I have a input text field for accepting Email ID. If Email ID is not entered by User, I have a client side validation using Java Script to display error message which reads like, "Please enter valid email id". Code is like,
if(EmailIdIsNull)
{
error = "Please enter valid email id";
//Submit this error message to the form
}
This way of handling the check is vulnerable to hazardous character injection. For eg., one changed "Please enter valid email id" to "%22@27%3ECIMG+SRC%3D.html%22%3E"
Solution for this was given as,
"If available, use structured mechanisms that automatically enforce the separation
between data and code. These mechanisms may be able to provide the relevant quoting,
encoding and validation automatically, instead of relying on the developer to provide
this capability at every point where output is generated"
Am looking for an explanation of the above solution. Also, how can one apply above solution in my case regarding client side check of email id?