[Esapi-user] Validation fields with JSF

Kevin W. Wall kevin.w.wall at gmail.com
Wed Feb 24 22:39:42 EST 2010

Jeff Williams wrote:
> Yes - absolutely right. Does the Internet even work anymore without JS?

Most definitely, otherwise Firefox/NoScript would not have the large following
that it does. Generally I find with JS disabled, 80% or so of any particular
site still is usable, just not 100% of it. And the parts that are not  usable
are things that I often don't care about anyhow, such as some advertiser's Flash
commercial, etc. Of course, certain sites are completely useless w/out
JS enabled (e.g., YouTube), but I visit those rarely enough that I've still
not made any exceptions to white-list them. I usually reserve that for trusted
sites such as my bank, etc. But definitely I don't white-list sites that have
user forums.

John Melton wrote:
> Jeff,
> Just a thought ... this might depend on how you define your user group.
> Your point may be true in some settings, but on many sites, you're bound to
> have folks using the site w/ javascript disabled in the browser, which would
> disable the client-side validation protections.  Since many applications
> still have to function under these circumstances, and users that have
> javascript disabled aren't bad per se, I wouldn't say that it's *always* an
> indicator of illegitimate use.

True, but if for example, you require that JS be enabled in the first place
for the form submittal to work at all, they I think that what Jeff wrote:

>>  One quick thought about client-side validation.  If you validate on the
>> client, then legitimate users should **never** generate validation errors
>> on the server.  So if you get one, you can be much harsher with your
>> response.

probably is true. In such cases, if they are legitimate users who have JS
disabled, they won't be able to submit *anything* so if you get something
invalid from them that you also validate with JS you *can* treat them much
harsher, such as invalidating their HTTP session or letting them suck
down a few GB from /dev/zero for awhile. ;-)

Kevin W. Wall
"The most likely way for the world to be destroyed, most experts agree,
is by accident. That's where we come in; we're computer professionals.
We cause accidents."        -- Nathaniel Borenstein, co-creator of MIME

More information about the Esapi-user mailing list