• rocco (unregistered)

    "thank you"

  • rocco (unregistered)

    attempting the dreaded comment, i got:

    Not sure what it was, but it was logged. A human will eventually look at it. If the problem persists, please Contact Us. If the problem is on the contact form, then ... well ... that pretty much sucks. You can email instead: alexp-at-WorseThanFailure.com.

  • Drew (unregistered)

    Maintainability be damned! D:<

  • JavaScript (unregistered) in reply to rocco
    rocco:
    "thank you"
    you're welcome
  • Unicode (unregistered)

    Thank you for properly supporting me. ಠ_ಠ

  • SR (unregistered) in reply to rocco
    rocco:
    attempting the dreaded comment, i got:

    Not sure what it was, but it was logged. A human will eventually look at it. If the problem persists, please Contact Us. If the problem is on the contact form, then ... well ... that pretty much sucks. You can email instead: alexp-at-WorseThanFailure.com.

    Welcome to TDWTF. It does that. Just keep hitting Back then Submit until it goes through.

    My personal best is 4 attempts but I'm sure other users can beat me in that particular pissing contest.

    CAPTCHA: erat (Borat's brother?)

  • Farmer Innes-D'en (unregistered)

    TRWTF is that anybody assumes client-side Javascript to have done any validation for them. No, really. Page one, people, page one.

  • (cs)

    Sorry, but this is probably the biggest non-WTF I've ever seen on this site.

    I think someone is clearly confusing "Not everyone runs JavaScript" with "No-one runs JavaScript".

    Where is this article is there any suggestion that there is not additional validation of data conducted on the server? Clearly the intention of this function (which admittedly has changed since it was named - possibly the only vague WTF in the article) is to tell when a user is attempting to enter an invalid character and provide immediate feedback to the user without requiring a round trip to the server. Last time I checked this is a good thing.

    There's plenty of WTFs out there to do with JavaScript, but simply using JS to provide additional functionality to a user is most definitely not one of them.

  • Forumtroll (unregistered)

    This allmost beats the Regex pattern (as seen on our intranet website):

    Regex reg = new Regex(@"^\K*$"); if(reg.IsMatch(txtPStrField13.Text)) pfuncInformUser(txtPStreField13);

    I am not sure what is the most abrasive to my eyes and mind, be it the hillarious regex, or the mindraping abuse of several notations blended into one.

    The worst of it is, txtPStrField13 is hidden by hardcode.

    CAPTCHA: conventio! Is is at convent or IO or both?

  • (cs)

    What did you expect, C#Scrpit? Pah!

  • Carl (unregistered)

    The function is horribly mis-named, but the author doesn't seem to think that's a very big deal. So the WTF is using Javascript to perform input validation? Lame.

  • eViLegion (unregistered)

    Is the real WTF the fact that this got posted in the first place?

  • (cs) in reply to Carl
    Carl:
    The function is horribly mis-named, but the author doesn't seem to think that's a very big deal. So the WTF is using Javascript to perform input validation? Lame.
    You don't seem to understand. Using JavaScript for anything at all is wrong because someone might not have it enabled.

    Repeat: everything you ever thought you knew about progressive enhancement is wrong.

  • (cs)

    Maybe I'm a moran, but I don't see the WTF here. Maybe that means I'm TRWTF.

  • SR (unregistered) in reply to toth
    toth:
    Maybe I'm a moran, but I don't see the WTF here. Maybe that means I'm TRWTF.

    Dylan Moran? Kevin Moran?

    CAPTCHA: damnum (if they can't take a joke)

  • NetBen (unregistered) in reply to rocco

    This is a WTF if this is THE only user input validation.

    This is NOT a WTF if this function is part of enhancing user experience.

    Both factors unknown, so useless article.

  • Petrus (unregistered)

    I say - this is truly a WTF. Everyone knows that all input-validation should be done serverside, and only serverside. In case a user enters invalid characters in a textfield, the server should simply return a: "error 503 - invalid character(s)" message, and allow the user to guess which character(s) was invalid and why!

  • (cs) in reply to Farmer Innes-D'en
    Farmer Innes-D'en:
    TRWTF is that anybody assumes client-side Javascript to have done any validation for them. No, really. Page one, people, page one.

    Then make sure they have javascript.

    <form method="post" action="process.php">
    <input type="button" onclick="this.form.submit();">
    </form>
    
  • javabeats (unregistered) in reply to Petrus

    Hmm... well, what if the round trip is an expensive process that takes some time? You could spare the end user from the wait by using client side validation.

    (2nd attempt)

  • (cs) in reply to NetBen
    NetBen:
    This is a WTF if this is THE only user input validation.

    This is NOT a WTF if this function is part of enhancing user experience.

    Both factors unknown, so useless article.

    This says it all.

  • Neville Flynn (unregistered)

    This is not a WTF unless you add this sentence to the article: "Oh, and they don't perform validation on the server."

    By the way, would that JS stop someone from pasting in invalid text? Or does it only work if the user manually types in invalid text?

  • John C. Random (unregistered) in reply to JuanCarlosII
    JuanCarlosII:
    Carl:
    The function is horribly mis-named, but the author doesn't seem to think that's a very big deal. So the WTF is using Javascript to perform input validation? Lame.
    You don't seem to understand. Using JavaScript for anything at all is wrong because someone might not have it enabled.

    To take that to its logical conclusion, writing software at all is wrong, because someone might not use it.

  • John C. Random (unregistered) in reply to Neville Flynn
    Neville Flynn:
    This is not a WTF unless you add this sentence to the article: "Oh, and they don't perform validation on the server."

    By the way, would that JS stop someone from pasting in invalid text? Or does it only work if the user manually types in invalid text?

    That's no "by the way", it's a concrete example of your first point. There's nothing to stop malicious users hand-whittling the HTTP POST, shitty data and all.

  • Anonymous (unregistered) in reply to akatherder
    akatherder:
    Farmer Innes-D'en:
    TRWTF is that anybody assumes client-side Javascript to have done any validation for them. No, really. Page one, people, page one.

    Then make sure they have javascript.

    <form method="post" action="process.php">
    <input type="button" onclick="this.form.submit();">
    </form>
    

    What if I call process.php with my own POST variables? :)

  • tetsu (unregistered)

    TWTF is that there is a function named "numbersonly" that takes three parameters: a field, an event, and a number. Why it takes these three parameters is not obvious. It acts like a real-time input handler, which isn't necessary.

    It purports to return True or False depending on if the characters (or single input character, in this case) is a number. Instead, it changes the form and input behavior. The function is tied to the form, tied exclusively to that field, and afaik is called infinitely, because of that last 'else true' that lets you have no myfield or event but still return true as if the input is considered a 'number'.

    tl;dr It's a boolean utility function that changes the state. Changes the state in ways it never suggests it would. Like allowing alphas and question marks.

  • (cs)

    ha! At least this code CAN make sense. i found this script on the wild wild web:

    <script> if (typeof(window.parent.refreshSessionNoFlash)=="function") { window.parent.refreshSessionNoFlash(); }
    window.parent.document.getElementById('header-user-details').innerHTML =
    '<li><a href="/switch">Sign Up/In&nbsp;</a></li>' +
    '<li><a href="/account" target="_self">My Account</a></li>';
    
    if (typeof(window.parent.showError)=="function")
    {
    	window.parent.showError ("Your flash player seems to be outdated. <b>You either have JavaScript disabled</b> or an old version of" +
    	" Adobe's Flash Player To use WatchDox please get the latest Flash Player.");
    }
    
    <script> </i> </script>
  • Adam (unregistered)

    I:APOSTROPHE:ve had the misfortune to have to fill in a problem:HYPHEN:description form for a :OPENBRACKET:major:CLOSEBRACKET: consumer hardware manufacturer that, while asking for a complete report on why I wanted them to repair my laptop, forbade :OPENBRACKET:server:HYPHEN:side:CLOSEBRACKET: almost all non:HYPHEN:alphanumerics :DASH: the procedure was apparently just to keep removing characters until it stopped giving :QUOTE:Illegal character:QUOTE: errors. Is this typical:QUESTIONMARK:

  • (cs) in reply to Unicode
    Unicode:
    Thank you for properly supporting me. ಠ_ಠ
    The eyes have it! (Or they would if the fonts on this system had glyphs for Kannada…)
  • (cs) in reply to NetBen
    NetBen:
    This is a WTF if this is THE only user input validation.

    This is NOT a WTF if this function is part of enhancing user experience.

    Both factors unknown, so useless article.

    Oh, it has plenty of WTF!s in it even without knowing whether it is the only validation.

    My favourite that I've seen so far is that bit with checking if it's processing decimal and, if so, comparing to see if the key was a period. When that character is a member of set of chars checked for previously. Thankfully, the test wouldn't lead to an observable outcome anyway, since it's just choosing whether to return false, or to instead return false. Vital decision, that…

    (Yes, there's a focus change in there. Anyone want to bet which element would be focused on at that point?)

  • Stupid in JS (unregistered)

    Am I being stupid, or it will never get to this:

    else if (dec && (keychar == ".")) { myfield.form.elements[dec].focus(); return false; }

    as the "." char would've been captured by the indexof just above.

    And in that case (if it's not one of the "invalid for which it return true" chars), it'd always return false.

  • (cs) in reply to dkf
    dkf:
    NetBen:
    This is a WTF if this is THE only user input validation.

    This is NOT a WTF if this function is part of enhancing user experience.

    Both factors unknown, so useless article.

    Oh, it has plenty of WTF!s in it even without knowing whether it is the only validation.

    My favourite that I've seen so far is that bit with checking if it's processing decimal and, if so, comparing to see if the key was a period. When that character is a member of set of chars checked for previously. Thankfully, the test wouldn't lead to an observable outcome anyway, since it's just choosing whether to return false, or to instead return false. Vital decision, that…

    (Yes, there's a focus change in there. Anyone want to bet which element would be focused on at that point?)

    I don't think that anyone's claiming this isn't some pretty bad code, but there's a big gap between bad code and WTF.

    Generally, if I have to go through the code line-by-line looking for unused elseif statements to try and find a WTF then there isn't one there at all.

    On the other hand, can anyone tell me what's so bad about allowing ☺?

  • (cs) in reply to Anonymous
    Anonymous:
    akatherder:
    Farmer Innes-D'en:
    TRWTF is that anybody assumes client-side Javascript to have done any validation for them. No, really. Page one, people, page one.

    Then make sure they have javascript.

    <form method="post" action="process.php">
    <input type="button" onclick="this.form.submit();">
    </form>
    

    What if I call process.php with my own POST variables? :)

    You would be fine or you would get a syntax error. If you're fine, my job is done. If you get a syntax error, then you don't know what you're doing.

  • BLs (unregistered) in reply to Adam
    Adam:
    I:APOSTROPHE:ve had the misfortune to have to fill in a problem:HYPHEN:description form for <...clip...clip...> stopped giving :QUOTE:Illegal character:QUOTE: errors. Is this typical:QUESTIONMARK:

    I had a similar problem a couple weeks back. They kept giving me an illegal character error. I finally figured out something else was going on when I'd removed everything from my comments except plain letters and spaces and still got the error. After slogging through their massive amount of obscure javascripts I finally found the function causing the problem. It turned out that my comments were longer than their limit. What's worse: enforcing a limit that you don't tell anyone about, doing it in a function that checks for bad characters, or reporting it as an illegal character error?

  • Anonymously Yours (unregistered) in reply to John C. Random
    John C. Random:
    JuanCarlosII:
    Carl:
    The function is horribly mis-named, but the author doesn't seem to think that's a very big deal. So the WTF is using Javascript to perform input validation? Lame.
    You don't seem to understand. Using JavaScript for anything at all is wrong because someone might not have it enabled.
    To take that to its logical conclusion, writing software at all is wrong, because someone might not use it.
    This is a perfect example of why using sarcasm is wrong. I hope you learned something from this, JuanCarlosII.
  • Anonymous (unregistered)

    People are defending this as reasonable client-side validation. But as far as I'm concerned, any validation that occurs on every keypress is fundamentally wrong. Why process every single key when you could just process the whole thing on submit? Unless it specifically needs to process every key press I would say that this is definitely a WTF. Not a major one, but a WTF nonetheless.

  • Complete Moron (unregistered) in reply to Anonymous

    This code looks like complete shiite and is trying to do too much in a poorly written method. TRWTF is seeing actual value in deploying it, and that value as being worth more than the headache of maintaining this type of junk.

  • Fedaykin (unregistered) in reply to Farmer Innes-D'en
    Farmer Innes-D'en:
    TRWTF is that anybody assumes client-side Javascript to have done any validation for them. No, really. Page one, people, page one.

    As long as the server side does real validation, then using client side code to provide a better use experience (e.g. instant validation of form fields without a round trip to the server) is a great and useful thing that should be encouraged.

  • Anon (unregistered)

    So yes, the code is ugly, it's obviously mutated from something else and is full of bits that aren't needed. And yes, it won't run at all if you have JavaScript turned off. But I agree with a lot of other posters that, assuming there is some validation done server side, it's not much of a WTF. It there is any WTF, it's why do you need to validate the text in the "thank you note" text area with is presumably only going to be read by a human (other than escaping special characters)? Who cares if somebody wants to put a ☺ in the thank you note?

  • Anon (unregistered) in reply to Anonymously Yours
    Anonymously Yours:
    John C. Random:
    JuanCarlosII:
    Carl:
    The function is horribly mis-named, but the author doesn't seem to think that's a very big deal. So the WTF is using Javascript to perform input validation? Lame.
    You don't seem to understand. Using JavaScript for anything at all is wrong because someone might not have it enabled.
    To take that to its logical conclusion, writing software at all is wrong, because someone might not use it.
    This is a perfect example of why using sarcasm is wrong. I hope you learned something from this, JuanCarlosII.

    I see what you did there. Well played Anonymously Yours.

  • (cs) in reply to akatherder
    akatherder:
    Farmer Innes-D'en:
    TRWTF is that anybody assumes client-side Javascript to have done any validation for them. No, really. Page one, people, page one.

    Then make sure they have javascript.

    <form method="post" action="process.php">
    <input type="button" onclick="this.form.submit();">
    </form>
    

    On most browsers, pressing Enter on a form that has no explicit submit buttons will submit it either way.

  • (cs) in reply to Anon
    Mark Bowytz:
    Now, before bashing the function for it's curious name...
    Bob the Angry Flower would like a word with you, Mark.
  • nimchimpsky (unregistered)

    Errm. Excuse my ignorance, I do plenty of form validation using javascript/ajax. Specifically ajax, it sends request to the server and validates data. I actually have a "validate" button - to check all data is hunky dory.

    Then the whole form gets processed after validation. This enables informaitve feedback to be given to user (eg:you need to change field 1 before submitting)

    Discuss ...

  • Jonathan Collins (unregistered) in reply to akatherder
    akatherder:
    Anonymous:
    akatherder:
    Farmer Innes-D'en:
    TRWTF is that anybody assumes client-side Javascript to have done any validation for them. No, really. Page one, people, page one.

    Then make sure they have javascript.

    <form method="post" action="process.php">
    <input type="button" onclick="this.form.submit();">
    </form>
    

    What if I call process.php with my own POST variables? :)

    You would be fine or you would get a syntax error. If you're fine, my job is done. If you get a syntax error, then you don't know what you're doing.

    Ever heard of SQL injection?

  • voyou (unregistered) in reply to tetsu
    tetsu:
    It purports to return True or False depending on if the characters... It's a boolean utility function that changes the state.

    No, it's not, it's an event handler, and as such it returns true or false depending on whether or not the event should be handled further. It has a badly chosen name, sure (both because the name doesn't make clear that it is an event handler, and because it suggests it limits input to numbers, rather than a broader range of characters). But reading the function, it's intent is perfectly clear. The fact that it doesn't do what you incorrectly think it should do, is your problem, not a problem in the code.

  • Fedaykin (unregistered) in reply to Jonathan Collins
    Jonathan Collins:
    akatherder:
    Anonymous:
    akatherder:
    Farmer Innes-D'en:
    TRWTF is that anybody assumes client-side Javascript to have done any validation for them. No, really. Page one, people, page one.

    Then make sure they have javascript.

    <form method="post" action="process.php">
    <input type="button" onclick="this.form.submit();">
    </form>
    

    What if I call process.php with my own POST variables? :)

    You would be fine or you would get a syntax error. If you're fine, my job is done. If you get a syntax error, then you don't know what you're doing.

    Ever heard of SQL injection?

    Data scrubbing to avoid SQL injection = WTF

  • Jonathan Collins (unregistered) in reply to Fedaykin
    Fedaykin:
    Data scrubbing to avoid SQL injection = WTF

    Well... yes, but I doubt this shop is using parameterized queries.

  • PRMan (unregistered) in reply to dkf

    Is it wrong that the number one thing I got out of this article is that I just felt bad that the little guy didn't have a nose:

    ಠೃಠ

  • tekHedd (unregistered)

    In this fine example of the programmer's art, you can feel the coder's desperate fear of unnecessary curly brackets, while the use of whitespace to separate 'if' from 'elseif' (but not other unrelated lines of code) imparts a whimsical air to the function as a whole, as if the author only used the 'else' blocks as an afterthought.

  • ing (unregistered)

    ಠ͜ಠ

  • (cs) in reply to Adam

    Dear me! You forgot the colons!

    ICOLONCOLONCOLONAPOSTROPHECOLONCOLONCOLONve had the misfortune to have to fill in a problemCOLONCOLONCOLONHYPHENCOLONCOLONCOLONdescription form for a COLONCOLONCOLONOPENBRACKETCOLONCOLONCOLONmajorCOLONCOLONCOLONCLOSEBRACKETCOLONCOLONCOLON consumer hardware manufacturer that, while asking for a complete report on why I wanted them to repair my laptop, forbade COLONCOLONCOLONOPENBRACKETCOLONCOLONCOLONserverCOLONCOLONCOLONHYPHENCOLONCOLONCOLONsideCOLONCOLONCOLONCLOSEBRACKETCOLONCOLONCOLON almost all nonCOLONCOLONCOLONHYPHENCOLONCOLONCOLONalphanumerics COLONCOLONCOLONDASHCOLONCOLONCOLON the procedure was apparently just to keep removing characters until it stopped giving COLONCOLONCOLONQUOTECOLONCOLONCOLONIllegal characterCOLONCOLONCOLONQUOTECOLONCOLONCOLON errors. Is this typicalCOLONCOLONCOLONQUESTIONMARKCOLONCOLONCOLON

    Of course, I left out marking up the colons that mark up the colons, but I don't have infinity time to make up for your sloppy work.

Leave a comment on “Thank You for Enabling JavaScript!”

Log In or post as a guest

Replying to comment #:

« Return to Article