Validating ajax search

Is there a way to prevent users from entering an <img src=x onerror=alert(test)> script tag into the form? My current search page uses ajax to load the search results as the user types in the input field. I have looked into the sanitize function but am still not able to resolve it.

I have also installed the plugin: Prevent XSS Vulnerability
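The defence that actually matters for a search page is output encoding: whatever the user typed is rendered as text, never parsed as HTML. The following is an added example, not code from the question or from the plugin it mentions; `container` in the DOM variant is assumed to be the element the ajax handler updates.

```javascript
// Render ajax search results without letting user-controlled text be parsed as HTML.
// The string variant runs anywhere (Node included); the DOM variant is for the browser.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode the five characters that can change HTML context; everything else is inert.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Build the result list as an HTML string. Query and titles are escaped, so a probe
// such as <img src=x onerror=alert(test)> shows up as visible text, not as an element.
function renderResultsHtml(query, results) {
  const items = results.map((r) => `<li>${escapeHtml(r.title)}</li>`).join('');
  return `<p>Results for "${escapeHtml(query)}":</p><ul>${items}</ul>`;
}

// Browser variant: assign text with textContent and never build HTML from user data.
// `container` is assumed to be the element the ajax success handler writes into.
function renderResultsDom(container, query, results) {
  container.textContent = '';
  const heading = document.createElement('p');
  heading.textContent = `Results for "${query}":`;
  container.appendChild(heading);
  const list = document.createElement('ul');
  for (const r of results) {
    const li = document.createElement('li');
    li.textContent = r.title; // textContent, not innerHTML
    list.appendChild(li);
  }
  container.appendChild(list);
}

// Constructed sample input: the exact probe from the question.
const PROBE = '<img src=x onerror=alert(test)>';
```

A sanitizer is for the case where you deliberately allow a subset of HTML; for a search term there is no HTML to keep, so encoding on output (or textContent) is the simpler and safer choice, and it works regardless of what the user was able to type.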


Validating JWT in server-to-auth-server scenario

The main question here is: if you are using a backend server to authenticate a user with a third-party provider such as Auth0, do you need to validate the JWT received in this scenario?

I am looking at the example custom login from Auth0 here:

I see the token is received and the claim information parsed into a cookie, but it is never validated. Is this correct?

validating input widgets

[This may be a well-worn old question — apologies if so, but I have no idea how to search for it.]

First, the background. (This is not the question yet.) Suppose I’ve got a GUI with an input widget where the user can input a number. And suppose I am allowing the user to type on the keyboard; I’m not constraining things utterly with a prescribed selection list, or +/- buttons to merely adjust an existing value.

Among other things, I’ll probably want to validate the user’s input, to ensure it’s in the appropriate range. For example, perhaps the user is entering the desired speed for a motor, which is limited to the range 0 – 1500 RPM.

Now, there are sort of two general approaches to implementing the validation:

  1. Let the user type more or less anything, but after clicking OK, if the input is not valid, pop up a warning dialog to that effect, forcing the user to cancel or try again.

  2. Contrive to not even let the user type an invalid input in the first place.

And I suppose it’s possible to do various combinations, like only allowing digit keys to be typed, but waiting until OK is clicked before checking the actual value.

In the first case, that warning dialog is arguably a nuisance. It’s additional work for the programmer to code it up, and it’s an interruption for the user, who has to stop and think and figure out what to do next. (OK? Cancel? Or what?)

But in the second case, there’s a subtle potential problem, too. Suppose the current value is, say, 160 (which is well within range). Suppose the user wants to change it to 170. Suppose the user chooses to do this by clicking to set the text cursor between the 1 and the 6, and typing 7 and then the forward-delete key to delete the 6.

But of course this means that for a moment the dialog will say 1760, which is out of range, so this input sequence is disallowed.

So in the second case, which seems generally friendlier in many respects, there’s this sort of bizarre hidden constraint on what the user is allowed to type. Occasionally when using such input methods (I wish I could remember a better example), it’s been like a miniature impromptu brainteaser puzzle, to figure out a reasonably minimal sequence of keystrokes sufficient to change the value I have into the value I want, without ever passing through any intermediate states where the instantaneous displayed value is disallowed.

So, now, the questions: (1) Do these two rather different styles of input validation have names? (2) Are there other tradeoffs between them, beyond the two I’ve mentioned? And, (3) if the second method is preferred, is the problem of having to solve occasional little puzzles as I’ve described something that isn’t expected to come up very often, or that users will just have to put up with, or what?

Validating a set of dates in Microsoft Sharepoint

I am trying to validate dates in a task request form that has a column [Date of Request] (which would be the day that they are adding the task to the main hub).

I then want that [Date of Request] to see the [Requested Posting Date] column and not allow it to post a date that is before the [Date of Request].

I have tried everything I can from:

    =[Requested Posting Date]<=[Date of Request]
    =[Requested Posting Date]<[Date of Request]
    [Due Date] > [Created]

and none of those work for what I am trying to do here. I am doing all of these formulas in the validation settings section, if that helps. Please help me if you can; everything I try fails or just doesn’t do anything. Let me know how to resolve this and get it working. Nothing will affect the date pickers whatsoever; they do exactly the same thing no matter what formula I throw in. I’m completely lost, let me know. Thanks!

Validating Phonewords/Vanity Numbers

I am redesigning a system where the user can enter various contact details for associates via a personal details form.

In this form, there is a phone number input field. After a phone number is entered it appears in reading view as a clickable number. So it will dial the number for the user if clicked on.

There are a finite number of characters allowed in the field aside from numbers – hyphens, full stops, spaces, parentheses, hash key etc.

Some people choose to input company contact numbers containing phonewords (or vanity numbers). For example – 18000 Call Sony

However, some users are just flying through the form and putting letters in the phone number field, e.g. 1800 876 5432 (Call After 6) or 1800 876 5432 Ext450.

I am trying to design a form that will accept phonewords as viable contacts (converting letters to numbers behind the scenes – and therefore making it diallable) but at the same time run a validation error against other letters/words that cause a system error when entered as part of a dial code.

The current issue is that people are entering a lot of unusable data in there.

Phonewords (or vanity numbers)

e.g. 1800 Call Sony

attached is an image of phone section of the form


How should I be validating a user’s input?

I would like to validate a user’s input in the most “correct”/conventional approach.

In this case, using the demonstration class below, Test, assume the user is required to enter a String of their choice which must solely contain letters from the alphabet.

    public class Test {
        private String aString;

        public Test(String theString) {
            this.aString = theString;
        }

        public String getString() {
            return this.aString;
        }

        public void setString(String theString) {
            this.aString = theString;
        }

        public String toString() {
            return "aString: " + this.aString;
        }

        public static void main(String[] args) {
            Test p1 = new Test("StringyString");
        }
    }

From my minimal knowledge, I see a few options to validate the input:

1) Creating a static method as so…:

    import java.util.Scanner;

    public static String takeInput() {
        Scanner sc = new Scanner(System.in);
        System.out.println("Input:");
        // hasNext(pattern) only peeks at the next token, so the rejected token
        // must be consumed with next() or the loop would repeat on it forever
        while (!sc.hasNext("[A-Za-z]+")) {
            System.out.println("Try Again");
            sc.next();
        }
        String word = sc.next();
        return word;
    }

and proceed to calling it within the main method:

Test p1 = new Test(takeInput()); 

2) Making the above method, takeInput(), non-static and calling it within the slightly altered constructor as follows:

    public Test() {
        this.aString = takeInput();
    }

3) Removing the defined constructor as a whole, validating the input using the non-static takeInput() method and using setString to set the value:

    Test p1 = new Test();
    String inputString = p1.takeInput();
    p1.setString(inputString);
    System.out.println(p1.getString());

Is there a preferred approach towards validating input or an even better one, and if so what makes it “preferred”?

Validating Static resources in a Web Application

Like most web applications, mine has static resources that must be part of the deployment or the user receives a 404 response from the server. My thought was to use unit testing to validate two things: 1. the resource exists, and 2. the content was not modified. I have tried the following code, but it expects (I think) that the files exist in the unit test project.

Solution structure:

    WebApplicationProject
      …
      public
      file.*
      otherfile.*
      web.config
    WebApplicationProject.Tests
      AssetTests.cs

Am I going about this all wrong? Should this not be part of a unit test but some other gate in the CI build process (Azure DevOps), or am I missing something super obvious? I’m likely asking the wrong questions and going about this the wrong way, because I know I’m not the first person to want to do something like this.

I’ve read other posts around testing with files, but they all are using test files to drive data for input in some method that consumes the file, or some process that generates a file for comparison. I don’t want to do either of these things.

I have also played with the settings making the file an embedded resource, and to always deploy with the project, but the unit test project still cannot access the file the way I’m going about this.

    using System.IO;
    using System.Reflection;
    using Microsoft.VisualStudio.TestTools.UnitTesting;

    [TestClass]
    public class AssetTests
    {
        [TestMethod]
        [DeploymentItem(@".\files\file.*")]
        public void AwardLetters()
        {
            // gets the working path for the testing dll; no files exist here
            string path = Path.Combine(Path.GetDirectoryName(Assembly.GetExecutingAssembly().Location), "file.*");
            // check the computed path rather than a name relative to the current directory;
            // nothing I have tried has access to the project's static resources
            Assert.IsTrue(File.Exists(path), "FAIL: file {0} not found", path);
        }
    }

All results end in a file not found exception so far.

I am open to all suggestions, but if you suggest that I have two copies of the files, please fully explain why this is desirable.

Best practice for validating text input on mobile

I’m designing a mobile application where users can order groceries from different suppliers, and each order can have notes to the supplier. Due to the different downstream systems used by different suppliers, some allow 256 characters for the order notes whereas some only allow 64 characters; also, all suppliers restrict the characters so that no emoji are allowed.

The design is one screen: there is a carousel of suppliers on top that the user can switch between, with the order information below the carousel (e.g. quantity, notes, etc.).

We know the message length restriction for each supplier; the issue comes when the user has entered, say, 160 characters, under the limit allowed by supplier A, and then switches to supplier B, who only allows 64 characters for order notes.

I’m wondering what could be the best practice (in terms of UX) to handle this. The options I could think of are:

  1. highlight the extra characters in the message that are not allowed for supplier B, and disable the Proceed button, probably showing an inline message below the notes field saying the message is too long.
  2. highlight the extra characters in the message like option 1, but do not disable the Proceed button; when the user taps on the button, show an alert saying “please refine your message”.
  3. something else?

The main concern here is that users can switch between suppliers with 64 and/or 256 character limits; I want to communicate this to users in a soft way other than a modal alert every time they switch supplier.

Thanks for the help!
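Whichever option is chosen, the check behind it is the same and has to be re-run when the supplier changes, not only when the text changes. The following is an added example, not code from the question; the supplier limits are constructed from the numbers in the post, "character" is assumed to mean a Unicode code point, and anything Unicode classes as pictographic is assumed to count as an emoji.

```javascript
// Supplier limits constructed from the question: A allows 256 characters, B only 64,
// and neither accepts emoji.
const SUPPLIERS = {
  A: { name: 'Supplier A', maxChars: 256 },
  B: { name: 'Supplier B', maxChars: 64 },
};

// Assumption: anything Unicode classes as pictographic counts as an emoji.
const EMOJI_RE = /\p{Extended_Pictographic}/u;

// Count code points rather than UTF-16 units so a 4-byte character is one "character".
// (Assumption about what the downstream systems count; change this if they count bytes.)
const codePoints = (text) => Array.from(text);

// Call this whenever the text changes OR the selected supplier changes, so the
// 160-character note that was fine for A is re-checked the moment B is selected.
function validateNotes(text, supplierId) {
  const supplier = SUPPLIERS[supplierId];
  const cps = codePoints(text);
  const problems = [];
  if (EMOJI_RE.test(text)) {
    problems.push({ kind: 'emoji', message: `${supplier.name} does not accept emoji` });
  }
  if (cps.length > supplier.maxChars) {
    problems.push({
      kind: 'too_long',
      // the UI renders `allowed` normally and `excess` highlighted (option 1 or 2)
      allowed: cps.slice(0, supplier.maxChars).join(''),
      excess: cps.slice(supplier.maxChars).join(''),
      message: `${supplier.name} allows ${supplier.maxChars} characters; ` +
        `${cps.length - supplier.maxChars} too many`,
    });
  }
  return { ok: problems.length === 0, count: cps.length, limit: supplier.maxChars, problems };
}
```

The returned `problems` array drives the inline message and the highlight, and `ok` decides whether Proceed is enabled; a supplier switch only has to call validateNotes again with the same text.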