HTML5 brought about several new elements and attributes that we didn’t have in HTML4.
Some of those elements being aside, article, and dialog. For a complete listing, you can review them here: http://www.w3schools.com/html/html5_new_elements.asp
One of the improved features of forms in HTML5 is the form validation. Previously, in HTML4, developers would have to code JavaScript client side validation in order to make sure all fields had input. It could be a tedious task for developer to validate each field if they didn’t have the luxury of iterating through a for loop for each input type. Especially when it came down to validating radio buttons, check boxes, and then text fields. For a phone number, most developers would use just a plain text field. So then you didn’t just have to check if the field had text, but that it was numbers and that it followed the correct format for a phone number and so on. It was quite a bit of coding to validate a form.
HTML5 introduced the required attribute. Now, if that required attribute is added to any input type, then automatically upon submission, the form is validated to make sure there is data there.
So now, instead of seeing a javascript pop up like this one
You see a more aesthetically appealing message like below:
HTML5 added several new input types to make the developer’s life easier as well! These include:
- Color
- Date
- Tel
- Number
- Range
- color
I absolutely love the Tel input type and Date. These have made my life a lot simpler when validating this type of information.
For a complete listing of form input types, you can view them here: http://www.w3schools.com/html/html_form_input_types.asp
Despite the simplicity in client side validation with HTML5, we should not let that give us a false sense of security. It is what it is: Client side validation only. I cannot stress the importance enough of doing your own validation. Let me Emphasize. It is still important to validate your input on the server side!! You, as the developer, should know your data and what type of data should come through the form. Don’t just assume that the values entered into the form are the same values being submitted to the server. The values can be changed during the transmission. A form can be bypassed and information submitted to a server with invalid information. Validate the data being received with what you know is supposed to come through. Check for SQL injection. Last thing you want is to live out “Little Bobby Drop Tables”. Check to make sure valid email address formats are being provided; validate emails and check for email injection. The list goes on and on of things you can and SHOULD check for. All of the same security issues are still very much prevalent with HTML5 that were in HTML4. So, where our job in securing our web applications and forms hasn’t changed much, we have been given a little break for client side validation when it comes to forms thanks to HTML5!
The Wiggle Room 
Great content! love your site design
LikeLike
It really seems the W3C has made an attempt to iron out some of the awkwardness associated with HTML with items such as validation. You’re right, the process of validating input in HTML4 was/is *ugly*. Of course, your advice to ensure data is validated server side is extremely prudent due to the security concerns you so eloquently laid out. If I was a web developer, I’d be very excited to get everything moved over to HTML and leave the dirty work of HTML behind me.
LikeLike
Great post Julie! I couldn’t agree more – Server-side validation is still an absolute must. I’m definitely grateful for HTML5 form validation. It saves so much time from having to setup the client side validation with JavaScript and then also the Server side with PHP (or whatever server side language is being used.)
I like that in many cases the user can’t submit without properly filling out the form. This simplifies life for a beginning developer who might accidentally overlook a detail in the more complex JavaScript validation of HTML4.
LikeLike
Great post and thank you for writing about this topic. I feel like this doesn’t get touched on enough in the world of development and in some cases doesn’t happen at all. I also agree with what you said about validation on both the client and server side as this is very important; one side alone is not going to be good enough.
LikeLike
Great post. You are very prudent to put in that caution about server-side validation. I like how you broke down this topic in plain speak which let’s me know that you really understand your topic. My compliments.
LikeLiked by 1 person
Thank you for your post! You allowed me to really think about form validation and how it relates and is used in HTML.
LikeLike