Validators use JavaScript when it is available, but keep in mind that
users can disable JavaScript. To make sure this does not prevent the
Validators from validating the submitted data, validation is performed
server-side as well. Why bother to create the code in both places, you
ask? Well, because when JavaScript is enabled, the server-side validation
will not be executed until the data is valid (except in the case of a
CustomValidator). This means fewer trips between the client and server. As
for your question as to whether you still need to validate user input at
the server side, the answer is the boring "It depends". What does it
depend on? Well, it depends on what you are validating and what validators
you have. The key questions to ask yourself are:

1. What do I know about the input I am receiving now that it has passed
the test of my validators?
2. What requirements do I need the input to meet in order to be valid?
3. Do I know for sure that the input meets these requirements?
4. What, if any, extra validation do I need to do to the input in order to
be sure it meets these requirements?

Normally, the answer to #4 will be performed in a CustomValidator so that
the error message can be displayed in a friendlier manner if the user
needs to see it and so that you can determine whether the data is valid by
using the Page.IsValid property. As far as the part about attackers, well,
I'm not an expert in that area, so all I can say is validate all input as
strictly as possible (without making the page unattractive to users, of
course), make sure the error message tells the user what is wrong with
their input, and, of course, use all the network safety features on your
network, because an attacker can't run their custom script if they can't
get to your network. Hopefully this information is helpful, and for more
details, you might want to post to one of the security or network
newsgroups. Good Luck!
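
The pattern described in the reply above, a CustomValidator checked on the server plus a click handler that tests Page.IsValid, as an added C# example that is not part of the original post. The page name, control IDs and the 1-to-100 quantity rule are hypothetical; the markup the code-behind assumes is shown in its leading comment.

```csharp
using System;
using System.Globalization;
using System.Web.UI;
using System.Web.UI.WebControls;

// Code-behind for a hypothetical Order.aspx (all IDs are assumptions) with:
//   <asp:TextBox id="QuantityBox" runat="server" />
//   <asp:CustomValidator id="QuantityValidator" runat="server"
//       ControlToValidate="QuantityBox"
//       OnServerValidate="QuantityValidator_ServerValidate"
//       ErrorMessage="Quantity must be a whole number from 1 to 100." />
//   <asp:Button id="SubmitButton" runat="server" Text="Order"
//       OnClick="SubmitButton_Click" />
//   <asp:Label id="ResultLabel" runat="server" />
public class OrderPage : Page
{
    protected TextBox QuantityBox;
    protected Label ResultLabel;

    // Strict rule (constructed for this example): digits only, 1 to 100.
    private static bool TryParseQuantity(string text, out int quantity)
    {
        return int.TryParse(text, NumberStyles.None,
                            CultureInfo.InvariantCulture, out quantity)
               && quantity >= 1 && quantity <= 100;
    }

    // Runs on the server during postback; the result feeds Page.IsValid.
    protected void QuantityValidator_ServerValidate(object source,
                                                    ServerValidateEventArgs args)
    {
        int ignored;
        args.IsValid = TryParseQuantity(args.Value, out ignored);
    }

    protected void SubmitButton_Click(object sender, EventArgs e)
    {
        // The click handler still runs when a validator failed, so check first.
        if (!Page.IsValid)
            return;

        // A CustomValidator skips empty input by default, so parse again here
        // instead of assuming the validator saw a value.
        int quantity;
        if (!TryParseQuantity(QuantityBox.Text, out quantity))
            return;

        ResultLabel.Text = "Ordered " + quantity.ToString(CultureInfo.InvariantCulture);
    }
}
```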