Forum OpenACS Development: ad_form - Validate as you type using AJAX

Hi,

I've added inline AJAX form validation to ad_form.

I was influenced by this article: Inline Validation in Web Forms.

The documentation is here.

Please try out my Test Form and report any bugs.

You can download the source here, which includes a patch to packages/acs-tcl/tcl/form-processing-procs.tcl, the full file, a new form template, and the test form scripts.

Enjoy!
Ryan

Posted by Nathan Lunt on
Nice work, Ryan. It looks like it should "just work" with existing forms. Am I right?
Posted by Ryan Gallimore on
Yes, absolutely. Just add the new flags mentioned in the API Doc, use the new template, and install the ajaxhelper package.
Posted by Dave Bauer on
Can this be used to access code/database queries without permissions checks? Since the universal url has to be readable by the public in case unregistered users can submit some form, if a validation did a database query lookup it could expose some data or at least the existence of the data, if not the data itself.

Maybe doing a permission check on the ad_conn url based on the key would be good. I am trying to think if there is a more secure way to manage the key. Probably an sha1 hash of the key and a server secret could not hurt. This way the url of the key could not be edited.

Overall I like the idea. It piggybacks on the server side validation specification which is the right thing to do.

Sometime in the future I'd like to deprecate ajaxhelper, and have a standard JS library based on Yahoo UI, but since I haven't written that yet, I certainly can't complain. It looks like this will gracefully degrade if you don't have javascript enabled; it just does the after submit validation.
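
Added example, not part of the thread and not code from Ryan's patch: a Python sketch of the two checks suggested in the post above, a key signed with a server secret and a permission check on the page URL before any validator runs. All names (`sign_key`, `verify_key`, `handle_validation`, `may_read`, `SERVER_SECRET`) are hypothetical, and HMAC-SHA1 is used here in place of a plain sha1 over key and secret.

```python
import hashlib
import hmac

# Constructed secret for the example; a real server loads its own from protected config.
SERVER_SECRET = b"example-only-secret"


def _mac(form_key: str, page_url: str) -> str:
    # Length-prefix each field so ("ab", "c") and ("a", "bc") cannot collide.
    msg = b"".join(
        len(p).to_bytes(4, "big") + p
        for p in (form_key.encode(), page_url.encode())
    )
    return hmac.new(SERVER_SECRET, msg, hashlib.sha1).hexdigest()


def sign_key(form_key: str, page_url: str) -> str:
    """Token embedded in the form: the key plus a MAC bound to the page URL."""
    return f"{form_key}.{_mac(form_key, page_url)}"


def verify_key(token: str, page_url: str):
    """Return the form key if the token is untampered for this URL, else None."""
    form_key, sep, mac = token.rpartition(".")
    if not sep or not form_key:
        return None
    expected = _mac(form_key, page_url)
    # compare_digest avoids leaking the match position through timing.
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return None
    return form_key


def handle_validation(token, page_url, user_id, may_read, validators, value):
    """Run a validator only for a signed key and a user allowed on the page."""
    form_key = verify_key(token, page_url)
    if form_key is None:
        return (403, "bad key")
    if not may_read(user_id, page_url):  # may_read: hypothetical permission callback
        return (403, "no permission")
    check = validators.get(form_key)
    if check is None:
        return (404, "unknown key")
    return (200, check(value))
```

Binding the MAC to the page URL means a token copied from a public form is rejected when replayed against a different URL, and the permission check still applies to tokens that verify.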

Posted by Ryan Gallimore on
Thank you, Dave, for the security insight. I'll add that to my code. I'd also like to add maxlength checking like on form submit.
Posted by Ryan Gallimore on
I've released a new version of the AJAX validator for ad_form - with a permission check as recommended by Dave Bauer, and maxlength validation.

Please see the documentation for more information.

You can try it out here.

Please post any bugs or suggestions.

-Ryan