can html validation using attributes required, pattern etc be bypassed

2178 views html
5

I am using html attributes like required, pattern, min, max, maxlength etc on my form inputs (no JS validation here) and also codeignitor validation in the back-end for for these same rules.

My question: I want to know if and how, this sort of 'html validation' can be beaten. if beatable, does it have any benefit other than being a good UX practice?

EDIT:

"beatable" in the context I am referring to means "can you get around the required attribute by being sneaky?"

answered question

What do you mean "beaten"?

bypassed in an attack, like JS can be 'beaten'.

Yes, of course it can - anyone can inspect the page and all the attributes. Is that what you meant?

i know you can inspect the source . i meant if an attacker can bypass these html constraints such as required or pattern and submit illegal values.

Yes, of course they can - you can delete the attribute and then submit it

got it. so i should have these constraints in php as fallback. you can post an answer, i'll accept. i'm fairly new to this. can you do this by just editing source in inspector? if not,can you give a link about how to "delete the attribute and then submit it"

I'll edit my post

1 Answer

4

This sort of validation is most certainly beatable. You see, with the following code on a form:

<input type="text" required placeholder="Enter your name" />

Then anyone can open up the Inspect menu, delete required, and then submit the form. The way to fix this is to:

  1. Use PHP code to validate your forms, and check the values that way

  2. Or use obfuscated JavaScript code (see my post here, in particular the section about JSF**K).

Either way, this kind of validation is beatable, and even the UX isn't very good as you can't style the error messages.

posted this

Have an answer?

JD

Please login first before posting an answer.