dhis2-devs team mailing list archive

[Lars Helge Øverland <larshelge@xxxxxxxxx>]

On Wed, Dec 23, 2009 at 4:01 AM, Hieu Dang Duy
<hieu.hispvietnam@xxxxxxxxx>wrote:

> Dear Saptarshi,
>
> I'm not good at about security, I also knew that using javascript it's
> really not safe in web application. By the way, I have a small idea about
> this issue that. Not surely, have any configuration/setting about date in
> DHIS2 program ? Unless, I think we can make a new setting for this one.
> I meant we should make a pattern setting for date format, ie. yyyy-mm-dd
> for DataEntry module. Or can be expanding to use for our whole system.
>
> In that case, we can easily use any kind of validations with that pattern
> setting in either client-side (javascript) or server-side (java).
>
> Thanks for your suggestion !
>
>
Hi,

I would say that we should stick with yyyy-mm-dd for input for now, to me
the added complexity of configurable date input formats justifies the
benefit...

Re validation, we do have server side validation for meta data like data
elements, indicators, data set etc. A problem is that we have separate
action classes for validation and adding/updating (this was done with
separation-of-concerns in mind). This poses a threat since a "malicious"
user could bypass this by turning off javascript in the browser or sending
direct GET-requests. Btw I wouldn't say avoiding javascript validation is
the answer, rather having both where its possible.

Lars