What only relying on JavaScript for HTML form input validation looks like

"enter Phone number"
"numbers not allowed"

Finally I have something to rant about.

Your move, human...

Never trust the user with input...

Javascript Input validation

Worst legacy experience...

Called in by a client who had had a pen test on their website and it showed up many, many security holes. I was tasked with coming in and implementing the required fixes.

Site turned out to be Classic ASP built on an MS Access database. Due to the nature of the client, everything had to be done on their premises (kind of ironic but there you go). So I'm on-site trying to get access to code and server. My contact was *never* at her desk to approve anything. IT staff "worked" 11am to 3pm on a long day. The code itself was shite beyond belief.

The site was full of forms with no input validation, origin validation and no SQL injection checks. Sensitive data stored in plain text in cookies. Technical errors displayed on certain pages revealing site structure and even DB table names. Server configured to allow directory listing in file stores so that the public could see/access whatever they liked without any permission or authentication checks. I swear this was written by the child of some staff member. No company would have had the balls to charge for this.

Took me about 8 weeks to make and deploy the changes to client's satisfaction. Could have done it in 2 with some support from the actual people I was suppose to be helping!! But it was their money (well, my money as they were government funded!).

I was taking an introductory programming course. One assignment was to do a little payroll program, including some data validation. The program was supposed to accept terminal input and send output back to either the console or a printer.

Suddenly the printer began spewing out paper like crazy. One of the students (a particularly mouthy woman) had programmed a less-than-helpful error message ("YOU ARE WRONG") and then not provided any exit from the error-checking logic -- the program just re-read the last (failing) input and re-tested it. All in all, it was a very nice infinite loop.

After spitting through about fifty pages of "YOU ARE WRONG," somebody cut power to the printer, and the instructor had to flush the print queue manually. He went back to the student and asked if she had tested the program by sending the output to the console before trying to print it, and she said, yes, she had tested it on the console and ended up with a screen full of "YOU ARE WRONG" messages. Why, then, had she sent her output to the printer? "I thought I would be daring!"

Root gets ignored.

I've been working on this monster ticket for a week and a half now (five days plus other tickets). It involves removing all foreign keys from mass assignment (create, update, save, ...), which breaks 1780 specs.

For those of you who don't know, this is part of how rails works. If you create a Page object, you specify the book_id of its parent Book so they're linked. (If you don't, they're orphans.) Example: `Page.create(text: params[:text], book_id: params[:book_id], ...)` or more simply: `Page.create(params)`

Obviously removing the ability to do this is problematic. The "solution" is to create the object without the book_id, save it, then set the book_id and save it again. Two roundtrips. bad.

I came up with a solution early last week that, while it doesn't resolve the security warnings, it does fix the actual security issue: whitelisting what params users are allowed to send, and validating them. (StrongParams + validation). I had a 1:1 with my boss today about this ticket, and I told him about that solution. He sort of hand-waved it away and said it wouldn't work because <lots of unrelated things>. huh.

He worked through a failed spec to see what the ticket was about, and eventually (20 minutes later) ran into the same issues Idid, and said "there's no way around this" (meaning what security wants won't actually help).

I remembered that Ruby has a `taint` state tracking, and realized I could use that to write a super elegant drop-in solution: some Rack middleware or a StrongParams monkeypatch to mark all foreign keys from user-input as tainted (so devs can validate and un-taint them), and also monkeypatch ACtiveRecord's create/save/update/etc. to raise an exception when seeing tainted data. I brought this up, and he searched for it. we discovered someone had already build this (not surprising), but also that Ruby2.7 deprecates the `taint` mechanism literally "because nobody uses it." joy. Boss also somehow thought I came up with it because I saw the other person's implementation, despite us searching for it because I brought it up? 🤨

Foregoing that, we looked up more possibilities, and he saw the whitelist+validation pattern quite a few more times, which he quickly dimissed as bad, and eventually decided that we "need to noodle on it for awhile" and come up with something else.

Shortly (seriously 3-5 minutes) after the call, he said that the StrongParams (whitelist) plus validation makes the most sense and is the approach we should use.

ffs.
I came up with that last week and he said no.
I brought it up multiple times during our call and he said it was bad or simply talked over me. He saw lots of examples in the wild and said it was bad. I came up with a better, more elegant solution, and he credited someone else. then he decided after the call that the StrongParams idea he came up with (?!) was better.

jfc i'm getting pissy again.

Rather than singling out one person, I wanna present what I see as incompetent/stupid/ignorant:
- no will to learn
- failure to follow the very specific instructions & later asking for help when they FUBR sth & not even knowing what they did to fuck up in the first place
- asking how to solve stuff, then ignoring the suggestions & doing sth totally against recommendations
- failure to remember most basic stuff, especially if not writing it down to look at later when needed
- failure to check logs & 'google' stuff before asking why something isn't working the way they want it
- after two weeks, asking me how feature xy works, mind you they coded it, not me
- asking me why they did something in a specific way - WTF, am I a mind reader?! Who designed that crap?! Me or you?!!
- being passive/aggressive & snarky when told to do something or being asked why isn't it done already
- not testing their shit properly
- not making backups when upgrading (production) servers
- not checking the input value, no validation.. even after many many debacles on production with null ref exceptions
- failure to admit they fucked up
- not learning from (their) mistakes

Recently started at a new job. Things were going fine, getting along with everyone, everything seems good and running smoothly, a few odd things here and there but for the most part fine.

Then I decided to take a look at our (public facing) website... What's this? Outdated plugins from 2013? Okay, that's an easy fix I guess? All of these are free and the way we're using them wouldn't require a lot of refactoring...

Apparently not. Apparently, we can't even update them ourselves, we have to request that an external company does it (which we pay, by the way, SHITELOADS of money to). A week goes past, and we finally get a response.

No, we won't update it, you'll have to pay for it. Doesn't matter that there's a CVE list a bloody mile long and straight up no input validation in several areas, doesn't matter that tens of thousands of users are at risk, pay us or it stays broken. Boggles the fuckin' mind.

I dug into it a bit more than I probably should have (didn't break no laws though I'm not a complete dumbass, I just work for em) and it turns out it's not just us getting fucked over, it's literally EVERYONE using their service which is the vast majority of people within the industry in my country. It also turns out that the entirety of our region is running off a single bloody IP which if you do a quick search on shodan for, you guessed it, also has a CVE list pop up a fuckin' mile long. Don't get me started on password security (there is none). I hate this, there's fucking nothing I can do and everyone else is just fine sitting on their hands because "nobody would target us because we're not a bank!!", as if it bloody matters and as if peoples names, addresses, phone numbers and assuming someone got into our actual database, which wouldn't be a fuckin' stretch of the imagination let me tell you, far more personal details, that these aren't enticing to anyone.

What would you do in my situation?
What can I even do?
I don't want to piss anyone senior off but honestly, I'm thinkin' they might deserve it. I mean yeah there's nothing we can do but at least make a fuss 'cause they ain't gunna listen to my green ass.

We (as new hires) had to add a fallback logic for input validation on every input element using only JSP and Spring controllers just because the client still uses IE6 and fucking disables Javascript!!

I might be fucked up, but I have a tendency to gravitate towards the shit that everyone else dislikes for the sake of knowing if their bias against is actually because shit is truly fucked up or if shit is legit plain WRONG.

From all technologies that I have worked with professionally I can count:

Java(currently in the form of old JSP services for an "enterprise level application")

Java for Android development - i was the lead engineer for a mobile project

Swift with IOS dev, same gig as the above.

C++ for Android development in the form of OpenCV with Java as well.

Javascript in all possible forms, basic input validation, ajax services, jquery datatables, jquery animations and builders.

Css/sass heavily

Clojure for an ldap active directory application

Python for glue scripts

Classic ASP with JScript and VBScript

VB Net forms

C# For ASP.NET MVC

Bootstrap for multiple intranet frontends

Node+Express for a logistics warehouse management tool

Ruby on Rails freelancing small gigs

Php in all ways possible from complete standalone php apps to Laravel and just php+composer apps aaaaall the way to wordpress

Django consulting

I have found that the one that I dislike the most is wordpress. And the one that I like working with the most is Node. Don't know why, i just do really fucking like messing around with Javascript, the language has changed a fuckload throughout the years and continues to increase and change. It was my first scripting language following a stint in me trying to learn cpp way when i was starting and royally FAILING

Never really got the hate for it, even when I used JScript with classic ASP i just enjoy working with Javascript a lil too much. And from all the above mentioned stacks safe from Php is the one, or one of the ones in which i don't royally suck :V

Woke up this morning to a fucking giant snowstorm and my first reaction was 'fml' , poured some coffee , lit a smoke and started checking my work mail 'Issue xxxx response : Not solvable '...what the...I go through the files on my phone , look at what that issue was : lack of proper validation , filtering and encoding of input thus enabling xss . Not solvable my ass ...simply adding literally 3 more characters to that fucking retarded filter would stop all the bypasses . This issue is a showstopper for their project and that is what they answer ?
Sorry to indians out here but some of your colleagues are as stupid and unimaginative as they can possibly ever come .

I coded the app so good
I optimized the UX SO GOOD
I made the UI look GOOD
I made the error handling and input validation ROCK HARD SOLID BULLETPROOF

NO FUCKING WAY COULD YOU FUCK THIS UP

NO WAY COULD YOU BE DUMB ENOUGH NOT TO KNOW HOW TO USE IT AND NOT FUCK IT UP

I GAVE IT TO MY DAD AS A NORMAL USER TO TEST THE APP AND HE FUCKED IT UP ON THE FIRST TRY

HE DIDNT UNDERSTAND THE UX.

.

Putty remote executuon vulnerability(no patch yet)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to unspecified input validation error when processing data, received from SSH server. A remote attacker can trick the victim to connect to a specially crafted SSH server and execute arbitrary code on the target system with privileges of the current user.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.

'17:15' < '09:45' === false
'5:15pm' < '9:45am' === true

I either need a language with a stronger type system, or coworkers who understand that comparing raw time input in validation is a bad idea 😡

I just created a free Spotify account using the email spotify@spotify.com. The leisurely breeze that is the input validation team's work at Spotify.

About to punch Android studio in the face! My SYNTAX IS CORRECT!!!! 😡😡😡😡

Only because i write validation for your input does not mean you can shut down your brain.

Looking for a second opinion/validation.

*Me: “Perhaps this simple and concise way to ensure the user doesn’t lose their data before they leave the page that requires non-zero yet minimal input from the user. (Read: ya gotta push a save/submit button)”

*Everyone else: Let’s pretend to read the user’s mind and perform relatively complicated functions behind the scenes, of which the user will most likely be unaware, that will add an undetermined amount of complexity to the development because we think it’s “where things are going,” by saving the value of a certain HTML element as it loses focus.

Edit: this is an exclusively-internally used app.

Not adding input validation to that one page that time.

I knew my users were bad. I knew they'd fuck up. But I trusted the spec I trusted them.

Never again.

!rant
We were finishing another sprint of our grocery shop site at school and it was time for a demo.
There we are, showing our work before the other students. Our teams have a healthy habit of always checking each other not to leave some stoopid mistakes in the final versions, so everybody always regExes and validates THE SHIT out of every input field, both in the view and on the server side. But this one team found out that sometimes it's not enough.

Like every team, they're asked to buy a negative value from their shop. The guy clicks through the process, buys exactly -1 of a banana. He clicks the button to purchase and the site returned "Added banana to the cart!" and we're like "haha n00bz". But someone asked them to show the cart and everyone stopped immediately.

There were 9999 bananas in the cart.

Turns out the member responsible for purchase validation made it add 10000 if the quantity of a bought product was negative.
To this day I can't understand why he did that. xD

What the hell is wrong with the browser on iOS....
For Christ sakes almost no input attributes work. I have a Sign Up feature that validates passwords with a pattern attribute; doesn't work, required attribute; doesn't work, input type number; doesn't work.
What the fuck is wrong with this thing. Even Internet Explorer knows what those attributes means. Absolute joke now i need to implement it manually. Fuck off apple.

Amount of text you need to read to do something the framework way.
At the end it turns out you can’t do it cause nobody thought about it and it’s just another piece of crap for doing simple things. You start digging inside framework code and see that something is wrong. You see copyright Google and you wonder if they have phd for selling their ass on street. Why the fuck you override the validation flag to true every time ?
Then you start invoking couple of methods and one of them works and stops that madness but you don’t know why but you proceed further so you can glue shits together to stop the ship sinking.
At the end after you’ve tried all the “simple” examples that works cause they’re stupid and you need something special you start to think if this framework is so unique and special cause it covers 90% of things, left you with hands full of crap ?
At the end after wasting whole day to change the border color of the input using couple of separate controls the framework way and when you succeeded you ask yourself really ?
One fucking event emit and couple of listeners with style change ? Damn you frameworks with your bidirectional easy fast doing shit.
Another day in paradise.

Just saw an article on facebook about client side form validation with js.
It had just one example:
<code>
function checkInput()//called with onClick on send button
username = document.getElentByID("username");
password = document.getElentByID("password");

if(username == ""){
alert("Username cannot be empty");
return;
}
if(password == ""){
alert("Password cannot be empty");
return;
}
this.form.send();
</code>
I recommended using <input [...] required="required">

The site it linked to had about 7 ads (I got redirected to "your phone has been infected" kibd of malware site twice) and a pop-up requireing you to sign up to their newsletter to see the article.

So here I am debugging a factory in an algorithm I didn't write in a library I didn't write all so I can jam an exception throw into the code to handle input validation.

I am being forced to use exception handling. To handle input validation.

What is my life? It wasn't supposed to be this way. I was supposed to work with smart people who do smart things. Why?

When you work on a project for months, the newly appointed tech lead says "we all (him, the boss and other colleagues not involved in this project) looked at your code and decided that it should be dropped and we are starting from scratch again....now I'm not against code review (which we never did) so I welcome the input but allow me to vent my frustrations about how this is being done. Also to have a review & verdict without me being present?

So I ask what was so wrong:
* You changed the database structure. Valid, I tried to make your db an actual db with relationships, so I added some foreign keys, delete fields that were never used, all because they told me to use an ORM.
* You used to much logic in setters, validation etc, valid again but this would be something we could look at and fix imho.
* You are passing classes in your constructor, valid I wanted to use DI to make unit testing possible. Ohh but I don't like unit testing so I don't see the point and it makes it to complicated was the response.

So not only was the project cancelled, the new iteration is being developed without me, I'm shunned from all meetings. Ohh and from what I see they are now using 5 tables instead of 25 and completely started the db model from scratch...