Form building libraries have always been a trade-off… They are powerful and can be wonderful in result but in any non-trivial implementation they take so much configuration and such that it ends up just being another (slow) mini-language on top of the template’s mini language on top of Perl and probably with a bunch of JS, and now HTML5 extensions, in the mix.

A well behaved model on the backend should do its own validation—so I say—and that means another layer of validation which is not DRY and is ripe for bugs by schism. I was a sometimes fan of them but ended up drifting away and never missed it.

I don’t have a best practice recommendation, but I will say that backend-based form building libraries are probably a mistake unless they are integral to the full framework, and there is nothing like that in Perl. More and more in JS… If you really want to use a form builder, CSS is extremely powerful and fairly cross-browser reliable today. I would still push validation to the model/data layer. It’s the most natural and reusable place for it. Also, I would never use the input pattern property. It is invisible to the actual victim user of the constraint, so it’s not good UX, and it surfaces your code or expectations to hackers; the client-side checks can be bypassed with direct requests/POSTs, and regular expressions can be exploited maliciously.

Update: also be careful. ALL user-supplied data must be escaped. It is opt-in in TT2. So anything that comes from params, etc., needs something like: [% name | html %]

Update: typoeses.


In reply to Re: Form generation and validation by Your Mother
in thread Form generation and validation by Anonymous Monk
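The two practices the reply above argues for, validation in the model/data layer rather than in the browser and explicit output escaping in TT2, as one added Perl example. This is not code from the original post or from any library; the field names, their rules and the constructed request are hypothetical, and it assumes Template Toolkit (the Template module from CPAN) is installed.

```perl
#!/usr/bin/env perl
# Added example (not from the original post): validation in the model
# layer, independent of any client-side <input pattern="..."> check, plus
# explicit output escaping with Template Toolkit's html filter.
use strict;
use warnings;
use Template;   # Template Toolkit (TT2), from CPAN

# Model-layer validation. Each rule is anchored (\A ... \z) with a fixed
# maximum length, so a hand-crafted POST that skipped the browser check
# is still rejected, and the regex cannot backtrack catastrophically on
# adversarial input. Field names and rules are hypothetical.
my %RULE = (
    username => qr/\A[a-z0-9_]{1,32}\z/i,
    zip      => qr/\A[0-9]{5}(?:-[0-9]{4})?\z/,
);

sub validate {
    my ($input) = @_;          # hashref of raw request params
    my (%clean, @errors);
    for my $field (sort keys %RULE) {
        my $value = $input->{$field} // '';
        if ($value =~ $RULE{$field}) {
            $clean{$field} = $value;
        }
        else {
            push @errors, "$field is invalid";
        }
    }
    return (\%clean, \@errors);
}

# Constructed request: what a client sends after stripping the pattern
# attribute from the form and POSTing directly. No browser check ran.
my %param = (
    username => '<script>alert(1)</script>',
    zip      => '12345',
);

my ($clean, $errors) = validate(\%param);
print "error: $_\n" for @$errors;   # username fails the model's rule

# Rendering: TT2 escapes nothing unless asked, so every value that came
# from the request must go through the html filter on output.
my $tt       = Template->new();
my $template = <<'TT';
<p>Unescaped (do not do this): [% name %]</p>
<p>Escaped: [% name | html %]</p>
TT

my $out;
$tt->process( \$template, { name => $param{username} }, \$out )
    or die $tt->error;
print $out;
```

Run it and compare the two rendered paragraphs: the first reproduces the script tag verbatim, the second shows it as entity-escaped text. The validation sub rejects the same value before it would ever reach a database, which is the point of keeping the rule in the model rather than in a pattern attribute the client is free to drop.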
