Creating Clean Code and Well Made Forms
by Mark Jones, M.S. and Beth Ardoin, M.Ed.
09/14/2007
Here are some basic rules for creating good forms for the Web:
- Validate all user input, every time, on the server. Don't stop to ask whether a particular field needs it: any input that has not been validated is a vulnerability. Validate against an allow-list of what the field may contain (type, length, character set, range) rather than by stripping characters you think are dangerous, and do not rely on checks in the browser, which an attacker skips by sending the request directly.
- Check any user input that will be echoed back to the user for character patterns the browser will interpret as markup, for instance a <script> tag. Encode such input so that characters with special meaning to the browser (<, >, &, quotes) are escaped before the data is echoed back; otherwise the page is open to cross-site scripting (XSS).
- Do not display raw error messages (stack traces, database errors, file paths) to the user. They can be used to learn about the internals of your application. Log the detail on the server and show the user a generic message.
- Make important functions such as password changes two-step processes. In other words, implement an “Are you sure?” feature, so that at least two HTTP requests must be sent to the server before the application processes the command. Actions that complete on a single form submission (one HTTP request) with parameters an attacker can predict are vulnerable to Cross-Site Request Forgery (CSRF/XSRF): a malicious page makes the victim's browser send the request, with the victim's cookies attached, behind the scenes, and the victim sees nothing. The second request helps only if the attacker cannot forge it too: the confirmation page must carry an unpredictable token tied to the user's session (and a password change should require the current password), and the server must refuse the final request unless that value is present and correct.
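As an added illustration of the four rules above (example code written for this page, not the authors' own), here is a minimal server-side handler for a password-change form in Python. The function and constant names, the server secret, the salt and the single-user store are all constructed for the example; a real application would load its secret from configuration, use a random per-user salt and consult its actual user database.

```python
import hashlib
import hmac
import html
import re

# Constructed sample values for this example only; a real application loads its
# secret from configuration and uses a random per-user salt.
SERVER_SECRET = b"example-server-secret-not-for-production"
EXAMPLE_SALT = b"example-salt"


def hash_password(password: str) -> bytes:
    """Slow, salted hash so the store never holds the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), EXAMPLE_SALT, 100_000)


# Constructed user store: one account whose password is known to the example.
USERS = {"alice": {"pw_hash": hash_password("correct horse battery")}}

# Rule 1: validate against an allow-list of what the field may contain.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{3,32}")


def valid_username(value) -> bool:
    return isinstance(value, str) and USERNAME_RE.fullmatch(value) is not None


def valid_new_password(value) -> bool:
    return isinstance(value, str) and 12 <= len(value) <= 128


# Rule 2: encode user data before echoing it, so a <script> tag arrives as text.
def greeting_html(name: str) -> str:
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


# Rule 4: the second request must carry something the attacker cannot forge.
# Here the token is an HMAC over the session id, keyed with the server secret.
def csrf_token(session_id: str) -> str:
    return hmac.new(SERVER_SECRET, session_id.encode("utf-8"), hashlib.sha256).hexdigest()


def csrf_token_ok(session_id: str, submitted) -> bool:
    if not isinstance(submitted, str):
        return False
    return hmac.compare_digest(csrf_token(session_id), submitted)


def password_form_html(session_id: str) -> str:
    """Step one: serve the "Are you sure?" form with the hidden token embedded."""
    return (
        '<form method="post" action="/change-password">'
        f'<input type="hidden" name="csrf_token" value="{csrf_token(session_id)}">'
        'Current password: <input type="password" name="current_password"> '
        'New password: <input type="password" name="new_password"> '
        '<input type="submit" value="Are you sure?">'
        "</form>"
    )


def password_matches(user: str, password: str) -> bool:
    return hmac.compare_digest(hash_password(password), USERS[user]["pw_hash"])


GENERIC_FAILURE = "The request could not be processed."


def handle_password_change(session_id: str, user, form: dict, log: list) -> tuple:
    """Step two: process the POST. Returns (status, message shown to the user).

    Rule 3: every failure path appends the detail to `log` (the server-side log)
    and shows the user only generic text.
    """
    if not csrf_token_ok(session_id, form.get("csrf_token")):
        log.append(f"csrf token missing or wrong for session {session_id!r}")
        return "rejected", GENERIC_FAILURE
    if not valid_username(user) or user not in USERS:
        log.append(f"password change for unknown or malformed user {user!r}")
        return "rejected", GENERIC_FAILURE
    # Requiring the current password is a second, independent check that a
    # forged request cannot satisfy.
    if not password_matches(user, form.get("current_password") or ""):
        log.append(f"wrong current password for {user}")
        return "rejected", GENERIC_FAILURE
    new_password = form.get("new_password")
    if not valid_new_password(new_password):
        return "rejected", "The new password must be 12 to 128 characters long."
    try:
        USERS[user]["pw_hash"] = hash_password(new_password)
    except Exception as exc:  # whatever the store raises stays in the log
        log.append(f"error updating password for {user}: {exc!r}")
        return "error", "Something went wrong; please try again later."
    return "ok", "Your password has been changed."
```

A forged request can make the victim's browser POST to /change-password with the victim's cookies attached, but the attacker's page cannot read the hidden field from a form it did not load in the victim's session, so the forged request fails the first check before anything else runs. The current-password check is an independent second barrier, and every rejection the user sees is the same generic sentence while the reason goes to the log.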
Here are a few basic rules for creating any good Web page:
- Check for cross-browser compatibility. Yes, it takes a few minutes, but a few minutes during creation will save hours later. Just think of all the phone calls you WON'T have to take and troubleshoot.
- The content is the whole reason for creating a page. A page without good content is not worth the time it takes to create.
- Good design is also very important. The value of good design, a good user interface, useful graphics and white space is often dismissed as a lesser concern. Good content experts and programmers are often not good designers. Partner with a design group that understands usability and is willing to work with you for a better all-around product that will be useful and actually used.