Sunday, March 18, 2012

Client JavaScript is NOT a security mechanism

I am coming to the conclusion that hiding things behind client-side JavaScript to keep them "secure" or safe is not a good idea if you actually want to keep them safe. That code runs in the visitor's browser, and the visitor controls the browser, so whatever it hides or checks can simply be skipped. Seriously folks, "No Script": have you heard of it?

I will try to learn more and write it up. If you have a site, please don't rely on this to keep your content safe. Anyone with a browser and some know-how can poke at it, and most likely will.

-Paul

1 comment:

  1. JavaScript input validation is basically a security hole for bad and newbie developers. They put so much effort and testing into the code that they forget it is just for the convenience of honest users. All that effort is entirely wasted when they then think that the messages coming out are trusted.

    JavaScript is the rope you get to hang yourself with if you think it replaces solid server-side input validation!

    This is also why I am compelled to craft some inputs whenever I'm faced with robust client side validation. Gotta check it out.

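To make both points concrete (the post's "masking" content behind client-side script, and the commenter's point that client-side validation is no substitute for server-side validation), here is an added example. It is not code from the original post or the comment; every name in it (PAGE_SOURCE, recoverHiddenContent, validateClient, handleRequest) is hypothetical, and the sample page and request bodies are constructed. It runs under Node.js with no dependencies.

```javascript
// Added example, not code from the original post or its commenter.
// Two things client-side JavaScript cannot do: hide content, and validate input.
// Every name below (PAGE_SOURCE, recoverHiddenContent, validateClient,
// handleRequest) is hypothetical, and the sample page and requests are constructed.

// 1. "Masking" content behind a client-side password check.
// The browser has already downloaded the secret; the script only toggles display.
const PAGE_SOURCE = `<script>
function unlock() {
  if (document.getElementById('pw').value === 'letmein') {
    document.getElementById('secret').style.display = 'block';
  }
}
</script>
<div id="secret" style="display:none">Members only: report-2012.pdf</div>`;

// What anyone with "view source", NoScript, or curl sees: no password needed.
function recoverHiddenContent(html) {
  const m = html.match(/<div id="secret"[^>]*>([^<]*)<\/div>/);
  return m ? m[1] : null;
}

// 2. Client-side validation versus server-side validation.
const USERNAME_RE = /^[a-z0-9_]{3,16}$/;

// Runs in the browser before submit. Convenience for honest users only:
// an attacker sends the request without ever executing this function.
function validateClient(form) {
  const errors = [];
  if (!USERNAME_RE.test(String(form.username))) errors.push('username');
  const qty = Number(form.quantity);
  if (!Number.isInteger(qty) || qty < 1 || qty > 10) errors.push('quantity');
  return errors;
}

// Runs on the server. With trustClient=true it models the mistake the comment
// describes: believing the request was already validated. Otherwise it
// re-checks every field against an allow-list, ignoring what the client did.
function handleRequest(rawBody, opts = {}) {
  let data;
  try {
    data = JSON.parse(rawBody);
  } catch (e) {
    return { ok: false, status: 400, reason: 'malformed JSON' };
  }
  if (opts.trustClient === true) {
    // Vulnerable: passes attacker-controlled values straight through.
    return { ok: true, order: { username: data.username, quantity: data.quantity } };
  }
  if (typeof data.username !== 'string' || !USERNAME_RE.test(data.username)) {
    return { ok: false, status: 400, reason: 'invalid username' };
  }
  if (!Number.isInteger(data.quantity) || data.quantity < 1 || data.quantity > 10) {
    return { ok: false, status: 400, reason: 'invalid quantity' };
  }
  return { ok: true, order: { username: data.username, quantity: data.quantity } };
}

// Constructed requests. The honest one went through validateClient; the crafted
// one was built by hand (curl, DevTools, an intercepting proxy) and skipped it.
const honestForm = { username: 'paul', quantity: 2 };
const craftedBody = JSON.stringify({ username: "admin' OR '1'='1", quantity: -5 });

function demo() {
  return {
    hiddenContent: recoverHiddenContent(PAGE_SOURCE),
    clientErrors: validateClient(honestForm),            // [] for the honest user
    trusting: handleRequest(craftedBody, { trustClient: true }),
    hardened: handleRequest(craftedBody),
    hardenedHonest: handleRequest(JSON.stringify(honestForm)),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The "trusting" result shows the crafted username and negative quantity accepted as an order, because the server assumed the browser had already checked them; the "hardened" result rejects the same body with a 400 without caring whether any client code ran. The server-side checks are allow-lists on type and shape, which is the only validation an attacker cannot opt out of.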