If you’ve built a HTML form at any point in the last few years, you’re probably aware that there is limited validation built-in to modern browsers. For example, you can make a form field compulsory by adding the required attribute:
<input type="text" required>
Or you can specify that a field must contain an email address by setting the type attribute:
<input type="email">
The benefits of these validation options are that they have no external dependencies and they avoid a request to your application, so they tend to respond very quickly. However, as they are under the control of the client application, they can’t be trusted and should be used in addition to, and not as a replacement for, server-side validation.
But what happens if you want to skip the browser-based validation and test your server-side validation? Fortunately there’s a simple attribute, novalidate, that you can apply to the entire form:
<form action="process.php" method="POST" novalidate>
Of course, the fact that it is possible to disable validation in this way is a prime example of why you shouldn’t rely on it…