A problem with vForm
As noted in this comment, vForm's verifyRules is broken. Actually, I now think it is broken as designed. I'll explain why.
The whole idea is to validate the validation rules on the webpage and compare them with the passed validation rules. The problem is that if you disable JavaScript and send an empty form, no rules are found, and thus verifyRules fails.
What is the solution? I don't really know right now; maybe not use rule verification? An idea I had earlier was to pass a hash of the rules together with the data. This is cumbersome, however, because at some point you have to calculate that hash. Also, nothing stops someone from copying the hash into a malicious form.
We could compare the referrer to a page we know holds the rules. But what happens if the referrer isn't set? Maybe we should fail then?
A third solution is to make it possible to validate the passed data against validation rules fetched from a given HTTP address. This would be safe, but it goes against the very nature and reason for vForm to exist.
Maybe the third option is the most reasonable. If it is provided, it is then up to the programmer how to use it. If the rules are kept in a local HTML format (i.e., no need to grab the file over a socket), things should speed up.
Well, what do you think is the best option?
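A sketch of the third option, added here as an illustration and not taken from vForm or from the original post: the server validates submitted data only against rules it holds itself, so an empty or rule-less submission is still checked. The rule format, the field names and the `rules` form field are assumptions made for this example.

```python
import re

# Hypothetical server-held rules (assumption: vForm's real rule format is
# not shown on the page, so this structure is invented for the example).
SERVER_RULES = {
    "email": {"required": True, "pattern": r"[^@\s]+@[^@\s]+\.[^@\s]+"},
    "age": {"required": False, "pattern": r"\d{1,3}"},
}


def validate(submitted, rules=SERVER_RULES):
    """Check submitted fields against server-held rules only.

    Returns {field: error}; an empty dict means the data is valid.
    Rules sent by the client are never consulted, and fields the server
    does not know are rejected, so a POST with no rules still gets checked.
    """
    errors = {}
    for name, rule in rules.items():
        value = (submitted.get(name) or "").strip()
        if not value:
            if rule["required"]:
                errors[name] = "required"
            continue
        if not re.fullmatch(rule["pattern"], value):
            errors[name] = "invalid format"
    for name in submitted:
        if name not in rules:
            errors[name] = "unexpected field"
    return errors


# Constructed sample submissions.
EMPTY_FORM = {}  # JavaScript disabled, nothing filled in, no rules sent
TAMPERED_FORM = {  # client ships its own permissive rules with the data
    "email": "not-an-email",
    "rules": '{"email": {"required": false}}',
}
VALID_FORM = {"email": "alice@example.org", "age": "34"}

if __name__ == "__main__":
    for label, form in [("empty", EMPTY_FORM), ("tampered", TAMPERED_FORM),
                        ("valid", VALID_FORM)]:
        print(label, validate(form))
```

Because the rules never leave the server, there is nothing for the client to omit or replace, which is the case that makes verifyRules fail on an empty form.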
