Comment by lukan
If you really ask me, I don't build forms that accept strings as dates from users. There is a date picker element, that can be restricted and validated.
If you really ask me, I don't build forms that accept strings as dates from users. There is a date picker element, that can be restricted and validated.
That's why I wrote, "validated"
And there can also be man in the middle attacks or whatever, the efforts you do for validation depends still on your task at hand. How critical an error would be.
But even for the most trivial tasks I would never think of passing some user strings to Date and expect to get a valid value.
You still need to do some validation of the input because it's difficult to impossible (in many cases) to be absolutely sure the input you receive only comes from your validated form. Even code running entirely within the browser can receive broken/malicious input from an extension, user script, or even the host OS.
It can be a bit belt and suspenders doing validation of specific forms but shit happens. It's much better to catch stuff before it's persisted on the back end or on disk.