23 November 2010

Inline Form Validation

Some form entry errors are due to human mistakes; these may be made worse or more likely by poor design. Can HTML 5 and CSS 3 help? A fairly recent article Forward Thinking Form Validation on A List Apart discusses how the new input types and attributes in HTML 5 combined with CSS 3's basic UI module can be used to guide users on how to complete form fields in real-time, making it less likely for them to make mistakes.

Photograph of a huge crowd attending the first Muse concert at Wembley Stadium in September 2010

The explanation and demonstration are quite compelling, but do read the associated comments. Client-side validation can reduce human error (e.g. typos), and the number of requests submitted to the server with invalid data (see Input Masking at the Web Browser, Don't Stop the Attack (Too Soon), Let Down By Customer Surveys, Email Address Formats, and Input Validation and Output Encoding). See also these recent blog posts elsewhere:

But do not expose all your business logic in client-side validation. For example, checking the general format of the account number would be reasonable, but the detailed validation (including authorisation) checks should only be undertaken server-side. This is because if the session or authorisation checks fail, it is difficult to handle this well dynamically on the form page—do we suddenly display an authentication form? Additional business logic on the client can also introduce new vulnerabilities.

The validation constraints also need to be flexible enough to cater for "valid", "reasonable" and "invalid" values. For example, you may want to store a telephone number without space characters (the valid format), but it is probably unreasonable to impose this on users who may well find it easier to type the spaces (or hyphens and parentheses) as they go. That would be a reasonable value, which client-side validation could allow, but is then accepted and sanitised before storage. When the telephone number is re-displayed it must be encoded appropriately, but it can also be formatted in the most legible way. Space characters apply in a similar way for credit card numbers.

And, always, undertake the same validation checks on the server too.

In my talk at AppSec Washington DC earlier this month (slides and workbook), I used the form validation as an example of how knowledge of any client-side validation may affect the response to data verification failures. In a form without client-side validation, a wide range of user input is not necessarily malicious.

Chart showing a range of unacceptable to acceptable user behaviour for invalid data received by an application with 'Form radio button element item value is not a positive, non zero, integer' well to the unacceptable end of the range, and 'Form TEXT element account code is a string but is the wrong format', 'Form TEXT element password value has trailing white space' and 'Form TEXT element phone number value contains a hyphen character' towards the acceptable end of the range

However, if there is fully enforced client-side format validation, the receipt of invalid data could be more suspicious. This is because a user would have to use special tools to achieve this effect.

Chart showing a range of unacceptable to acceptable user behaviour for invalid data, which has also bypassed client side validation received by an application with the same points as in the previous chart, but they are all now in the unacceptable area except for 'Form TEXT element password value has trailing white space'

The siutuation is different if the data being validation came from another computer system, rather than direct human entry.

All human users will react in different ways to forms, and depending on circumstances, there will be a variety of human errors submitted. Client side validation can help with the user experience but is not a replacement for server-side validation. Knowledge of the validation mechanisms can help make better decisions on the server about the type of response to make. But remember that each browser version may react in different ways, and as before, if you are using any JavaScript for validation, this may be turned off by some users. Humans make programming errors too!

Posted on: 23 November 2010 at 08:31 hrs

Comments Comments (0) | Permalink | Send Send | Post to Twitter

Comments

Comments are filtered automatically and should appear shortly after they been checked.

Post a comment
Confirm acceptance and understanding of the terms of use
New posts to this thread will be sent to your email address
Inline Form Validation
http://www.clerkendweller.com/2010/11/23/Inline-Form-Validation
ISO/IEC 18004:2006 QR code for http://clerkendweller.com

Page http://www.clerkendweller.com/2010/11/23/Inline-Form-Validation
Requested by 38.107.179.224 on Thursday, 17 May 2012 at 22:08 hrs (London date/time)

Please read our terms of use and obtain professional advice before undertaking any actions based on the opinions, suggestions and generic guidance presented here. Your organisation's situation will be unique and all practices and controls need to be assessed with consideration of your own business context.

Terms of use http://www.clerkendweller.com/page/terms
Privacy statement http://www.clerkendweller.com/page/privacy
© 2010-2012 clerkendweller.com