HTML Form Validation is underused

382 点作者 stereoabuse7 个月前

38 条评论

Last time I checked, web-browsers today still do not allow you to style the appearance of built-in HTML validation messages [1]; this wouldn't be so bad if Chrome (and Firefox) still conformed to their OS platform UI guidelines (i.e. so it looks system-generated, like how `title=""` tooltips used to be), instead Chrome uses this ugly yellow/orange icon color with black-text on a white background on a bubble with a fixed corner border radius - it clashes horribly with my current project's aesthetics.[1] <a href="https://stackoverflow.com/questions/5328883/how-do-i-style-the-html-form-validation-error-messages-with-css" rel="nofollow">https://stackoverflow.com/questions/5328883/how-do-i-style-t...</a>Annoyingly, Chrome used to allow styling of validation-messages using vendor-prefixed pseudoelement selectors, but they removed that functionality and never brought it back; I'll chuck this on the same pile as other arbitrary annoyances like "can we have a native HTML combo-box please" and "why is <select multiple> still a horribly unusable ctrl+click box instead of a checkbox-list?".

评论 #41983727 未加载

评论 #41983100 未加载

评论 #41978225 未加载

评论 #41978541 未加载

评论 #41979189 未加载

评论 #41981976 未加载

评论 #41979218 未加载

pbreit7 个月前

The biggest, easiest to implement underutilization is:"Using specific type attribute values, such as "email", "number", or "url""These can significantly improve user experience on mobile by triggering the optimal keyboard.

评论 #41978038 未加载

评论 #41977846 未加载

评论 #41980506 未加载

评论 #41977980 未加载

评论 #41978339 未加载

评论 #41983609 未加载

kaoD7 个月前

My product just failed an accessibility audit because we are using native HTML form validation and the official recommendation was to implement our own validation layer.EDIT: which I agree with.Native HTML validation has many flaws and visual customization is not my biggest concern to be honest (but it's the nail in the coffin).E.g.:- It's impossible to show multiple errors at once per field unless you concat strings ("You need a number. You need a symbol. Must be >10 chars.")This is both bad UX and bad for accessibility (you cannot navigate concatenated strings on the accessibility tree). And this isn't even implementation dependent, it's the spec! You need multiple errors at once because playing whack-a-validation-error is not fun for users.- It's browser-dependent which is bad because you can't control it and because the implementation is generally terrible (e.g. in Chrome it shows a popup on focus, which is not very accessible by itself because (1) it's a popup (2) that shows modally (3) and can't show all form errors at once).Not using popups for important information is accessibility 101, but browsers cannot afford to do anything else without interfering with the actual document.- You still need custom validation for form-wide errors (like errors that don't belong to a particular field, "Fields A and B are incompatible") so you might as well have a consistent validation story.- It requires you to have hidden inputs to be consistent (-ish) if you have some custom input that doesn't fit any of the native input types -- this breaks accessibility too and fixing it is as hard as having your own accessibility-friendly validation story.- The custom validity API is imperative and cumbersome to use. Not using custom validity is almost never an option unless you want terrible messages ("This field is invalid")And many more.HTML form validation is terrible.

评论 #41987015 未加载

评论 #41999038 未加载

评论 #41984130 未加载

unlog7 个月前

In an all honest reply, is that the people that writes these specifications, live disconnected from the reality, they don't use the stuff they specify. That stuff works for very simple things, but then when your forms evolve you realise you will be better off just writing the whole thing yourself.

评论 #41979650 未加载

评论 #41978456 未加载

评论 #41980597 未加载

mcflubbins7 个月前

If you have a checkbox with a label, please a "for" attribute to the label so I can disable/enable the checkbox by clicking the label. This is one of my biggest pet peeves, maybe its just me.

评论 #41979727 未加载

评论 #41978937 未加载

calibas7 个月前

Here's a simple example that doesn't use React:<a href="https://developer.mozilla.org/en-US/docs/Web/API/HTMLObjectElement/setCustomValidity" rel="nofollow">https://developer.mozilla.org/en-US/docs/Web/API/HTMLObjectE...</a>

评论 #41984261 未加载

评论 #41981840 未加载

jansommer7 个月前

Html form validation is great. There's just one gigantic catch:It doesn't work in Firefox for Android.<a href="https://bugzilla.mozilla.org/show_bug.cgi?id=1510450" rel="nofollow">https://bugzilla.mozilla.org/show_bug.cgi?id=1510450</a>

评论 #41981314 未加载

评论 #41978514 未加载

评论 #41978510 未加载

评论 #41982754 未加载

评论 #41983140 未加载

评论 #41982742 未加载

donatj7 个月前

You gotta be careful about going overboard with it.Recently I was trying to get a refund on Groupon because the company I'd bought a Groupon for was under new management that refused to honor my groupon.The form had a stipulation "minimum of 15 words". Try as I might, I could not get the form to pass validate until I inspected the HTML.<pre><code> <input pattern="^(\b\w+\b\s*){15,}$" required> \w - word characters \b - word boundaries \s - white </code></pre> Literally zero allowance for any sort of punctuation.

评论 #41977501 未加载

评论 #41983399 未加载

temporallobe7 个月前

There’s a reason it’s heavily underused. So many frameworks and libraries provide robust, style-able validation capabilities, some with very sophisticated and extendable functionality. Don’t torture yourself if you don’t have to.

评论 #41982976 未加载

评论 #41979328 未加载

Macha7 个月前

One of the things I dislike about HTML form validation is it starts running from page load. So if e.g. you tie error state formatting to it, the form loads up with a bunch of errors which may be intimidating to the user.

评论 #41977812 未加载

评论 #41977789 未加载

评论 #41978017 未加载

blacksmith_tb7 个月前

My personal bête noire is sites that misuse type=password for 2FA inputs, since that confuses password managers and browsers both.

评论 #41979200 未加载

评论 #41979140 未加载

ozim7 个月前

Because it sucks.It does not translate with the application but with browsers settings, it doesn’t style or fit any design. It looks differently on different browsers and it is really hard to explain to stakeholders “this is from browser I don’t have control over it”.

评论 #42021736 未加载

评论 #41983534 未加载

评论 #41990963 未加载

mannyv7 个月前

The real problem with client-side validation is you can't trust it.You need to revalidate on the server, no matter what.

评论 #41977963 未加载

joshchernoff7 个月前

simply adding required is all you need.Not required=true The omission is equal to required=false. No one really write required=true, they just add the attribute `required` only by its self. This is one of the odd quarks about html attrsSame is true for things like disabled ect <a href="https://developer.mozilla.org/en-US/docs/Glossary/Boolean/HTML" rel="nofollow">https://developer.mozilla.org/en-US/docs/Glossary/Boolean/HT...</a>> The strings "true" and "false" are invalid values. To set the attribute to false, the attribute should be omitted altogether. Though modern browsers treat any string value as true, you should not rely on that behavior.in other words required=false may still end up making the field required. FYI.

评论 #41977693 未加载

评论 #41977601 未加载

DeathArrow7 个月前

>Imagine a username input that should be valid only if the username is not takenMaybe that is user friendly but for sure I don't like to see the backend bombarded with API calls each time an user types a letter.

评论 #41983744 未加载

评论 #41987881 未加载

评论 #41980380 未加载

评论 #41980421 未加载

threatofrain7 个月前

Ya'll may want to checkout Valibot¹ or Zod² in conjunction with something like React Hook Forms³ or the more agnostic Tanstack Forms⁴. Really sweet form validation that's concise but as precise as you want it to be.The problem with vanilla form validations are (1) they're so basic that it's table stakes for any library or framework in this space, even ChatGPT can do it well, (2) there's an enormous amount of other validation scenarios they don't cover, and (3) unless your validation is simple and doesn't require a validation library, now your logic is split between two places.[1]: <a href="https://valibot.dev/guides/comparison/" rel="nofollow">https://valibot.dev/guides/comparison/</a>[2]: <a href="https://zod.dev/?id=basic-usage" rel="nofollow">https://zod.dev/?id=basic-usage</a>[3]: <a href="https://www.react-hook-form.com/get-started/#SchemaValidation" rel="nofollow">https://www.react-hook-form.com/get-started/#SchemaValidatio...</a>[4]: <a href="https://tanstack.com/form/latest/docs/framework/react/quick-start" rel="nofollow">https://tanstack.com/form/latest/docs/framework/react/quick-...</a>

评论 #41983816 未加载

edweis7 个月前

The best native HTML validation is server-side validation.The only downside: the user has to wait 300ms.

评论 #41979921 未加载

评论 #41980809 未加载

评论 #41984491 未加载

acdha7 个月前

I share the wish that there was more effort in the browser space to improve the built-in controls but I would also recommend that people thinking they can easily do better try some real usability and especially accessibility testing. One very nice trait of the standard APIs are that they’re very lightweight and people who build assistive tools like screen readers and Braille displays know about and support them.It is so easy for developers to think they have something better after a simple NPM install, until they test it on a slow (i.e. median) phone or watch a blind person try to use their application and then spend weeks trying to improve things. Given how common web forms are it’d be really nice if we had an Interop-style competition focused on making the out of the box experience better for normal people both for the controls integrated in browsers and the myriad of JavaScript widgets.

montag7 个月前

It's also easily misused. Take the regular expression validator for passwords on the California DMV website, for example. The website states "Must include at least 4 alpha characters". But the validation pattern<pre><code> ^(?=(.*[a-zA-Z]){4,})(?=.*[0-9!#$%]).+$ </code></pre> requires that these characters appear consecutively.

评论 #41978497 未加载

评论 #41983956 未加载

评论 #41978459 未加载

rado7 个月前

Bizarrely, url validation requires the <a href="https://" rel="nofollow">https://</a> prefix

CRConrad6 个月前

One gets the feeling HTML in general is underused, since everything has been done in JavaScript for... How long now, at least over a decade?It's gone so far that some peole claim React (and probably other frameworks too) is "a language"; they apparently don't even know it's just a JavaScript library.

gunalx7 个月前

I do get the point of using form validation clientside to ensure a better ui.But dont remenber to also verify serverside. Anything clientside can have been fumbeled with. (Also kinda anoying to have to duplicate this tho)

评论 #41978429 未加载

评论 #41978160 未加载

评论 #41978995 未加载

SahAssar7 个月前

It's a bit disappointing that articles talking about HTML use JSX/React syntax instead of actual HTML (even more so not actually saying it). Example from the article:<pre><code> <input required={true} /></code></pre>

评论 #41978384 未加载

评论 #41979188 未加载

评论 #41983268 未加载

评论 #41984114 未加载

woodpanel7 个月前

once you grasp the ergonomics of setCustomValidity() you can go crazy e.g. pass it a multitude of validation rules per input field.unfortunately you’re sort of back to square one if you want to implement warnings (ie suboptimal inputs but still workable).Edit: While grasping the ergonomics produces euphoria like solving a complex puzzle it’s also a hint at the pain un-initiated colleagues will feel when tasked with maintaining the code.

wvenable7 个月前

After reading all this, I think I'd still choose to do it away from the browser built in capabilities. I'd rather have full control over the process and the design than rely on the limited capabilities of browsers.The browser is programmable; at this point they should stop getting clever about adding built-in functionality and instead just expose better ways to use the browser as a dumb UI toolkit.

评论 #41977801 未加载

评论 #41984401 未加载

评论 #41984626 未加载

stonethrowaway7 个月前

No it isn’t. It fucking sucks. Most everyone who learns HTML comes across the validation attributes, the god awful built in date pickers and other shit, and they throw it out in favour of custom built better UX implementations. Maybe in the past we would have been clueless because, well, they didn’t exist, but today they do. And they’re junk.Call spade a spade. Don’t call it heavily underused.

评论 #41986215 未加载

account427 个月前

The last example is bad. You shouldn't scream at your users before they even had a chance to enter the required information so the second password field should not be marked red until the user either is done entering text there (onblur) or tries to submit the form.

评论 #41983787 未加载

评论 #41982137 未加载

4rt7 个月前

this is just react though. it's not HTML validation.

评论 #41984240 未加载

jonathrg7 个月前

That's nice, I'll use that next time. Although it always feels kind of bad to write client side validation code because you're going to have to do the same checks on the server side anyway.

评论 #41977730 未加载

评论 #41977514 未加载

评论 #41978003 未加载

评论 #41977810 未加载

评论 #41979157 未加载

yakshaving_jgt7 个月前

> Using other input attributes that create constraints, such as "pattern" or "maxlength"No. Don't use the maxlength attribute.<a href="https://adamsilver.io/blog/dont-use-the-maxlength-attribute-to-stop-users-from-exceeding-the-limit/" rel="nofollow">https://adamsilver.io/blog/dont-use-the-maxlength-attribute-...</a>

评论 #41984323 未加载

k__7 个月前

Built-in validation is pretty much the only reason I use forms.Capturing input with frameworks is much simpler than pulling the values out of an event object, so I'd be okay with just using input and button elements.Yet, that doesn't trigger the validation, so I end up wrapping it with a form element and using a submit button.

评论 #41982398 未加载

JodieBenitez7 个月前

Do we finally have a standard solution for input masks ? 25 years ago I was struggling with this while my fellow desktop app devs had good input masks in their widgets, with easy to use pattern syntax. That would be embarrassing if not.

评论 #41982481 未加载

Vox_Leone7 个月前

Guilty. Recently, when I was involved in a project that required a lot of attention to forms, I ended up overlooking the importance of basic simplicity. I regret it a bit. Thanks for sharing your perspective.

gtsop7 个月前

Are we seriously talking of HTML by using React examples? The article doesn't even explicitly aknowledge the fact that it is written within the context of react.

burnte7 个月前

A lot of HTML features are underused with everything being done in JS libraries now rather than using built in functions.

vips7L7 个月前

In React I just use Formik and Yup to make forms painless. I've yet to discover a better way.

jrochkind17 个月前

i'm not seeing the custom validation messages in these examples at all in Chrome. Others are?

评论 #41984252 未加载

1oooqooq7 个月前

everything html offers more exotic than playing text leaves a bad taste in the month thanks to bad implementations.yeah i can mark a field as numeric... but then when a phone renders the number only input all popular keyboards will also leave out every single clipboard buttons and helpers. url where you can also search if you type a phrase? too bad you just lost all typing correcting and prediction. it's lame and hopeless.