Add a guide on input validation#44287
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
…ut-validation-guide * origin/input-validation-guide: Update files/en-us/web/security/defenses/input_validation/index.md
Users typically provide input using {{htmlelement("input")}} elements in a {{htmlelement("form")}} element on the site's front end, and the input is typically sent to the server as the body of a {{httpmethod("POST")}} request, or as URL parameters appended to a {{httpmethod("GET")}} request. However, input might also arrive on the server via other means, such as cookie values or additional HTTP headers.

If the input provided by the user doesn't have the form or content that the server expects — for example, if they enter an invalid email address — this can cause the site to malfunction. Catching problems like this as early as possible improves the user's experience.
Feels quite server centric. But I do think it is important to highlight both cases of what is effectively catching user error vs malicious usage.
"server"->"site" change is made in 8290e28, which I agree is better, but otherwise I'm not sure what this comment is asking for.
What I was saying is that this is about server validation, but there is also validation on the client. Most of that client side validation is really about catching mistakes in user input, while the server testing exists primarily to catch malicious use.
Anyway, it's a bit of a ramble - wasn't really asking for anything except perhaps thinking "this is all about validation, but the client side stuff isn't being mentioned at all". Might be a very reasonable approach.
But we do talk about client-side validation, a lot, notably in "when to validate" and the whole section on client-side validation. This preamble doesn't really talk about validation at all, on client or server; it's mostly concerned with where input comes from, how it gets into the server, and how bad input can cause problems.
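As an added example (not part of the MDN guide or of this PR) of the point the discussion turns on, the following Node-style code applies one and the same email check to every channel the draft lists: the POST body, the query string, a cookie value and an extra HTTP header. The browser may already have rejected obvious typos, but the server repeats the check because it cannot know whether the request came from the site's own form. The request object, the field name `email` and the `x-user-email` header are constructed for the illustration, not taken from the guide.

```javascript
// Added example: server-side validation of an "email" field regardless of how
// it reached the server. The request shape below is an assumption for this
// illustration; real frameworks expose body, query and headers differently.

// Conservative well-formedness check: one "@", non-empty local and domain
// parts, a dot in the domain, no whitespace or "@" anywhere else.
const EMAIL_PATTERN = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
// ASCII control characters, including CR and LF, never belong in an address.
const CONTROL_CHARS = /[\u0000-\u001f\u007f]/;
const MAX_EMAIL_LENGTH = 254;

// Validate one value. Returns a list of problems; an empty list means valid.
function validateEmail(value) {
  if (typeof value !== "string") return ["email must be a string"];
  if (value.length === 0) return ["email is required"];
  const errors = [];
  if (value.length > MAX_EMAIL_LENGTH) errors.push("email is too long");
  if (CONTROL_CHARS.test(value)) errors.push("email contains control characters");
  if (!EMAIL_PATTERN.test(value)) errors.push("email is not well-formed");
  return errors;
}

// Minimal Cookie header parser ("name=value; name2=value2"). Malformed
// percent-encoding is kept verbatim rather than crashing the request.
function parseCookies(cookieHeader) {
  const cookies = {};
  for (const pair of (cookieHeader || "").split(";")) {
    const idx = pair.indexOf("=");
    if (idx === -1) continue;
    const name = pair.slice(0, idx).trim();
    const raw = pair.slice(idx + 1).trim();
    if (!name) continue;
    try {
      cookies[name] = decodeURIComponent(raw);
    } catch {
      cookies[name] = raw;
    }
  }
  return cookies;
}

// Collect every "email" value the request carries, tagged with its source,
// in the order body, query string, cookie, header.
function collectEmailInputs(req) {
  const found = [];
  if (req.body && typeof req.body.email === "string") {
    found.push({ source: "body", value: req.body.email });
  }
  const query = new URLSearchParams(req.query || "");
  if (query.has("email")) {
    found.push({ source: "query", value: query.get("email") });
  }
  const cookies = parseCookies(req.headers && req.headers.cookie);
  if (Object.prototype.hasOwnProperty.call(cookies, "email")) {
    found.push({ source: "cookie", value: cookies.email });
  }
  if (req.headers && typeof req.headers["x-user-email"] === "string") {
    found.push({ source: "header", value: req.headers["x-user-email"] });
  }
  return found;
}

// Validate each occurrence with the same rules; the server does not assume
// that client-side validation already ran.
function checkRequest(req) {
  return collectEmailInputs(req).map(({ source, value }) => ({
    source,
    value,
    errors: validateEmail(value),
  }));
}

// Constructed sample request: a well-formed body and query value, a junk
// cookie value, and a header value carrying a CR/LF pair.
const sampleRequest = {
  method: "POST",
  query: "email=alice%40example.com",
  headers: {
    cookie: "session=abc123; email=not-an-email",
    "x-user-email": "bob@example.com\r\nX-Injected: 1",
  },
  body: { email: "carol@example.com" },
};

console.log(JSON.stringify(checkRequest(sampleRequest), null, 2));
```

Running the block reports the body and query values as valid, the cookie value as not well-formed, and the header value as both containing control characters and not well-formed. Which source a site should honour is an application decision; the point here is only that no source is exempt from the check.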
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Hamish Willee <hamishwillee@gmail.com>
14c09c1 to 8202d32
@wbamberg It's good structurally and clear. You may find my current suggestions helpful, but I wouldn't block on them - so this is approved but not merged.
Co-authored-by: Hamish Willee <hamishwillee@gmail.com>
Co-authored-by: Hamish Willee <hamishwillee@gmail.com>
Adds a new guide page on input validation.