BIG WARNING - validation controls appear to be ignored.

From: Andy Fish (ajfish_at_blueyonder.co.uk)
Date: 02/24/05

  • Next message: IPGrunt: "Re: BIG WARNING - validation controls appear to be ignored."
    Date: Thu, 24 Feb 2005 16:33:01 -0000
    
    

    Hi,

    Although I have got to the bottom of this problem, it gave me quite a shock
    to discover how easy it is to write a very unsafe application with .Net
    validators.

    The scenario was this: we wrote and tested an application using validators,
    but when we deployed the app onto a different server, it accepted and
    processed invalid input from the user.

    Turns out that in testing the validators were running client-side. When a
    client-side validator blocks the input there is no postback and hence
    nothing happens on the server. However, if client-side validation is
    disabled for any reason, all control events fire on the server even if the
    page is invalid. If, like me, you were expecting the page processing to
    finish in the event of a validation failure and not fire button clicks etc,
    you are sadly mistaken. If you use validators, you must manually check
    Page.IsValid in every "click" event.

    I realise this is probably in the documentation (section 34.4b(ii)
    subsection 2(i) sub-paragraph 23a.3.64) and many of you gurus will think
    this is obvious, but I'm sure that there must be hundreds of apps out there
    that are unwittingly relying on client-side validation.

    The moral is this: ALWAYS TEST THE APPLICATION WITH CLIENT SIDE VALIDATION
    DISABLED. The default configuration could lull you into a false sense of
    security and could lead to shipping an unsafe application.

    Andy
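
The guard described in the message above, as an added example that is not part of the original post: a code-behind whose click handler checks Page.IsValid, plus a switch that turns client-side validation off so the server path gets exercised in testing. The class name, control names and the "DisableClientValidation" appSetting are assumptions made for illustration.

```csharp
using System;
using System.Configuration;
using System.Web.UI;
using System.Web.UI.WebControls;

// Assumed code-behind for a page holding a TextBox with a RangeValidator,
// a submit Button and a status Label. All control names are hypothetical.
public class OrderPage : Page
{
    protected TextBox QuantityBox;
    protected Label StatusLabel;

    protected override void OnLoad(EventArgs e)
    {
        base.OnLoad(e);

        // Test aid: with the hypothetical appSetting "DisableClientValidation"
        // set to "true", no validator emits client script, so every submit
        // posts back and only the server-side checks stand in the way.
        if (ConfigurationManager.AppSettings["DisableClientValidation"] == "true")
        {
            foreach (IValidator v in Page.Validators)
            {
                BaseValidator bv = v as BaseValidator;
                if (bv != null) bv.EnableClientScript = false;
            }
        }
    }

    // Wired to the submit button's Click event (CausesValidation left at true).
    protected void SubmitButton_Click(object sender, EventArgs e)
    {
        // The validators have run on the server by now, but this handler is
        // invoked whether they passed or not. Without the guard, the input
        // below would be processed even though the page is invalid.
        if (!Page.IsValid)
        {
            StatusLabel.Text = "Input rejected by server-side validation.";
            return;
        }

        // A RangeValidator treats an empty field as valid unless a
        // RequiredFieldValidator is also attached, so parse defensively.
        int quantity;
        if (!int.TryParse(QuantityBox.Text, out quantity))
        {
            StatusLabel.Text = "Quantity is required.";
            return;
        }
        StatusLabel.Text = "Order accepted for " + quantity + " item(s).";
    }
}
```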

