send the credit card number?

<form action="/process" method="post">
  <input id="credit-card-number" type="text">
  <input type="submit" name="commit" value="Go">
</form>

Impossible to say whether "all browsers" handle the spec correctly. But all browsers that matter do. — jessegavin, Oct 08 '12 at 15:26
What makes you ask this? Prompting for a credit card number *looks* risky, so why would you do that if you don’t want to send it? — Jukka K. Korpela, Oct 08 '12 at 16:33
@JukkaK.Korpela By not sending credit card information to your server the PCI-compliance criteria is significantly dropped. In this case, we validate other order information over AJAX. Once validated, we generate a hidden credit card form on the fly which we send to the gateway provider, thus dodging the huge responsibility. — randomguy, Oct 09 '12 at 13:29

score 11 · Accepted Answer · answered Oct 08 '12 at 15:25

Is it guaranteed that a browser doesn't send an input element if it doesn't have the name attribute specified?

Yes (unless you muck about with JavaScript to change that).

A successful control must be defined within a FORM element and must have a control name.

score 0 · Answer 2 · edited Aug 06 '18 at 19:42

0

The standard says that to send an input it should be a successful "control."

If a control doesn't have a name it's not a successful "control," so it should not be sent.

edited Aug 06 '18 at 19:42

Andre Bulatov

answered Oct 08 '12 at 15:28

2 Answers2