
Client side validation of a post request?

I have a text box on a page, and when the user clicks "Submit" I grab the text field and post it with jQuery like this:

$("#text_submit").submit(function(event){
    var user_text = $("input#user_text").val();
    $.post("/create/", { text : user_text }, function(data){
         //display response from server on the page;
    });
    event.preventDefault();
});

Then on the server side I'll validate the text (it's supposed to be a URL) and return a response.

Is it safe to post whatever the user puts in the text box to the server? Do I need to do any client-side validation of the user's text?

I disagree with the above posts that server side is a double check or a secondary measure. Server side validation is the only measure. Client-side validation can be bypassed. JavaScript can be disabled.

I think of client-side validation as more helpful for the user. It prevents having to POST for simple malformed data errors and provides instant feedback to the user on mistakes.

For security though, server-side validation is all you can rely on.

Also see: JavaScript: client-side vs. server-side validation
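
Server-side validation of the submitted URL, as an added example that is not part of the original question or answers. It assumes a Node.js back end (the question does not say what the server runs), an http/https-only policy and a 2048-character limit; `validateSubmittedUrl` and `handleCreate` are hypothetical names.

```javascript
// Added example: server-side check for the "text" field posted to /create/.
// Assumptions: Node.js, http/https-only policy, 2048-character limit.
const MAX_URL_LENGTH = 2048;
const ALLOWED_PROTOCOLS = new Set(["http:", "https:"]);

function validateSubmittedUrl(text) {
  // A crafted request can send an array, an object or nothing at all.
  if (typeof text !== "string") {
    return { ok: false, error: "text must be a string" };
  }
  const trimmed = text.trim();
  if (trimmed.length === 0 || trimmed.length > MAX_URL_LENGTH) {
    return { ok: false, error: "text is empty or too long" };
  }
  let parsed;
  try {
    parsed = new URL(trimmed); // throws on anything that is not an absolute URL
  } catch (err) {
    return { ok: false, error: "text is not a valid absolute URL" };
  }
  // Allowlist the scheme: javascript:, data:, file: and similar all parse fine.
  if (!ALLOWED_PROTOCOLS.has(parsed.protocol)) {
    return { ok: false, error: "only http and https URLs are accepted" };
  }
  // Reject user:password@host forms, which can disguise the real host.
  if (parsed.username !== "" || parsed.password !== "") {
    return { ok: false, error: "URLs with embedded credentials are rejected" };
  }
  return { ok: true, url: parsed.href }; // normalized form to store or use
}

// Hypothetical handler body for POST /create/; "body" is the parsed form data.
function handleCreate(body) {
  const result = validateSubmittedUrl(body ? body.text : undefined);
  return result.ok
    ? { status: 201, json: { url: result.url } }
    : { status: 400, json: { error: result.error } };
}

// Constructed inputs: one normal submission, three that skip the browser form.
const samples = [
  { text: "https://example.com/page?x=1" },
  { text: "javascript:alert(1)" },
  { text: ["https://example.com"] },
  {},
];
for (const body of samples) {
  console.log(JSON.stringify(body), "->", JSON.stringify(handleCreate(body)));
}
```

The handler gives the same answer whether or not the browser ran any checks first, so client-side validation can be added or removed purely for user feedback.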

It depends on what the content is and how you want to validate it. I would always validate first on the client and validate on the server as a secondary measure if JavaScript is turned off.

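As a general rule of thumb (at least where security is concerned), you should not trust any user, so I think it is wise to validate the data on the client side (which is also faster) and then, if it passes that first validation, validate it on the server side as a "double check" (a safety net in case the user has JavaScript turned off, which you don't see very often).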
