I'm still debating whether I want to do this or not, but what I'm considering is preventing users from entering hyperlinks into an HTML form in my app. This is to avoid spammy links from showing up for other users of the app, since the app is based on user-generated content.

This is a Rails app, so I could do some backend validations on the model after the form is submitted by the user.

But I was wondering whether it might be preferable to perform the check in jQuery/JavaScript before any submission takes place. This way the user could be notified immediately without any backend processing.

Which would be preferable here - client-side or server-side validation?

+1  A: 

You should use both: use the jQuery validation plugin on the client, and whatever method is appropriate on the back-end (I don't know ROR).

An ajaxy validation solution could perform server-side validation while the client is inputting information, and provide feedback/prevent submission accordingly.

Hope that helps.

karim79
+1  A: 

Both............

harpo
+5  A: 

You only have control over data when it arrives at your server. If you use JavaScript to try to strip out spam, then spammers are just going to turn JavaScript off.

Build a server side solution.

Once you have that, think about duplicating the work client side to make things nicer for users.

David Dorward
Indeed, the spammer wouldn't even see the JavaScript because they would probably be submitting automated POSTs.
hopeless
+2  A: 

Use both.

Client-side validation lowers stress on the server when the client has JavaScript turned on.

Server-side is your last line of defense which should be there for the case the user has JavaScript turned off.

Developer Art
+2  A: 

You say:

"so I could do some backend validations on the model after the form is submitted by the user."

No! You must do validations on the backend!

JavaScript can be disabled, form posting can be forged; so you always need to develop validations / filtering / whatever security measure you want on the backend/server.

Only then, you can eventually add some JS thing, so your application is more user-friendly.

Pascal MARTIN
A: 

Spammers often use some kind of script that analyses the form and builds form data and posts on its own, so client script is totally useless against most spamming.

Guffa
A: 

JavaScript validation is great as a way to hold the hands of non-malicious users. "The passwords you entered don't match", "looks like an invalid e-mail address, please double-check", etc.

The downside of JavaScript is that there is no way to verify that it ran, nor that it ran as intended. A malicious user, or one with a glitchy browser plugin, or one with an overzealous firewall/content blocker, a spambot without JavaScript, a user with NoScript enabled, or any number of other situations can result in your validation never being triggered.

As such, your server should always validate data if validation is necessary. JavaScript can be a first line of defence, but it can never be the final one.

ceejayoz
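
The server-side check the answers above recommend, sketched as an added example that is not from any of the posters: plain Ruby with no Rails dependency, where `LinkCheck`, `Post`, the rule names and the short TLD list are all assumptions made for illustration. In a Rails app the same logic would be called from a model validation.

```ruby
# Added example: server-side hyperlink rejection in plain Ruby.
module LinkCheck
  # Illustrative rules, not an exhaustive spam filter. The TLD list in
  # :bare_domain is an assumption, kept short so that ordinary text such as
  # "file.txt" or "version 2.0" is not flagged.
  RULES = {
    scheme:      %r{\b[a-z][a-z0-9+.\-]*://}i,              # http://, ftp://, ...
    www:         /\bwww\.[a-z0-9\-]+\.[a-z]{2,}/i,           # www.example.com
    html_anchor: /<\s*a\b[^>]*\bhref\s*=/i,                  # <a href=...>
    bbcode:      /\[url[=\]]/i,                              # [url] or [url=...]
    bare_domain: /\b(?:[a-z0-9\-]+\.)+(?:com|net|org|info|biz)\b/i
  }.freeze

  # Returns the names of every rule the submitted text trips.
  def self.violations(text)
    RULES.select { |_name, pattern| text.to_s.match?(pattern) }.keys
  end
end

# Hypothetical stand-in for a Rails model. The check runs on whatever the
# request carried, whether or not any client-side script ever executed.
Post = Struct.new(:body) do
  def errors
    hits = LinkCheck.violations(body)
    hits.empty? ? [] : ["body must not contain links (matched: #{hits.join(', ')})"]
  end

  def valid?
    errors.empty?
  end
end

# Constructed sample submissions, as they would arrive in a POST body.
SAMPLE_SUBMISSIONS = [
  "Nice article, thanks for sharing.",
  "Version 2.0 of file.txt is out",
  "Buy now at http://spam.example/x",
  "visit www.example.com today",
  '<a href="https://example.org">click</a>',
  "[url=example.net]hi[/url]"
].freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLE_SUBMISSIONS.each do |body|
    post = Post.new(body)
    puts "#{post.valid? ? 'ACCEPT' : 'REJECT'}  #{body.inspect}  #{post.errors.first}"
  end
end
```

A client-side version of the same rules can be layered on for faster feedback, but the accept/reject decision is the one made here.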