Welcome to the Treehouse Community

Want to collaborate on code errors? Have bugs you need feedback on? Looking for an extra set of eyes on your latest project? Get support with fellow developers, designers, and programmers of all backgrounds and skill levels here with the Treehouse Community! While you're at it, check out some resources Treehouse students have shared here.

Looking to learn something new?

Treehouse offers a seven day free trial for new students. Get access to thousands of hours of content and join thousands of Treehouse students and alumni in the community today.

Start your free trial

JavaScript jQuery Basics (2014) Creating a Password Confirmation Form Perfect

Boaz Keren Gil
Boaz Keren Gil
18,947 Points

Best practice regarding security in jQuery

Hey, Regarding this video, I'm wondering if this is the best way to determine when to enable or disable the submit button. If a person who doesn't have JS enabled press the submit he can just continue forward. Therefore maybe it's good for UX, but there must be some PHP behind to check the inputs on the next page before showing it or else it's useless against any kind of hacking.

Right?

Thanks, Boaz

2 Answers

Sean T. Unwin
Sean T. Unwin
28,690 Points

That's correct. Typically, there would be some kind of checks on the server-side to determine if the form that is submitted is empty, and if not then sanitize the inputted data from the form. If the form that was submitted had empty required fields then the server would probably redirect to the page with the form (the page the user just came from).

It is good practice to attempt to catch any submission requirements in JavaScript before anything is sent to the server. This is good for UX because the pages aren't being refreshed (AJAX not being considered here) as often so the user has a more fluid experience because of reduced latency from client->server communication.

However, as you mentioned, if the user has JavaScript turned off then there needs to be a plan in place on the server to redirect the request if the request has not been fulfilled. The server should always be sanitizing any data sent to it from a form for security.

Redundancy is pretty key here. e.g. Attempt to catch errors in JavaScript before data is sent from client to server. Yet, also check the data once it's been sent to the server as well because the server should never assume that JavaScript is enabled.

Boaz Keren Gil
Boaz Keren Gil
18,947 Points

Thanks for the detailed answer. Made a lot of sense.