Article on JavaScript Validation

Posted by Matt on Tue, Feb 12 2008

I just stumbled on this smokin' article on PHP Architect's new C7Y site. It's really some of the best PHP writing I've ever seen - even non-programmers will probably enjoy it... uh... alright, I wrote it. So please check it out.

I'm about 75% done rolling this into a CakePHP helper. And since Cake is going to re-focus on jQuery as its primary JavaScript library, there will be no excuse for not using it.

Posted in Code

6 Comments

Tarique Sani said on Feb 12, 2008
Nice - awaiting the helper - presume it will be Opened?
Marc Grabanski said on Feb 13, 2008
"It doesn't make sense to maintain two sets of validation rules. Instead, pull the rules from the same source that is used for server side validation and convert them to JavaScript for the client side."

After taking the time to think and talk this through for about a year, my opinion is that it is never a good thing to reveal server-side logic to the client for convenience's sake. Pulling regex rules from the server and putting them on the client gives hackers more information about what data they can enter. Although it is more work, I think that the client should do basic checks and then let the server do the heavy filtering.

Security by obfuscation.
Matt said on Feb 13, 2008
"Nice - awaiting the helper - presume it will be Opened?"

Yes - definitely.
Matt said on Feb 13, 2008
Hey Marc,
Interesting comment. I think you could certainly filter which rules are applied on the client side so that you're only taking the non-revealing ones. That way they're still only defined in one place.

This feels similar to the concern raised about how Cake's form naming reveals the tables and fields of the database.
Marc Grabanski said on Feb 13, 2008
Matt, that sounds like a good idea. Being able to choose which rules to expose to the client would make this a better solution in my opinion.

For kicks, I just talked with my boss about it. He said that "code validation once and use it on both client and server" has been an ongoing issue ever since people learned how to code validation on the client. He gave me the example that ASP jumped on this initially, but then realized it was a security issue and now allows you to define separate validation rules on the client and the server.
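As an added example (not code from the article, the comments, or CakePHP), the following JavaScript shows one way to reconcile the two positions above: keep a single declarative rule table, flag each rule as safe to expose or not, export only the safe, serialisable rules to the browser, and always run the full table on the server. The rule vocabulary (`required`, `maxLength`, `regex`, `custom`), the field names and the reserved-username list are all constructed for the demonstration.

```javascript
// Constructed server-only data: exposing this list to the browser would tell a
// visitor which account names exist, which is exactly the kind of "revealed
// server-side logic" the comments warn about.
const RESERVED_USERNAMES = new Set(['admin', 'root', 'support']);

// Single source of truth for validation. Rules are plain data so they can be
// serialised; `client: false` (or a `custom` rule holding a function) marks a
// rule that must never leave the server.
const RULES = {
  email: [
    { type: 'required', message: 'Email is required', client: true },
    { type: 'maxLength', max: 254, message: 'Email is too long', client: true },
    { type: 'regex', pattern: '^[^\\s@]+@[^\\s@]+\\.[^\\s@]+$', message: 'Email format is invalid', client: true },
  ],
  username: [
    { type: 'required', message: 'Username is required', client: true },
    { type: 'regex', pattern: '^[a-z0-9_]{3,20}$', message: 'Use 3-20 lowercase letters, digits or _', client: true },
    // Server-only rule: a function cannot be serialised, and the check itself is sensitive.
    { type: 'custom', check: (v) => !RESERVED_USERNAMES.has(v.toLowerCase()),
      message: 'Username is not available', client: false },
  ],
};

// Produce the JSON the page would embed for the browser: only client-flagged,
// data-only rules, with the flag and any function stripped out.
function exportClientRules(rules) {
  const out = {};
  for (const [field, list] of Object.entries(rules)) {
    out[field] = list
      .filter((r) => r.client && r.type !== 'custom')
      .map(({ check, client, ...data }) => data);
  }
  return JSON.stringify(out);
}

// Interpret one declarative rule as a predicate. The same interpreter runs on
// both sides, so there is one implementation of each rule type, not two.
function ruleToCheck(rule) {
  switch (rule.type) {
    case 'required': return (v) => v.trim().length > 0;
    case 'maxLength': return (v) => v.length <= rule.max;
    case 'regex': { const re = new RegExp(rule.pattern); return (v) => re.test(v); }
    case 'custom': return rule.check;
    default: throw new Error(`unknown rule type: ${rule.type}`);
  }
}

// Validate a submission against a rule table; returns { field: [messages] }.
// Non-string input is treated as empty so type confusion cannot skip a rule.
function validate(rules, data) {
  const errors = {};
  for (const [field, list] of Object.entries(rules)) {
    const value = typeof data[field] === 'string' ? data[field] : '';
    for (const rule of list) {
      if (!ruleToCheck(rule)(value)) {
        if (!errors[field]) errors[field] = [];
        errors[field].push(rule.message);
      }
    }
  }
  return errors;
}

// Demonstration: the browser copy accepts "admin", the server copy rejects it.
const clientRules = JSON.parse(exportClientRules(RULES));
const submission = { email: 'a@b.co', username: 'admin' };
console.log('client-side result:', validate(clientRules, submission));
console.log('server-side result:', validate(RULES, submission));
```

The browser only ever sees the JSON from `exportClientRules`, so the reserved list and the `custom` predicate never leave the server; the server re-runs `validate(RULES, ...)` on every request regardless of what the client reported, which keeps the client checks a usability feature rather than a security boundary.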
R. Rajesh Jeba Anbiah said on Feb 18, 2008
I'd prefer the JSON dumping in class attributes (and possibly extracting it with the jquery.metadata plugin). But it needs fixing core