I am currently using client-side HTML validation for all my forms. This includes things like Quantity must be a positive integer and Price must be non-zero. I have enforced this on the client-side, and am also doing it on the server side. But now I am wondering whether it is worth the effort of adding error messages to each field of the form, or just return a HTTP 400 Bad Request/HTTP 422 Unprocessable Entity.
Is it alright to treat any data that has snuck past client-side validation as malicious, or are there situations where a client might input bad data that will unintentionally pass the client-side validations?
(Note: I am not using any javascript, just the HTML pattern, min, max attributes in input tags.)
The client-side validation shows pretty error messages when it fails. Should the server-side validation do the same, or return a generic HTTP error page?
Only if the browser does not support the validation attribute you use. According to caniuse, the pattern attribute is currently supported in all current desktop browers, but not all mobile browsers.
That is, if you are targeting current desktop browsers, server side errors will only be shown to malicious users, and there is no reason to go out of your way to give helpful error messages. On the other hand, if you are in a mobile market, you might want to add helpful error messages for the poor souls using less capable browsers.