Tampering with the client-side validation result

Let's consider the scenario, where we have a nefarious (and clever) user who knows how to short circuit our client-side validation logic. It's JavaScript after all, and it's running in the web browser. There's really nothing to stop a malicious user from throwing our client-side validation logic to the wind. To simulate such a tampering event, we simply need to assign the Boolean value of true to the clientSideValidationResult variable in the contact.go source file like so:

func handleContactButtonClickEvent(env *common.Env, event dom.Event, contactForm *forms.ContactForm) {

  event.PreventDefault()
  clientSideValidationResult := contactForm.Validate()

  clientSideValidationResult = true

  if clientSideValidationResult == true {

    contactFormErrorsChannel := make(chan map[string]string)
    go ContactFormSubmissionRequest(contactFormErrorsChannel, contactForm)

    go func() {

      serverContactFormErrors := <-contactFormErrorsChannel
      serverSideValidationResult := len(serverContactFormErrors) == 0

      if serverSideValidationResult == true {
        env.TemplateSet.Render("contact_confirmation_content", &isokit.RenderParams{Data: nil, Disposition: isokit.PlacementReplaceInnerContents, Element: env.PrimaryContent})
      } else {
        contactForm.SetErrors(serverContactFormErrors)
        contactForm.DisplayErrors()
      }

    }()

  } else {
    contactForm.DisplayErrors()
  }
}

At this point, we have bypassed the real result of the client-side validation, and we are forcing the client-side web application to always green light the contact form validation performed on the client-side. If we were solely performing form validation on the client-side, this would put us in a very bad situation. This is exactly the reason why, we need the second round of validation on the server-side.

Let's open up the web browser and partially fill out the form again, as shown in Figure 7.24:

Figure 7.24: Even after disabling the client-side form validation, the server-side form validation prevents the improperly filled out contact form from being submitted

Note that this time, when the Contact button is clicked, the XHR call is initiated to the Rest API endpoint on the server-side, which returns map of errors in the contact form, as shown in Figure 7.25:

Figure 7.25: The errors map from the server response is populated with an error indicating that the value entered in the email address field has an improper syntax

The second round of validation, performed on the server-side, has kicked in, and it prevented the malicious user from being able to reach home plate and score a run. If the client-side validation is unable to properly function, that incomplete or incorrectly formatted form field will be caught by the server-side validation. This is a major reason, why you should always implement server-side form validation for your web forms.

..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.
Reset
18.188.178.181