I don't think you understood Roedy's point: what he said is that the server
should certainly repeat all validation that is security-critical, but
doesn't need to repeat the stuff that is basically just meant to protect
users from their own mistake, catch typos, and stuff like that.

That is not what I am saying, but close. The point is if the client
massages the data into binary form, then there ARE almost no edits the
server CAN do. You don't send the original raw keystrokes. You send
BINARY data. The server can be 100% safe with duplicating only a tiny
fraction of the validation work that was done in the client.

Let me give a few more examples of the principle.

Let us say you had to key in a country name in the client, and ensure
it was in an official list of countries. The client may/may not allow
country abbreviations, misspellings, selection from a pulldown, allow
you to key part of the name and then select alternatives. Quite a
production. But when you are done, the client software can boil it
down to a single byte containing a country index.
All the server need do is a range check on that byte. EVERYTHING ELSE
is irrelevant at that point.

Ditto for a state of the union, province in Canada, date, credit card
number, SIN number, ...

Imagine a client software validation that helped you key a Canadian
telephone number, and insisted you get it in a particular format e.g.
(250) 361-9093. It might let you key letters of the alphabet and have
those automatically converted into the equivalent keypad digit
internally. The client software cross checks the number with the
province and queries the user if they really meant an out of province
area code. The client insists however on valid Canadian area codes, or
the 800 series. It may disallow the 555 exchange as silly. The client
boils this down to a single binary number and sends that to the
server.

All the server has to do is check the bounds. The other checks are
irrelevant to security, just to aid accuracy. The server might want
to revalidate that the area code is Canadian, but it is irrelevant if
it is out of province. If the server discovers an invalid Canadian
area code, it has detected a tampering attempt and should ring some
alarms.

My point is there really is very little duplication of effort. The
server operates on massaged data, so it can do its final check very
quickly without any security risk. There is no need at all to repeat
the keystroke validations. A bounds check can be done with a
microscopic server overhead compared with what the thin client folks
do sending in all the raw keystrokes.
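The server side of the scheme described in the post, written out as an added example (this is not Roedy's code and not from any project he mentions). The country table and the set of accepted area codes are constructed sample data; the 250 area code and the (250) 361-9093 number come from the post itself, the rest are placeholders. The server receives only the compact forms (a country index byte and a 10-digit number packed into one integer), performs the bounds and membership checks that matter for security, treats anything outside those bounds as tampering, and deliberately does not repeat the accuracy-only checks (out-of-province prompt, 555 exchange) that the client handled.

```python
"""Server-side re-check of client-compacted fields (constructed example)."""

# Constructed sample country table. The client sends the index, never the name.
COUNTRIES = ("Canada", "United States", "Mexico", "United Kingdom")

# Constructed, deliberately incomplete sample of area codes the server accepts.
# 250 is the code used in the post; 800 stands in for the toll-free series.
KNOWN_AREA_CODES = frozenset({"250", "604", "416", "514", "800"})


class TamperDetected(ValueError):
    """Raised when a value arrives that the client's validation could never produce."""


def check_country_index(index: int) -> str:
    """Single-byte country index: a range check is the entire server-side validation."""
    if not 0 <= index < len(COUNTRIES):
        raise TamperDetected(f"country index {index} out of range")
    return COUNTRIES[index]


def check_phone_number(packed: int) -> str:
    """10 digits packed into one integer by the client; server re-checks bounds only.

    The area code is re-validated because an unknown code can only mean tampering.
    Out-of-province area codes and the 555 exchange are accuracy aids handled on
    the client and are intentionally NOT re-checked here.
    """
    if not 0 <= packed < 10**10:
        raise TamperDetected("packed phone number outside 10-digit range")
    digits = f"{packed:010d}"
    area = digits[:3]
    if area not in KNOWN_AREA_CODES:
        raise TamperDetected(f"area code {area} is not an accepted Canadian/800 code")
    return f"({area}) {digits[3:6]}-{digits[6:]}"


def accept_submission(country_index: int, phone_packed: int) -> dict:
    """Server entry point: bounds and membership checks only, no keystroke parsing."""
    return {
        "country": check_country_index(country_index),
        "phone": check_phone_number(phone_packed),
    }


def is_tampered(country_index: int, phone_packed: int) -> bool:
    """True when the submission trips one of the server's security checks (ring the alarm)."""
    try:
        accept_submission(country_index, phone_packed)
    except TamperDetected:
        return True
    return False


if __name__ == "__main__":
    # Constructed submissions: one honest, one with an out-of-range country byte.
    print(accept_submission(0, 2503619093))
    print("tampered:", is_tampered(7, 2503619093))
```

The honest submission passes with a handful of integer comparisons and one set lookup, which is the "microscopic server overhead" the post describes; a 416 (out-of-province for BC) number or a 555 exchange is accepted by the server because those checks protect the user, not the system, while an index past the table or an unknown area code is treated as a tampering signal rather than a user error.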