On Tuesday, February 10, 2015 at 9:21:45 PM UTC-8, Ping-0t wrote: > > Hello Again guys, > > I am just wondering if watir checks inputs datatype? I keep on searching > here since this morning but until now I cannot find the answer. Someone > knows? Because I need to know for my task.. > > Thanks again :) > > Helfe >
in HTML forms there are no dataypes, everything is a string. even spinner controls that let you select numbers, date pickers, etc it's ALL a string when you look at the actual HTTP POST traffic. Webpages can implement client side javascript to ensure that the values a user provides fit some particular pattern, anything from being an integer, to a potentially valid e-mail address. and prevent a non-malicious user from submitting data outside given ranges/patterns when using your site as intended. You can easily create tests to validate such things by trying to input 'invalid' values and verifying that the form will not allow you to submit, and provides appropriate messages to tell the user what they did wrong. But do understand ultimately two things. 1) watir has no idea if such client side code exists, and no way to automagically know if an input field has JS code that tries to enforce such a restriction on input to that field. For that matter you would not want watir to prevent you from using an invalid value because that would prevent you from trying to test the form by inputting such values. You need to be able to do any silly thing (or purposely bad thing) that a user might try to do in order to see that the site responds correctly. Also, even if watir could look at the JS and sus out the acceptable range of values for a field, that would not tell you if the code was correctly implementing the story for that form. If we were just to look at the code and test according to what we see, we could potentially tell if the code 'worked right' but would have no idea if it was actually 'doing the right work'. So were such a capability to exist, it would mostly provide a false sense of security instead of having real value. 2) from a more pragmatic 'security geek' standpoint, while such client side JS code is 'nice' from the perspective of a good user experience, it does pretty much ZERO in terms of protecting your webserver and the systems below it from invalid input. That is because it is trivially easy in most cases to 'spoof' such input, particularly where form data may be submitted to something like a REST API. It takes minimal skill to do an 'end-around' on the client side JS code and submit all sorts of malicious crap to your webservers. So please insure that your programmers are also validating inputs at the back end, before trying to make use of any data that comes from the web client. Or better yet, learn how to do such spoofing yourself and include that in your testing. -- -- Before posting, please read http://watir.com/support. In short: search before you ask, be nice. [email protected] http://groups.google.com/group/watir-general [email protected] --- You received this message because you are subscribed to the Google Groups "Watir General" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/d/optout.
