I've tried to keep up with new HTML5 features, but Billy recently pointed out that input tags now carry a 'pattern' attribute that lets you declare a regular expression for validation directly in the markup. I think this is nifty and, at least in the demo I tried, a very user-friendly and pretty way to tell the user they've entered a bad value. There are also special input types for numbers, dates, times, URLs, email addresses and more.
However, I think there's a significant risk that we'll see many developers treating the 'pattern' attribute (and possibly the typed fields) in the markup as the only form of input validation in their application. That may seem ridiculous in this day and age, but you know it's not. We still regularly see people relying on client-side filtering via maxlength attributes or JavaScript.
This new restriction, with its fancy-pants regular expression, may well give people a false sense of security when it comes to tainted input. The pattern is enforced by the browser and only by the browser; anyone with curl or an intercepting proxy can send the server whatever bytes they like, and the markup never enters into it. As fresh developers and technologies enter the arena, old problems will be slapped with a coat of paint and sold as new. So, when talking to your clients, developers and friends, remember to reinforce the mantra:
Never rely on client-side security.
What do you think? Will the 'pattern' option and field types help or hinder actual application security?
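To make the mantra concrete, here is an added example (not code from the original post) of what the server side of such a form should do: re-check every field against the same rules the markup declares, working only from the raw request body, since that body is all the server can trust. The field names, patterns and limits are hypothetical. It also shows a gotcha for anyone who copies the 'pattern' value straight to the server: HTML5 applies the attribute to the whole value, as ^(?:pattern)$, so the server-side regex must be anchored the same way or it will match substrings.

```javascript
// Added example, not part of the original post. Field names, patterns
// and limits are hypothetical; they stand in for what a form might declare:
//   <input name="zip"   pattern="[0-9]{5}">
//   <input name="email" type="email">
//   <input name="qty"   type="number" min="1" max="10">
const FORM_RULES = {
  zip:   { pattern: '[0-9]{5}' },
  email: { type: 'email' },
  qty:   { type: 'number', min: 1, max: 10 },
};

// HTML5 matches the pattern attribute against the entire value, i.e. as
// ^(?:pattern)$. A server that copies the pattern without the anchors
// accepts '12345; DROP TABLE users' for pattern '[0-9]{5}'.
function compilePattern(pattern) {
  return new RegExp('^(?:' + pattern + ')$');
}

// Deliberately simple email shape check; confirm the address by mail for real.
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;

function validateField(rule, values) {
  // Exactly one value per field: missing and repeated fields are both rejected.
  if (values.length !== 1) return false;
  const value = values[0];
  if (rule.pattern && !compilePattern(rule.pattern).test(value)) return false;
  if (rule.type === 'email' && !EMAIL_RE.test(value)) return false;
  if (rule.type === 'number') {
    if (!/^-?\d+(\.\d+)?$/.test(value)) return false;   // digits only, no 'Infinity'
    const n = Number(value);
    if (rule.min !== undefined && n < rule.min) return false;
    if (rule.max !== undefined && n > rule.max) return false;
  }
  return true;
}

// Check a decoded body against the rules; fields the form never declared
// are rejected as well rather than silently passed through.
function validateForm(rules, body) {
  const errors = {};
  for (const [name, rule] of Object.entries(rules)) {
    if (!validateField(rule, body.getAll(name))) errors[name] = 'invalid';
  }
  for (const name of body.keys()) {
    if (!(name in rules)) errors[name] = 'unexpected';
  }
  return errors;
}

// Server-side entry point: the raw application/x-www-form-urlencoded body,
// exactly what arrives on the wire, whether a browser or curl produced it.
function handlePost(rawBody) {
  const body = new URLSearchParams(rawBody);
  const errors = validateForm(FORM_RULES, body);
  return Object.keys(errors).length === 0 ? { ok: true } : { ok: false, errors };
}

// Constructed sample bodies. The second is what an attacker sends directly,
// with no browser and therefore no pattern attribute in the loop.
const GOOD   = 'zip=94107&email=a%40example.com&qty=3';
const BYPASS = 'zip=94107%3B+DROP+TABLE+users&email=not-an-email&qty=9999';

console.log(handlePost(GOOD));    // { ok: true }
console.log(handlePost(BYPASS));  // { ok: false, errors: { zip, email, qty } }
```

The same rules now live in two places, which is exactly the point: the markup copy is for the user's convenience, the server copy is the one that counts.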
Posted 09-17-2009 2:01 PM by Chris Sullo