Validator Controls

Howard

Since validator controls use client-side JavaScript to validate the input,
do I still need to validate user input at the server side?
What if an attacker writes a custom script that doesn't require the use of
an internet browser? Will he be able to skip the ASP.NET validator controls?

Thanks,
Howard
 
Nathan Sokalski

Validators use JavaScript when it is available, but keep in mind that users
can disable JavaScript. To make sure this does not prevent the Validators
from validating the submitted data, validation is performed server-side as
well. Why bother to create the code in both places, you ask? Well, because
when JavaScript is enabled, the server-side validation will not be executed
until the data is valid (except in the case of a CustomValidator). This
means fewer trips between the client and server. As for your question as to
whether you still need to validate user input at the server side, the answer
is the boring "It depends". What does it depend on? Well, it depends on what
you are validating and what validators you have. The key questions to ask
yourself are:

1. What do I know about the input I am receiving now that it has passed the
test of my validators?
2. What requirements do I need the input to meet in order to be valid?
3. Do I know for sure that the input meets these requirements?
4. What, if any, extra validation do I need to do to the input in order to
be sure it meets these requirements?

Normally, the answer to #4 will be performed in a CustomValidator so that
the error message can be displayed in a friendlier manner if the user needs
to see it and so that you can determine whether the data is valid by using
the Page.IsValid property. As far as the part about attackers, well, I'm not
an expert in that area, so all I can say is validate all input as strictly
as possible (without making the page unattractive to users, of course), make
sure the error message tells the user what is wrong with their input, and,
of course, use all the network safety features on your network, because an
attacker can't run their custom script if they can't get to your network.
Hopefully this information is helpful, and for more details, you might want
to post to one of the security or network newsgroups. Good Luck!
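
Added example (not part of the original thread): a minimal C# code-behind showing a CustomValidator's server-side handler and the Page.IsValid check that stops the submit handler from acting on input when a request reaches the server without the client-side script having run. The page name Order.aspx, the control IDs and the 1 to 100 range are hypothetical.

```csharp
using System;
using System.Web.UI;
using System.Web.UI.WebControls;

// Code-behind for a hypothetical Order.aspx whose markup declares:
//   <asp:TextBox ID="QuantityTextBox" runat="server" />
//   <asp:CustomValidator ID="QuantityValidator" runat="server"
//        ControlToValidate="QuantityTextBox" ValidateEmptyText="true"
//        OnServerValidate="QuantityValidator_ServerValidate"
//        ErrorMessage="Quantity must be a whole number from 1 to 100." />
//   <asp:Button ID="SubmitButton" runat="server" Text="Order"
//        OnClick="SubmitButton_Click" />
//   <asp:Label ID="ResultLabel" runat="server" />
public partial class Order : Page
{
    // Runs on the server whenever the postback triggers validation,
    // whether or not any client-side script ran first.
    protected void QuantityValidator_ServerValidate(object source,
                                                    ServerValidateEventArgs args)
    {
        int quantity;
        args.IsValid = int.TryParse(args.Value, out quantity)
                       && quantity >= 1 && quantity <= 100;
    }

    protected void SubmitButton_Click(object sender, EventArgs e)
    {
        // The validators have already run by the time this handler fires,
        // but a failed validator does not stop the handler from executing.
        // The handler has to check the result itself before using the input.
        if (!Page.IsValid)
        {
            return; // the validators render their ErrorMessage in the response
        }

        // Parse the posted value on the server; nothing the browser did
        // is relied on here.
        int quantity = int.Parse(QuantityTextBox.Text);
        ResultLabel.Text = "Ordered " + quantity + " item(s).";
    }
}
```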
 
Howard

Thanks.
This is very helpful

Nathan Sokalski said:
Validators use JavaScript when it is available, but keep in mind that
users can disable JavaScript. To make sure this does not prevent the
Validators from validating the submitted data, validation is performed
server-side as well. Why bother to create the code in both places, you
ask? Well, because when JavaScript is enabled, the server-side validation
will not be executed until the data is valid (except in the case of a
CustomValidator). This means fewer trips between the client and server. As
for your question as to whether you still need to validate user input at
the server side, the answer is the boring "It depends". What does it
depend on? Well, it depends on what you are validating and what validators
you have. The key questions to ask yourself are:

1. What do I know about the input I am receiving now that it has passed
the test of my validators?
2. What requirements do I need the input to meet in order to be valid?
3. Do I know for sure that the input meets these requirements?
4. What, if any, extra validation do I need to do to the input in order to
be sure it meets these requirements?

Normally, the answer to #4 will be performed in a CustomValidator so that
the error message can be displayed in a friendlier manner if the user
needs to see it and so that you can determine whether the data is valid by
using the Page.IsValid property. As far as the part about attackers, well,
I'm not an expert in that area, so all I can say is validate all input as
strictly as possible (without making the page unattractive to users, of
course), make sure the error message tells the user what is wrong with
their input, and, of course, use all the network safety features on your
network, because an attacker can't run their custom script if they can't
get to your network. Hopefully this information is helpful, and for more
details, you might want to post to one of the security or network
newsgroups. Good Luck!
 
