On Oct 25, 2012, at 9:20 AM, Gary McGath wrote:
> On 10/25/12 7:37 AM, Joe Hourcle wrote:
>
>> You didn't answer the question -- why would you not have some sort of
>> check on the AJAX application (or any application, web or otherwise)
>> to do at least minimal sanity checking on the result of an external
>> call?
>
> Because putting the onus of sanity checking on the web page isn't the
> best solution in this case. Of course, it should be set up to handle
> unexpected results sensibly in any case.
I view it like using JavaScript for form validation -- don't trust it,
and still re-do the validation in the backend.
If the costs to check tainted inputs are minimal, *do* *it*. Even
when the back-end is well designed, there are enough other things
out there that are outside your control.
... like when IE decided to start re-writing 404 and other status
pages unless they happened to be at least 1k ... so even when we *were*
giving informative messages about what was going on, links to report
the problem, etc ... it never made it back to the user.
(and yes, I know, I've officially hit old fogey status by complaining
about changes that IE made more than 10 years ago ... I'm also not a
fan of the <br> tag ... one of the worst mistakes of HTML+)
But for more recent situations ... mobile browsers w/ spotty reception.
Man-in-the-middle attacks ... deep-packet filtering (the firewall
doesn't like some phrase used in the response, so replaces the content
with a 'blocked' message) ... they may not be common, but they *do*
happen.
-Joe
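As an added illustration (not code from anyone in this thread), here is the kind of minimal client-side sanity check Joe is arguing for: before a page trusts the result of an external call, it confirms the HTTP status, the Content-Type, that the body parses, and that the parsed object has the expected shape. The endpoint name, the expected schema, and the sample responses are all assumptions constructed for the example; the three failure samples correspond to the cases the thread mentions (a rewritten error page, a filter that swaps in a "blocked" page, and a body cut off by a bad connection).

```javascript
// Added example, not part of the original thread. Minimal sanity checks a
// browser-side client can apply to the result of an external call before
// using it. This complements, and does not replace, validation in the backend.

// Expected field types for a hypothetical /api/status endpoint (assumption).
const EXPECTED_SCHEMA = {
  ok: 'boolean',
  message: 'string',
};

// Classify a response. `status` is the HTTP status code, `contentType` the
// Content-Type header value (possibly null), `body` the raw response text.
function checkResponse(status, contentType, body) {
  if (status < 200 || status >= 300) {
    // Covers real errors and error pages rewritten by a browser or proxy.
    return { kind: 'http_error', status };
  }
  const ct = (contentType || '').toLowerCase();
  if (!ct.startsWith('application/json')) {
    // A 200 carrying text/html is typical of a filtering proxy or captive
    // portal that replaced the real response with a "blocked" page.
    return { kind: 'wrong_content_type', contentType: contentType || '' };
  }
  let data;
  try {
    data = JSON.parse(body);
  } catch (err) {
    // Truncated or corrupted body, e.g. the connection dropped mid-transfer.
    return { kind: 'malformed_json' };
  }
  if (data === null || typeof data !== 'object' || Array.isArray(data)) {
    return { kind: 'schema_violation', field: '(root)' };
  }
  for (const [field, type] of Object.entries(EXPECTED_SCHEMA)) {
    if (typeof data[field] !== type) {
      return { kind: 'schema_violation', field };
    }
  }
  return { kind: 'ok', data };
}

// fetch() wrapper that applies the checks; intended to be called from page code.
async function fetchChecked(url) {
  const res = await fetch(url, { headers: { Accept: 'application/json' } });
  const body = await res.text();
  return checkResponse(res.status, res.headers.get('content-type'), body);
}

// Constructed sample responses standing in for what a page might receive.
const SAMPLES = {
  good: [200, 'application/json; charset=utf-8', '{"ok":true,"message":"all fine"}'],
  filtered: [200, 'text/html', '<html><body>Blocked by policy</body></html>'],
  rewritten404: [404, 'text/html', '<html><body>Not found</body></html>'],
  truncated: [200, 'application/json', '{"ok":true,"mess'],
  wrongShape: [200, 'application/json', '{"ok":"yes","message":"x"}'],
};

// Run every sample through the checker and report the outcome kind for each.
function classifySamples() {
  const out = {};
  for (const [name, args] of Object.entries(SAMPLES)) {
    out[name] = checkResponse(...args).kind;
  }
  return out;
}

console.log(classifySamples());
```

The page code would switch on `kind` and fall back to a generic "could not load" notice for anything but `ok`, rather than rendering whatever text came back. The schema check is deliberately shallow (top-level field types only); the point is to keep obviously wrong content out of the DOM cheaply, not to reimplement server-side validation in the browser.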