On 08/23/2012 09:39 AM, Sébastien BLAISOT wrote:
Also, I think that email address validation should not be done by JavaScript alone, as it is client side and you cannot rely on the client (JavaScript can be disabled, altered, bypassed or whatever), resulting in non-validated addresses being sent to the PHP server-side part of the application.
But you know, Roundcube uses JavaScript very extensively. So, disabled/altered/bypassed or whatever would break Roundcube functionality altogether, not only address validation ;)
Don't know how it is in Roundcube, but I think that mail address validation can take place client-side in JavaScript for better user experience but should also be done server-side in PHP, ensuring outgoing mail from Roundcube is at least syntactically correct (and limiting XSS vulnerability risks).
And that's how it's implemented in Roundcube ;)
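
The server-side half of the check discussed in this thread, as an added example that is not part of the original messages and is not Roundcube's code. The function names `validate_recipients` and `render_rejected` and the sample input are hypothetical; the sketch assumes a comma-separated list of bare addresses with no display names.

```php
<?php
declare(strict_types=1);

// Added example: hypothetical helpers, not taken from Roundcube.

/**
 * Re-validate a recipient string on the server, whatever the browser did.
 * Returns [accepted addresses, rejected raw entries].
 */
function validate_recipients(string $raw): array
{
    $accepted = [];
    $rejected = [];
    foreach (explode(',', $raw) as $entry) {
        $entry = trim($entry);
        if ($entry === '') {
            continue;
        }
        // Embedded CR, LF or NUL could smuggle extra headers into the message.
        if (preg_match('/[\r\n\x00]/', $entry) === 1) {
            $rejected[] = $entry;
            continue;
        }
        // Syntax check with PHP's built-in validator.
        if (filter_var($entry, FILTER_VALIDATE_EMAIL) === false) {
            $rejected[] = $entry;
            continue;
        }
        $accepted[] = $entry;
    }
    return [$accepted, $rejected];
}

/** Echo rejected entries back as HTML, escaped so markup in them stays inert. */
function render_rejected(array $rejected): string
{
    $items = array_map(
        fn(string $e): string =>
            '<li>' . htmlspecialchars($e, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</li>',
        $rejected
    );
    return '<ul>' . implode('', $items) . '</ul>';
}

// Constructed sample input, as if posted with client-side validation skipped.
$posted = 'alice@example.org, bob@example, <b>carol</b>@example.org';
[$ok, $bad] = validate_recipients($posted);
print_r($ok);
echo render_rejected($bad), PHP_EOL;
```

Only the accepted list is handed on to the mail-sending code; rejected entries are shown to the user solely through the escaping function.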