20 January 2007

Whitelist madness

Whitelists (for input validation) seems to have become one of those buzz words that your online product must have. A whitelist is a system that only allows users to enter a specific set of characters and is designed to mitigate the risk posed by potential security holes in a program. The problem is that they are often applied over-zealously and have the result of frustrating people to no end. Like me!

The other day I set up an automatic payment of rent through my online bank site. I needed to enter my name and street address in the reference field "Aylett - 12/34 Nowhere St" would have been nice. (Details changed to protect the innocent).

However, due to an uppercase-alpha-numeric whitelist and an 18 character limit, all I could enter was "AYLETT13 25NOWHERE". Insane! I hope they're finding my rent money.

So, if you're writing a whitelist, here are some things to keep in mind:
  1. O'Conner would like you to allow apostrophes.
  2. Marie-anne would like you to allow dashes.
  3. Jack & Jill have a joint account and would like the ampersand.
  4. CĂ©leste has a French keyboard, would like accents, and gets insulted when her name is spelt wrong. (Whitelists and globalization/localization really don't mix very well in general).
  5. Phone numbers don't all look like 12345678. Some look like +(61) 2 1243-5678#*9
  6. People generally can't choose their postal address, and these can contain pretty much anything.
  7. Some people express themselves in strange and geeky ways.
  8. It's generally bad for business to annoy your customers.
I'm not saying don't use whitelists. But please, will someone please think of the users. (To be read in a Helen Lovejoy voice).

2 comments:

Anonymous said...

I want to quote your post in my blog. It can?
And you et an account on Twitter?

Anonymous said...

I really like your blog and i really appreciate the excellent quality content you are posting here for free for your online readers. thanks peace claudia.