[RCD] bug report for 0.7.1

A.L.E.C alec at alec.pl
Thu Aug 23 09:44:38 CEST 2012

On 08/23/2012 09:39 AM, Sébastien BLAISOT wrote:
> also, I think that email address validation should not be done by
> javascript alone as it is client side and you can not rely on client
> (javascript can be disable, altered, bypassed or whatever) resulting in
> not validatied addresses sent to php server-side part of the application.

But you know, Roundcube uses javascript very extensively. So,
disabled/altered/bypased or whatever would break Roundcube functionality
at all, not only address validation ;)

> Don't know how it is in roundcube, but I think that mail address
> validation can take place client-side in javascript for better user
> experience but should also be done server-side in php, ensuring outgoing
> mail from roundcube are at least syntaxically correct (and limiting XSS
> vulnerability risks).

And that's how it's implemented in Roundcube ;)

Aleksander 'A.L.E.C' Machniak
LAN Management System Developer [http://lms.org.pl]
Roundcube Webmail Developer  [http://roundcube.net]
PGP: 19359DC1 @@ GG: 2275252 @@ WWW: http://alec.pl

More information about the dev mailing list