Forum OpenACS Development: ad_form - Validate as you type using AJAX

Collapse
1: ad_form - Validate as you type using AJAX
Posted by Ryan Gallimore on 11/22/09 05:46 PM
Hi,

I've added inline AJAX form validation to ad_form.

I was influenced by this article: Inline Validation in Web Forms.

The documentation is here.

Please try out my Test Form and report any bugs.

You can download the source here which includes a patch to packages/acs-tcl/tcl/form-processing-procs.tcl, the full file, a new form template, and the test form scripts.

Enjoy!
Ryan

Collapse
2: Re: ad_form - Validate as you type using AJAX (response to 1)
Posted by Nathan Lunt on 11/22/09 07:48 PM
Nice work, Ryan. It looks like it should "just work" with existing forms. Am I right?
Collapse
3: Re: ad_form - Validate as you type using AJAX (response to 2)
Posted by Ryan Gallimore on 11/22/09 07:51 PM
Yes, absolutely. Just add the new flags mentioned in API Doc, use the new template, and install the ajaxhelper package.
Collapse
4: Re: ad_form - Validate as you type using AJAX (response to 1)
Posted by Dave Bauer on 11/23/09 02:21 AM
Can this be used to access code/database queries without permissions checks? Since the universal url has to be readble but the public in case unregistered users can submit some form, if a validation did a database query lookup it could expose some data or at least the existance of the data, if not the data itself.

Maybe doing a permission check on the ad_conn url based on the key would be good. I am trying to think if there is a more secure way to manage the key. Probably an sha1 hash with of the key and a server secret could not hurt. This way the url of the key could not be edited.

Overall i like the idea. It piggybacks on the server side validation specification which is the right thing to do.

Sometime in the future i'd like to deprecate ajaxhelper, and have a standard JS library based on Yahoo UI, but since I haven't written that yet, I certainly can't complain. It looks like this will gracefully degrade if you don't have javascript enabled it just does the after submit validation.

Collapse
5: Re: ad_form - Validate as you type using AJAX (response to 4)
Posted by Ryan Gallimore on 11/23/09 05:28 PM
Thank you, Dave, for the security insight. I'll add that to my code. I'd also like to add maxlength checking like on form submit.
Collapse
6: Re: ad_form - Validate as you type using AJAX (response to 4)
Posted by Ryan Gallimore on 11/26/09 09:00 PM
I've released a new version of the AJAX validator for ad_form - with a permission check as recommended by Dave Bauer, and maxlength validation.

Please see the documentation for more information.

You can try it out here.

Please post any bugs or suggestions.

-Ryan