Pylons/webtest

Allow checking client-side validation during form submit

Closed this issue · 2 comments

Feature Request

Is your feature request related to an issue? Please describe.
Currently it is possible to submit forms whose inputs do not validate. While this is definitely possible for a malicious attacker, it prevents testing another scenario: when tightening the pattern or adjusting min/max attributes, it is possible to prevent well-formed inputs. This may go undetected and lead to a form in production which cannot be sent.

Describe the solution you'd like
The form submit method should check client-side validation attributes like pattern, minlength, maxlength, min, max, step, required etc.

Describe alternatives you've considered
As this is a breaking change, an alternative would be to make this an argument to the submit method. This way different strictness could also be possible (e.g. none, only required, or all attributes).

Additional context
The pattern is an ECMAScript (JavaScript) regex. Python's regex engine is in most cases comparable enough that it can be used. However, lesser-used features, e.g. capturing groups, may be different. This is another good reason to make this an optional parameter of the submit method. Furthermore, min/max will have to be handled differently for some input types like datetime-local etc.

@septatrix please see https://docs.pylonsproject.org/projects/webtest/en/latest/#what-this-does

I think that what you seek would be better satisfied with any client-side test application, such as Selenium or Katalon Studio, as they already have such support. For example, Deform has an app Deform Demo that uses Selenium to perform functional tests. For its implementation, see https://github.com/Pylons/deform/blob/main/contributing.md#preparing-a-functional-testing-environment.

I second what Steve mentioned, as well as the fact that you should not rely on client-side validation of data on the server side. So webtest should explicitly allow sending data that won't validate client-side to make sure that the server is validating the data correctly.
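Added example, not part of the thread and not WebTest's API: a standard-library sketch of the check the issue asks for, kept in the test suite so the submit itself stays unrestricted for server-side validation tests. The names `InputCollector`, `check_value` and `client_side_errors` are hypothetical, the form is constructed, and `pattern` is assumed to use only regex syntax that Python and ECMAScript share.

```python
import re
from html.parser import HTMLParser

# Constructed sample form, not taken from a real application.
SAMPLE_FORM = """
<form method="post">
  <input name="username" required pattern="[a-z]{3,8}">
  <input name="pin" minlength="4" maxlength="6">
  <input name="age" type="number" min="18" max="120">
</form>
"""

class InputCollector(HTMLParser):
    """Collect the attributes of every named <input> element."""
    def __init__(self):
        super().__init__()
        self.inputs = {}

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "input" and attrs.get("name"):
            self.inputs[attrs["name"]] = attrs

def check_value(attrs, value):
    """Return the name of the first violated constraint, or None."""
    if value == "":  # only `required` applies to an empty value
        return "required" if "required" in attrs else None
    # HTML matches `pattern` against the whole value, hence fullmatch.
    if "pattern" in attrs and not re.fullmatch(attrs["pattern"], value):
        return "pattern"
    if "minlength" in attrs and len(value) < int(attrs["minlength"]):
        return "minlength"
    if "maxlength" in attrs and len(value) > int(attrs["maxlength"]):
        return "maxlength"
    if attrs.get("type") == "number":
        try:
            number = float(value)
        except ValueError:
            return "type"
        if "min" in attrs and number < float(attrs["min"]):
            return "min"
        if "max" in attrs and number > float(attrs["max"]):
            return "max"
    return None

def client_side_errors(html, values):
    """Hypothetical helper: map each rejected field to the violated attribute."""
    collector = InputCollector()
    collector.feed(html)
    found = ((n, check_value(a, values.get(n, ""))) for n, a in collector.inputs.items())
    return {name: reason for name, reason in found if reason}
```

A test can assert that known-good fixture values produce an empty result, which catches a tightened `pattern` or `min`/`max` that would lock out legitimate users, while separate tests still post invalid data to confirm the server rejects it.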