0

I have a text box on a page, and when the user clicks "Submit" I grab the text field and post it with jQuery like this:

$("#text_submit").submit(function(event) {
    // read the text field and POST it as form data
    var user_text = $("input#user_text").val();
    $.post("/create/", { text : user_text }, function(data){
         // display response from server on the page
    });
    // stop the browser from also submitting the form normally
    event.preventDefault();
});

Then on the server side I'll validate the text (it's supposed to be a URL) and return a response.

Is it safe to post whatever the user puts in the text box to the server? Do I need to do any client-side validation of the user's text?

rook
Kevin Burke

3 Answers

2

I disagree with the above posts that server side is a double check or a secondary measure. Server side validation is the only measure. Client-side validation can be bypassed. Javascript can be disabled.

I think of client-side validation as more helpful for the user. It prevents having to POST for simple malformed data errors and provides instant feedback to the user on mistakes.

For security though, server-side validation is all you can rely on.

Also see: JavaScript: client-side vs. server-side validation

Community
mfanto
  • Thanks - that was what I'd thought as well. I also just discovered HTML5 form validation - that will help for a large minority of users. – Kevin Burke Mar 20 '11 at 01:01
  • Client side validation definitely has its role, but server-side is what matters IMHO. Here's a cool tool that acts as a proxy and lets you modify POST values, bypassing javascript validation: http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project – mfanto Mar 20 '11 at 01:08
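To make the point of this answer concrete for the question's `/create/` endpoint, here is an added example (not code from the question or from any answer) showing a server-side URL validator that is applied to whatever body actually arrives, regardless of anything the browser claims to have checked. The same function can be reused in the page for instant feedback, which is the "helpful for the user" role described above. The function names, the `clientValidated` flag, the allowed-scheme list and the sample inputs are all constructed for this example; the parser is Node's built-in WHATWG `URL`.

```javascript
// Added example: server-side URL validation that does not depend on the
// client-side check. Uses Node's global WHATWG `URL` parser.
// ALLOWED_SCHEMES, MAX_LENGTH and all function names are assumptions.

const ALLOWED_SCHEMES = new Set(["http:", "https:"]);
const MAX_LENGTH = 2048;

// Returns { ok: true, url } for an acceptable absolute http(s) URL,
// or { ok: false, reason } otherwise. Never throws on bad input.
function validateUrl(text) {
  if (typeof text !== "string") return { ok: false, reason: "not a string" };
  const trimmed = text.trim();
  if (trimmed.length === 0) return { ok: false, reason: "empty" };
  if (trimmed.length > MAX_LENGTH) return { ok: false, reason: "too long" };
  let parsed;
  try {
    parsed = new URL(trimmed); // relative or garbage input throws here
  } catch (e) {
    return { ok: false, reason: "unparseable" };
  }
  if (!ALLOWED_SCHEMES.has(parsed.protocol)) {
    return { ok: false, reason: "scheme not allowed: " + parsed.protocol };
  }
  if (parsed.hostname === "") return { ok: false, reason: "missing host" };
  if (parsed.username || parsed.password) {
    return { ok: false, reason: "credentials in URL" };
  }
  return { ok: true, url: parsed.href }; // normalized form is what gets stored
}

// Models the /create/ handler. `body` is whatever arrived on the wire.
// A client-supplied hint such as `clientValidated` is deliberately ignored:
// anyone using curl or an intercepting proxy can set it to true.
function handleCreate(body) {
  const result = validateUrl(body && body.text);
  if (!result.ok) {
    return { status: 400, body: { error: "invalid url", reason: result.reason } };
  }
  return { status: 201, body: { stored: result.url } };
}

// Client side: the same rule, used only for instant feedback in the browser.
// In the question's jQuery handler this would run before $.post so the user
// sees the reason next to the field; the server still runs validateUrl.
function clientSideCheck(text) {
  return validateUrl(text).ok;
}

// Constructed sample submissions: what a browser running the jQuery handler
// would send, plus values a request that skipped that handler might carry.
const SAMPLES = [
  "https://example.com/path?q=1",
  "  https://example.com  ",
  "javascript:void(0)",
  "ftp://example.com/file",
  "not a url",
  "http://user:pw@example.com/",
  "",
];

// Runs every sample through the handler and returns the status codes,
// so the outcome can be inspected without relying on printed output.
function runSamples() {
  return SAMPLES.map(function (text) {
    return handleCreate({ text: text, clientValidated: true }).status;
  });
}

if (typeof require !== "undefined" && require.main === module) {
  SAMPLES.forEach(function (text) {
    console.log(JSON.stringify(text), "->", JSON.stringify(handleCreate({ text: text })));
  });
}
```

The handler returns 400 for every sample except the two well-formed `https://` ones, whether or not `clientValidated` was sent. Running `validateUrl` on the client is still worthwhile for the reasons the answer gives (no round trip for obvious mistakes), but only the copy on the server counts as a control.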
1

It depends on what the content is and how you want to validate it. I would always validate first on the client and validate on the server as a secondary measure if javascript is turned off.

Daniel A. White
0

As a general rule of thumb (at least in security) you should trust no user, so I think it would be the wise choice to validate the data client-side (it's also faster) and then, if the first validation passed, validate it server-side, to "double-check" (or to have a safety net if the user has Javascript turned off, something you don't see THAT often).

AeroCross