Posted to user@commons.apache.org by Eric Giguere <er...@videotron.ca> on 2005/01/12 20:06:53 UTC

[commons-validator] Problems with Javascript mask validation..plz Help!

Hi all
I have a problem with the commons-validator 1.1.3 javascript
implementation for validating masks.
I tried to validate user name and password on a form.

For testing purposes, I've set both fields with the same regexp in the 
validation.xml file:
^[a-zA-Z_0-9][a-zA-Z_0-9!^$&amp;%]{5,14}$
The username gets validated ok but not the password. Is it possible? Does
the fact that the control shows **** as data (password field) break the
validation?

thx a lot
Eric.


---------------------------------------------------------------------
To unsubscribe, e-mail: commons-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: commons-user-help@jakarta.apache.org


Re: [commons-validator] Problems with Javascript mask validation..plz Help!

Posted by Eric Giguere <er...@videotron.ca>.
Hi guys.
Very good point.
So, with all this, I guess there is now no way to define validation 
rules for a form but disabling the javascript side only for a single 
field (like the password in this case).
Like Niall said, there is no way the engine could know that the 
Javascript should not be rendered for a particular field, unless it is
specified in the XML. Any update planned in this area?

Thx for the help.
Really appreciate it.

Eric.


Niall Pemberton wrote:

>That sounds fine in theory, but I can't see how we could actually implement
>that in reality. When the validation javascript is being rendered there is
>no knowledge of whether the associated form field is a "password" type or
>not and just having the actual validators ignoring password fields isn't
>"shipping with secure best practice" if all the rules (min/max lengths,
>regular expressions etc) are still rendered in the javascript.
>
>Niall


Re: [commons-validator] Problems with Javascript mask validation..plz Help!

Posted by Niall Pemberton <ni...@blueyonder.co.uk>.
That sounds fine in theory, but I can't see how we could actually implement
that in reality. When the validation javascript is being rendered there is
no knowledge of whether the associated form field is a "password" type or
not and just having the actual validators ignoring password fields isn't
"shipping with secure best practice" if all the rules (min/max lengths,
regular expressions etc) are still rendered in the javascript.

Niall

----- Original Message ----- 
From: "David Graham" <gr...@yahoo.com>
To: "Jakarta Commons Users List" <co...@jakarta.apache.org>
Sent: Thursday, January 13, 2005 8:35 PM
Subject: Re: [commons-validator] Problems with Javascript mask
validation..plz Help!


> Even though you tell the user the password rules they still shouldn't be
> able to see the details of how you're validating the password.  I believe
> validator should ship with the secure best practices implemented by
> default and make the user enable/disable as they want.
>
> David


Re: [commons-validator] Problems with Javascript mask validation..plz Help!

Posted by David Graham <gr...@yahoo.com>.
Even though you tell the user the password rules they still shouldn't be
able to see the details of how you're validating the password.  I believe
validator should ship with the secure best practices implemented by
default and make the user enable/disable as they want.

David

--- Niall Pemberton <ni...@blueyonder.co.uk> wrote:

> Even though the current javascript mask validator ignores password fields
> the validation algorithm is still revealed since (in Struts) the javascript
> to call that validator with the appropriate regexp is still generated.
>
> I also think that we shouldn't restrict what validation can be specified
> since what's a "good idea" to do (or not do) depends on the situation:
>
> 1) For "logon forms" I agree as little information as possible should be
> given and I would recommend that only two validation checks are made - a) a
> password must be entered (i.e. required) and b) the password entered must
> match that stored against the user.
>
> 2) For creating/changing a password it's a different matter, since if there
> are rules such as minimum/maximum lengths or a particular regexp validation
> algorithm - then the user needs to be told what the rules are if they enter
> an invalid password and I don't see a problem with having javascript
> validations for this.
>
> IMO we should remove any restrictions on password validations and just
> provide some "best practice" advice.
>
> Niall


Re: [commons-validator] Problems with Javascript mask validation..plz Help!

Posted by Niall Pemberton <ni...@blueyonder.co.uk>.
Even though the current javascript mask validator ignores password fields
the validation algorithm is still revealed since (in Struts) the javascript
to call that validator with the appropriate regexp is still generated.

I also think that we shouldn't restrict what validation can be specified
since what's a "good idea" to do (or not do) depends on the situation:

1) For "logon forms" I agree as little information as possible should be
given and I would recommend that only two validation checks are made - a) a
password must be entered (i.e. required) and b) the password entered must
match that stored against the user.

2) For creating/changing a password it's a different matter, since if there
are rules such as minimum/maximum lengths or a particular regexp validation
algorithm - then the user needs to be told what the rules are if they enter
an invalid password and I don't see a problem with having javascript
validations for this.

IMO we should remove any restrictions on password validations and just
provide some "best practice" advice.

Niall

----- Original Message ----- 
From: "David Graham" <gr...@yahoo.com>
To: "Jakarta Commons Users List" <co...@jakarta.apache.org>
Sent: Wednesday, January 12, 2005 8:56 PM
Subject: Re: [commons-validator] Problems with Javascript mask
validation..plz Help!


> Revealing detailed validation algorithms for passwords on the client is a
> security issue so validator does not allow it by default.  Also, you
> should be able to replace [a-zA-Z_0-9] with \w.
>
> David


Re: [commons-validator] Problems with Javascript mask validation..plz Help!

Posted by Eric Giguere <er...@videotron.ca>.
thx a lot guys :)
Eric.

David Graham wrote:

>Revealing detailed validation algorithms for passwords on the client is a
>security issue so validator does not allow it by default.  Also, you
>should be able to replace [a-zA-Z_0-9] with \w.
>
>David


Re: [commons-validator] Problems with Javascript mask validation..plz Help!

Posted by David Graham <gr...@yahoo.com>.
Revealing detailed validation algorithms for passwords on the client is a
security issue so validator does not allow it by default.  Also, you
should be able to replace [a-zA-Z_0-9] with \w.

David

--- Matt Bathje <mp...@ntsource.com> wrote:

> Eric Giguere wrote:
> > Hi all
> > I have a problem with the commons-validator 1.1.3 javascript
> > implementation for validating masks.
> > I tried to validate user name and password on a form.
> >
> > For testing purposes, I've set both fields with the same regexp in the
> > validation.xml file:
> > ^[a-zA-Z_0-9][a-zA-Z_0-9!^$&amp;%]{5,14}$
> > The username gets validated ok but not the password. Is it possible? Does
> > the fact that the control shows **** as data (password field) break the
> > validation?
>
> The javascript side of the mask validation only works on fields with
> type hidden, text, textarea or file.
>
> Matt


Re: [commons-validator] Problems with Javascript mask validation..plz Help!

Posted by Matt Bathje <mp...@ntsource.com>.
Eric Giguere wrote:
> Hi all
> I have a problem with the commons-validator 1.1.3 javascript
> implementation for validating masks.
> I tried to validate user name and password on a form.
>
> For testing purposes, I've set both fields with the same regexp in the
> validation.xml file:
> ^[a-zA-Z_0-9][a-zA-Z_0-9!^$&amp;%]{5,14}$
> The username gets validated ok but not the password. Is it possible? Does
> the fact that the control shows **** as data (password field) break the
> validation?
> 


The javascript side of the mask validation only works on fields with 
type hidden, text, textarea or file.


Matt
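
The behaviour discussed in this thread, as an added example that is not part of any message and is not commons-validator's own code: a constructed JavaScript model in which the client-side mask check skips every field type outside the four Matt lists, while a server-side check applies the same mask to every submitted value. The function names, the sample form and the decoding of `&amp;` to `&` are assumptions made for the illustration.

```javascript
// Constructed model for illustration; names here are hypothetical and
// this is not the commons-validator source.

// Mask from the thread, with the XML escape &amp; decoded to &.
const MASK = /^[a-zA-Z_0-9][a-zA-Z_0-9!^$&%]{5,14}$/;

// Field types the client-side mask check handles, per Matt's reply.
const CLIENT_MASK_TYPES = new Set(["hidden", "text", "textarea", "file"]);

// Client side: any field whose type is not in the set is skipped, so a
// password field can never fail the mask in the browser.
function clientMaskCheck(fields) {
  const failures = [];
  for (const field of fields) {
    if (!CLIENT_MASK_TYPES.has(field.type)) continue; // password skipped here
    if (!MASK.test(field.value)) failures.push(field.name);
  }
  return failures;
}

// What reaches the server: name/value pairs only, the input type is gone.
function toParams(fields) {
  return Object.fromEntries(fields.map((f) => [f.name, f.value]));
}

// Server side: the mask is applied to every submitted value. This is the
// check that actually enforces the rule, whatever the browser did.
function serverMaskCheck(params) {
  return Object.keys(params).filter((name) => !MASK.test(params[name]));
}

// David's suggestion, checked for JavaScript's regex engine only:
// [a-zA-Z_0-9] and \w accept exactly the same UTF-16 code units.
function wordClassMatchesExplicitClass() {
  const explicit = /^[a-zA-Z_0-9]$/;
  const shorthand = /^\w$/;
  for (let code = 0; code < 0x10000; code++) {
    const ch = String.fromCharCode(code);
    if (explicit.test(ch) !== shorthand.test(ch)) return false;
  }
  return true;
}

// Constructed sample form: both values are too short for the mask.
const sampleForm = [
  { name: "username", type: "text", value: "ab" },
  { name: "password", type: "password", value: "ab" },
];

console.log("client rejects:", clientMaskCheck(sampleForm));
console.log("server rejects:", serverMaskCheck(toParams(sampleForm)));
console.log("\\w equivalent:", wordClassMatchesExplicitClass());
```

The client reports only `username`, which matches what Eric observed; the server-side pass reports both fields.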
