HTML 5 Form Tags a Risk?

I've tried to keep up with new HTML 5 features, but Billy recently pointed out that INPUT tags have the ability to set regular expression patterns for validation directly in the markup. I think this is nifty and, at least in the demo I tried, a very user-friendly and pretty way to inform the user they've put in a bad value. There are also special types for numbers, dates, times, urls, email addresses and more.


However, I think there's a significant risk that we'll see many developers implementing the 'pattern' (and possibly field types) in the markup as the only form of input sanitizing for their application. That may seem ridiculous in this day and age--but you know it's not. We still regularly see people relying on client-side filtering via maxlength attributes or in JavaScript.


This new restriction, with its fancy-pants regular expression, may well give people a false sense of security when it comes to tainted input. As fresh developers and technologies enter the arena, old problems will be slapped with a coat of paint and sold as new. So, when talking to your clients, developers and friends, remember to reinforce the mantra:

                Never rely on client-side security.


What do you think? Will the 'pattern' option and field types help or hinder actual application security?

| ‎09-22-2009 03:33 AM

On the other hand, this makes it easier for frameworks, CMSs, and the like to implement their server side regular expressions on the client side _as well_, without the need for disperate JavaScript code blocks. Multi-field validation will still require JavaScript code blocks though.

Would help if the pattern attribute is taught/pushed as mandatory as it'll keep developers mindful of validation (and hopefully remind them to validate on the server side if they aren't already!).

Chris Sullo | ‎09-22-2009 03:06 PM

I think the usability of the feature isn't in doubt--I can't remember the number of web applications I've written, but I'm I've only done client side validation (for user-friendliness) on one or two of them.

This will make life easier for users (and maybe even developers), as long as the devs continue to perform proper server side validation.

And yes, not relying on JS is a huge win, IMO.

| ‎10-01-2009 08:26 AM

V3gbAY I want to say - thank you for this!

Leave a Comment

We encourage you to share your comments on this post. Comments are moderated and will be reviewed
and posted as promptly as possible during regular business hours

To ensure your comment is published, be sure to follow the Community Guidelines.

Be sure to enter a unique name. You can't reuse a name that's already in use.
Be sure to enter a unique email address. You can't reuse an email address that's already in use.
Type the characters you see in the picture above.Type the words you hear.
Showing results for 
Search instead for 
Do you mean 
About the Author

Follow Us
The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation.