HP Security Products Blog
From applications to infrastructure, enterprises and governments alike face a constant barrage of digital attacks designed to steal data, cripple networks, damage brands, and perform a host of other malicious intents. HP Enterprise Security Products offers products and services that help organizations meet the security demands of a rapidly changing and more dangerous world. HP ESP enables businesses and institutions to take a proactive approach to security that integrates information correlation, deep application analysis and network-level defense mechanisms—unifying the components of a complete security program and reducing risk across your enterprise. In this blog, we will announce the latest offerings from HP ESP, discuss current trends in vulnerability research and technology, reveal new HP ESP security initiatives and promote our upcoming appearances and speaking engagements.

HTML 5 Form Tags a Risk?

I've tried to keep up with new HTML 5 features, but Billy recently pointed out that INPUT tags have the ability to set regular expression patterns for validation directly in the markup. I think this is nifty and, at least in the demo I tried, a very user-friendly and pretty way to inform the user they've put in a bad value. There are also special types for numbers, dates, times, urls, email addresses and more.


However, I think there's a significant risk that we'll see many developers implementing the 'pattern' (and possibly field types) in the markup as the only form of input sanitizing for their application. That may seem ridiculous in this day and age--but you know it's not. We still regularly see people relying on client-side filtering via maxlength attributes or in JavaScript.


This new restriction, with its fancy-pants regular expression, may well give people a false sense of security when it comes to tainted input. As fresh developers and technologies enter the arena, old problems will be slapped with a coat of paint and sold as new. So, when talking to your clients, developers and friends, remember to reinforce the mantra:

                Never rely on client-side security.


What do you think? Will the 'pattern' option and field types help or hinder actual application security?

Showing results for 
Search instead for 
Do you mean 
About the Author(s)
Top Kudoed Posts
HP Blog

HP Software Solutions Blog


Follow Us
The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation.