views: 16

answers: 1

I already posted a question closely related to this one. I watched the Mix10 video with P. Haacked and S. Hanselman.

I am building an AJAX-powered site whose input forms are created on the fly.

All the code to accomplish this is done within a script tag or a javascript file. For example the following DOM elements are created when the page loads and are wrapped into an existing div defined in a view:

$('#myform').append('<input type="text" id="Name" />'); // markup inside append() reconstructed from the description in this question; the original tags were lost in extraction
$('#myform').append('<input type="submit" value="Submit" />');

When I click the submit button I need to get the values of the input form whose id is 'Name': $("#Name").val() and then I return a Json object: { Name: name };

For this kind of scenario there is no way to use Html.Encode() or AntiXss.HtmlEncode() on the client-side. The only way to check if the input is not harmful is done on the server-side (via a service layer).

This seems to be a limitation. All is fine if and only if a view has a set of predefined inputs. When it is time to create them on the fly, the situation is different.

Have you thought of that situation guys?

Thanks for the attention you have put on this.

Roland, Brussels, Belgium

A: 

I'm not sure I fully understand your question, but must point out that client side checks for input harmfulness are worthless anyway - anyone wanting to submit a harmful input will just remove the safety checks. This is probably why there is no client side API to check for them.

As such, why bother with them client side, as you will have to re-perform them on the server side? About the only useful nature of the client side check is to warn a user, pre-submission, that they are accidentally including harmful code. Is this really something that happens regularly with your users?

Adam Wright
I understand your point of view better. I naively thought that Html.Encode() would be available for my purpose. My application is AJAX-powered and a strong safety check must be done on the server-side -- the only place to do it with a feeling of confidence. I can close the topic, thanks once again. R.

roland
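The two halves of the exchange above, as an added example that is not part of the question or the answer: the character replacement that Html.Encode() and AntiXss.HtmlEncode() perform is written out in plain JavaScript (an approximation of those methods, not their source), so the same output-encoding rule can be applied wherever untrusted data is written into markup the script builds on the fly, while validation of the submitted { Name: name } object stays on the server as the answer states. The field-length rule in serverHandle() is an assumed placeholder, not something the thread specifies.

```javascript
// Approximation of what Html.Encode()/AntiXss.HtmlEncode() do for text and
// attribute values: replace the five characters that let a value end the
// current text node or attribute and be parsed as markup.
function htmlEncode(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// The markup the question appends to #myform, here built from an initial
// value (for example a previously submitted name echoed back to the form).
// Encoding at the point where the value is written into the attribute is
// what keeps a value such as a"b from closing the attribute early.
function buildNameInput(initialValue) {
  return '<input type="text" id="Name" value="' + htmlEncode(initialValue) + '" />';
}

// What the submit handler sends: the JSON object { Name: name } from the question.
function buildPayload(nameFieldValue) {
  return { Name: nameFieldValue };
}

// Server-side handling as the answer describes it: anything checked in the
// browser is under the user's control, so the server validates the field
// itself and encodes it again before echoing it into any page.
// The 1-100 character rule is an assumed placeholder for a real policy.
function serverHandle(payload) {
  const name = typeof payload.Name === 'string' ? payload.Name.trim() : '';
  if (name.length === 0 || name.length > 100) {
    return { ok: false, error: 'Name must be 1-100 characters' };
  }
  return { ok: true, rendered: '<p>Hello, ' + htmlEncode(name) + '</p>' };
}
```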