Power Pages
Secure Power Pages Forms with Validation
Implement both client-side and server-side validation to protect your Power Pages forms from malicious input.
Defense in Depth
Never trust client-side validation alone. Attackers can bypass JavaScript validation, so you need server-side checks too.
Client-Side Validation
Add custom validation using JavaScript in your Power Pages site:
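```javascript
// showError() is assumed to be defined elsewhere on the page and to
// display the message to the user.
document.querySelector("form").addEventListener("submit", function (e) {
  const email = document.getElementById("email").value;
  const phone = document.getElementById("phone").value;

  // Email validation: something@something.something, no whitespace
  const emailPattern = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
  if (!emailPattern.test(email)) {
    e.preventDefault(); // stop the submit
    showError("Please enter a valid email address");
    return;
  }

  // Phone validation: optional leading +, then at least 10 digits, spaces or hyphens
  const phonePattern = /^\+?[\d\s-]{10,}$/;
  if (!phonePattern.test(phone)) {
    e.preventDefault(); // stop the submit
    showError("Please enter a valid phone number");
    return;
  }
});
```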
Server-Side Validation
Use Dataverse business rules or plugins for critical validation:
- Create business rules on your table to validate field formats
- Use Power Automate flows triggered on record creation for complex validation
- Implement pre-validation plugins for real-time checks
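As a sketch of the plugin option, the following added example (not code from the original page) repeats the client-side email and phone checks in a Dataverse plugin, so they run on the server however the request was submitted. The class name, the contact table, the column names `emailaddress1` and `telephone1`, and the length limits are assumptions for illustration.

```csharp
using System;
using System.Text.RegularExpressions;
using Microsoft.Xrm.Sdk;

// Assumption: registered on Create and Update of the contact table, PreValidation stage.
public class ValidateContactFormPlugin : IPlugin
{
    // Same patterns as the client-side script. ECMAScript mode keeps \d and \s
    // matching what JavaScript matches; the timeout bounds evaluation time.
    private static readonly TimeSpan RegexTimeout = TimeSpan.FromMilliseconds(250);
    private static readonly Regex EmailPattern =
        new Regex(@"^[^\s@]+@[^\s@]+\.[^\s@]+$", RegexOptions.ECMAScript, RegexTimeout);
    private static readonly Regex PhonePattern =
        new Regex(@"^\+?[\d\s-]{10,}$", RegexOptions.ECMAScript, RegexTimeout);

    public void Execute(IServiceProvider serviceProvider)
    {
        var context = (IPluginExecutionContext)serviceProvider.GetService(typeof(IPluginExecutionContext));
        var tracing = (ITracingService)serviceProvider.GetService(typeof(ITracingService));

        var target = context.InputParameters.Contains("Target")
            ? context.InputParameters["Target"] as Entity : null;
        if (target == null) return;

        // Assumed column names and length limits; replace with your table's own.
        Check(target, "emailaddress1", EmailPattern, 100, "Please enter a valid email address", context, tracing);
        Check(target, "telephone1", PhonePattern, 50, "Please enter a valid phone number", context, tracing);
    }

    private static void Check(Entity target, string column, Regex pattern, int maxLength,
        string message, IPluginExecutionContext context, ITracingService tracing)
    {
        // On Update, Target holds only the submitted columns; skip absent ones.
        if (!target.Contains(column)) return;

        // Like the client script, an empty value is rejected.
        var value = target.GetAttributeValue<string>(column) ?? string.Empty;
        bool ok;
        try { ok = value.Length <= maxLength && pattern.IsMatch(value); }
        catch (RegexMatchTimeoutException) { ok = false; }
        if (ok) return;

        // Log the failure, not the submitted value, so repeated failures can be reviewed.
        tracing.Trace("Validation failed: column={0} correlation={1}", column, context.CorrelationId);
        throw new InvalidPluginExecutionException(message);
    }
}
```

Throwing `InvalidPluginExecutionException` cancels the operation and returns the message to the caller, so a record that fails the check is never written.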
Common Validations
| Field Type | Validation |
|---|---|
| Email | Format check + domain verification |
| Phone | Format + length check |
| Date | Range validation (not in past/future) |
| File Upload | File type + size limits |
| Text | Length limits + XSS prevention |
XSS Prevention
Always sanitize user input before displaying it, and write it to the page as text rather than as HTML:
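```javascript
// Never do this: the browser parses userInput as HTML, including any markup or script it carries
element.innerHTML = userInput;

// Do this instead: the value is inserted as plain text and never parsed as markup
element.textContent = userInput;
```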
Security tip: Log validation failures. Repeated failures from the same source may indicate an attack.