Presentation on HTML5 Data Validation Techniques (Input Types, Constraints) for the UC Davis 2011 IT Security Symposium. Accompanying demo code at https://github.com/srkirkland/ITSecuritySymposium
2. Hi! I’m Scott Kirkland Slinging code @ UCDavis for 8 years Currently Sr. Application Architect for the College Of Agricultural and Environmental Sciences Dean’s Office Open source coder https://github.com/srkirkland MvcHtml5, Data Annotations Extensions, ITSecuritySymposium https://github.com/ucdavis UCDArch, Web Applications Co-founded the local .NET User Group
9. Input Validation in Web Forms Ensure user supplied data is Strongly typed Correct syntax Within length boundaries Contains only permitted characters Or that numbers are correctly signed and within range boundaries Is “business rule correct”
10. Client Side Validation Validate data on the client first Provides better feedback to the end user Makes your site feel more responsive Always validate on server-side as well!
11. JavaScript Validation “Current” solution, useful & widely supported (Probably about 95%) Any JavaScript errors and validation disappears Fairly difficult to implement, though libraries help[3]
12. JavaScript Validation: Email Is this a good email regex? [A-Z0-9._%+-]+@[A-Z0-9.-]+[A-Z]{2,4} Yes, except when it isn’t Non-english, some TLDs not covered, no special chars How about this (RFC 2822)? (?:[a-z0-9!#$%&'*+/=?^_`{|}~-]+(?:[a-z0-9!#$%&'*+/=?^_`{|}~-]+)*|"(?:[01-080b0c0e-1f2123-5b5d-7f]|[01-090b0c0e-7f])*")@(?:(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)+[a-z0-9](?:[a-z0-9-]*[a-z0-9])?|(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?|[a-z0-9-]*[a-z0-9]:(?:[01-080b0c0e-1f21-5a53-7f]|[01-090b0c0e-7f])+)) Allows some crazy stuff, like scott=k@domain.com
19. HTML5 Input Types So, that was pretty cool Simply changing input types can add basic validation Benefits go beyond validation Additive only – no drawbacks
25. Of course, this only works in HTML5 capable browsers Older browsers will ignore these new attributes With JavaScript you can “Polyfill” for “regressive” enhancement
27. Polyfill A polyfill, or polyfiller, is a piece of code (or plugin) that provides the technology that you, the developer, expect the browser to provide natively Generally, you test the browser for a feature. If it is not present natively, use JavaScript to add the feature
28. Develop for tomorrow… today! Great library called Modernizr http://www.modernizr.com/ Helps with feature detection & media queries Allows older browsers to work with Html5 elements Much more
31. Use the new input types They may do data validation for you Make your users happy (iOS & more) They will keep getting better Native experience
32. Constraint Validation Useful for “first line of defense” or backup You should continue to use JavaScript for client validation
33. Recap: Validating Web Forms Makes the experience better for your users Results in better, more reliable data First line of defense against a plethora of vulnerabilities
34.
35. Thanks for listening I’m Scott Kirkland Email: srkirkland@ucdavis.edu Web: http://weblogs.asp.net/srkirkland/ GitHub: Personal: https://github.com/srkirkland/ UCDavis: https://github.com/ucdavis/ Slides and demo: https://github.com/srkirkland/ITSecuritySymposium
Notas del editor
Scott Kirkland has been writing web applications at UC Davis for eight years, currently in his capacity as Senior Application Architect for the College of Agricultural and Environmental Sciences Dean's Office. Scott has also created and released several open-source projects including the architectural framework UCDArch (https://github.com/ucdavis/UCDArch) for developing secure ASP.NET MVC applications at UC Davis, as well as DataAnnotationsExtensions (http://dataannotationsextensions.org) for extending client and server validation in .NET applications. Scott enjoys educating other developers and co-founded the UC Davis .NET User Group and recently led a three day workshop about ASP.NET MVC for several dozen UC Davis developers.
The most common web application security weakness is the failure to properly validate input from the client or environment. This weakness leads to almost all of the major vulnerabilities in applications, such as Interpreter Injection, locale/Unicode attacks, file system attacks and buffer overflows. Data from the client should never be trusted for the client has every possibility to tamper with the data.
“Current” because it isn’t really going to go anywhere, but it is “all we have”Most frameworks don’t come with much in the way of help, and when they do its complex and they contain lots of messy JavaScript.
May not want to use this slide…
Html5 to the rescue?
Type=“text” but what kind of text? HTML5 goes further
Search – assistive technologies like screen reader
Type=“text” but what kind of text? HTML5 goes further
<input type='text' /> Show output, looks like regular text box<input type='email' /> Show output, looks the same, but show how iphone and opera treat it differently. Also, type='email' validates email!Same thing with url <input type='url' />Same with number <input type='number' /> Even can do min/max with number
You could style them independently, different sizes for email, etc
Also tel you get the keypad, number you get a special input tooScreenshots from http://diveintohtml5.org/forms.html
Also tel you get the keypad, number you get a special input tooScreenshots from http://diveintohtml5.org/forms.html
http://miketaylr.com/code/input-type-attr.htmlShow in FF, Chrome, Explorer (nothing breaks with explorer, completely additive)