ToolKit

QA & Testing

Form Test Data Generator

Build your form in the constructor, get 12 test case categories per field: valid input, invalid format, boundary min/max, below/above limits, empty, special characters, XSS payloads, SQL injection, oversized, and Unicode. Export as CSV, JSON, or Markdown for Cypress, Playwright, or manual testing.

Related guides

API Response Testing: Writing Effective Assertions for REST APIs
Flaky API tests almost always fail because of weak assertions. This guide covers how to write assertion strategies that catch real regressions without breaking on irrelevant changes — including type checking, schema validation, and the patterns that catch real bugs.
SQL Injection Prevention: A Developer's Complete Guide
SQL injection has topped the OWASP Top 10 for over a decade. This guide explains how attacks work at the query level, the defences that actually stop them, and how to test your own code for vulnerabilities.
Generating Test Data: A Practical Guide for Developers
How to create realistic test data for unit tests, integration tests, and staging environments — covering data types, edge cases, boundary values, and the tools that automate generation.
Playwright and Cypress Selector Strategies: Writing Tests That Don't Break
How to choose stable locators for Playwright, Cypress, and Selenium — covering ARIA roles, data-testid, CSS selectors, and XPath with practical examples and a quality rating framework.

What Test Cases Are Generated and Why

Manual form testing typically covers two scenarios: the happy path (valid data that the form accepts) and one or two obvious error cases (empty required field, wrong email format). That leaves ten categories of inputs untested — and those are the ones that cause real production bugs, security vulnerabilities, and database errors.

This tool generates 12 test case categories for every field in your form. Each category targets a different class of bug:

CategoryWhat it testsBug class it catches
Valid (happy path)Correctly formatted input in the middle of the allowed rangeBaseline — should always pass
Invalid formatWrong type (text where number expected, invalid email, non-boolean)Missing or incorrect format validation
Boundary minimumExact minimum value or exact minimum lengthOff-by-one errors in validation (e.g., minLength=3 rejects 3 chars)
Boundary maximumExact maximum value or exact maximum lengthOff-by-one errors (e.g., maxLength=20 rejects 20 chars)
Below minimumOne less than minimum value / one character shortValidation not enforced at the lower bound
Above maximumOne more than maximum value / one character overValidation not enforced at the upper bound; database column truncation
Empty / nullEmpty string, null, false for checkboxesMissing required-field validation; null pointer exceptions in backend
Special characters<>"'&\/;{} and control charactersImproper escaping; broken HTML output; CSV injection
XSS payload<script>alert(1)</script> and img onerror variantsMissing output escaping; stored XSS vulnerabilities
SQL injection' OR '1'='1 and DROP TABLE payloadsNon-parameterized SQL queries; classic injection vulnerabilities
Oversized10 000 characters / 309-digit numbersMissing maxLength validation; database VARCHAR overflow; server body size limits
Unicode / emojiCJK characters, Arabic RTL, emoji, zero-width charactersUTF-8 encoding bugs; incorrect string length counts; broken UI layout with RTL text

How to Use the Generated Data

The most effective workflow depends on whether your team does manual testing or automated testing — or both.

Manual testing workflow

  1. Build your form in the constructor above (add fields, set types and constraints).
  2. Open your application's form in the browser alongside this tool.
  3. Click any cell in the table to copy its value to your clipboard.
  4. Paste it into the corresponding field and submit.
  5. Verify the application's response matches expectations: valid data is accepted, invalid data shows the correct error message, XSS payloads are not executed.

The table is organized by row (test category) and column (field), so you can run one category across all fields at once, or one field across all categories. Both approaches are valid depending on whether you're doing horizontal (cross-field) or vertical (per-field) test coverage.

Automated testing with Cypress

Export the test data as CSV, place it in your cypress/fixtures/ folder, then use it in a data-driven test:

// cypress/e2e/form.cy.ts
import Papa from 'papaparse';

describe('Registration form', () => {
  before(() => {
    cy.fixture('test-data.csv').then(raw => {
      const { data } = Papa.parse(raw, { header: true });
      Cypress.env('testCases', data);
    });
  });

  it('handles all test categories for email field', () => {
    Cypress.env('testCases').forEach(row => {
      cy.visit('/register');
      cy.get('[name="email"]').type(row.email);
      cy.get('[type="submit"]').click();

      if (row._category === 'Valid (happy path)') {
        cy.url().should('include', '/dashboard');
      } else {
        cy.get('.error-message').should('be.visible');
      }
    });
  });
});

Automated testing with Playwright

// tests/form.spec.ts
import { test, expect } from '@playwright/test';
import { parse } from 'papaparse';
import fs from 'fs';

const raw = fs.readFileSync('tests/fixtures/test-data.csv', 'utf-8');
const { data } = parse<Record<string, string>>(raw, { header: true });

for (const row of data) {
  test(`form — ${row._category}`, async ({ page }) => {
    await page.goto('/register');
    await page.fill('[name="email"]', row.email);
    await page.fill('[name="username"]', row.username);
    await page.click('[type="submit"]');

    if (row._category === 'Valid (happy path)') {
      await expect(page).toHaveURL(/dashboard/);
    } else {
      await expect(page.locator('.error')).toBeVisible();
    }
  });
}

Field Types and What Gets Generated Per Type

Each field type maps to a specific set of test values per category. Here is the reference for the most important field types and their edge-case behaviours:

Email

Email validation is notoriously hard to get right. RFC 5321 allows addresses up to 254 characters total, with a 64-character local part and a 255-character domain. Common validator mistakes include: rejecting valid plus-addressing (user+tag@example.com), rejecting subdomains, or accepting strings that are structurally valid but have no TLD. The Boundary max case sends a 254-character address to verify your validator handles the RFC limit, not an arbitrary shorter limit.

XSS payload for email: "><script>alert(1)</script>@x.com — this tests whether your application escapes the email value before rendering it in HTML (e.g., in a confirmation email preview or admin panel).

Number

The boundary and range cases use the exact min and max values you configure. The Invalid format case sends the string abc to test that your backend validates type, not just the frontend. The Special characters case sends 1e308 (larger than JavaScript's Number.MAX_VALUE) to test floating-point overflow. The Oversized case sends 309 digits — more than a 64-bit float can represent — to test integer overflow in server-side code.

Password

The Boundary minimum case sends exactly minLength characters, which is the most common place for off-by-one errors in password validators. The Unicode case sends P@$$w0rd™️🔐 — emoji in passwords are valid UTF-8 and should be accepted, but they cause issues with bcrypt implementations that silently truncate at 72 bytes (bcrypt's internal limit), meaning two passwords that look different might hash to the same value.

Select / dropdown

The most important test for select fields is the Invalid format case, which sends INVALID_OPTION — a value not in the options list. This tests whether your backend validates the enum value server-side, or whether it trusts the frontend select element. Frontend validation is bypassed trivially with browser DevTools or a direct API call; backend validation is mandatory.

Edge Cases Your Form Validation Should Handle

Beyond the 12 generated categories, here is a checklist of edge cases that break most custom validation logic:

  • Whitespace-only strings: " " passes if (value) checks in many languages because a non-empty string is truthy. Always trim and check length after trimming.
  • Zero-width characters: Unicode U+200B (zero-width space), U+200C (zero-width non-joiner), and U+200D (zero-width joiner) are invisible in most UIs but count as characters in string length. A username of "user​" (with zero-width space) and "user" look identical but are different strings.
  • Null bytes: The character U+0000 (null byte) terminates strings in C-based backends. Sending a null byte in a form field can truncate string values or bypass length checks in languages that use C string functions.
  • Newlines in single-line fields: Text inputs accept \n via programmatic input even when the browser UI shows one line. A first-name field containing a newline can break CSV exports, email headers (CRLF injection), and single-line database columns.
  • Surrogate pairs: Emoji like 😀 are encoded as surrogate pairs in UTF-16, so "😀".length === 2 in JavaScript despite being one visible character. A maxLength=10 validator using .length will allow 5 emoji (10 code units) even though the user sees only 5 characters, potentially overflowing a database column sized for 10 characters.
  • Right-to-left override character: U+202E forces right-to-left text direction for all following characters. Used in filenames and form fields to disguise gpj.exe as exe.jpg (reversed). Test especially on file name fields and user-display fields.
  • The number -0: In IEEE 754 floating point, -0 === 0 is true, but Object.is(-0, 0) is false. Some serializers produce "-0" in JSON; some parsers treat it as zero, others as a negative zero. Test number fields with -0 if your backend does financial or physics calculations.
  • Date edge cases: February 29 only exists in leap years. January 1, 1970 (Unix epoch) and December 31, 9999 (common max date) can trigger parsing errors in date libraries that don't handle extremes. Test date fields with 2024-02-29 (valid leap date), 2023-02-29 (invalid — 2023 is not a leap year), 1970-01-01, and 9999-12-31.

FAQ

Common questions

What is the difference between this tool and a mock data generator?

A mock data generator produces many rows of realistic-looking data for the same fields (e.g., 100 users). This tool produces 12 test case categories for the same fields — one row per scenario. The goal is not volume but coverage: valid input, invalid format, boundary values, security payloads, empty strings, and Unicode edge cases. Use mock data for database seeding; use this tool for writing test cases.

What are boundary minimum and maximum test cases?

Boundary testing (also called boundary value analysis) tests the exact edges of the allowed range, not just the middle. For a field with minLength=3 and maxLength=20, boundary min sends exactly 3 characters and boundary max sends exactly 20. These are the values most likely to expose off-by-one errors in validation logic — validators often fail at exactly the boundary while passing values just inside it.

Why does the tool generate XSS and SQL injection payloads?

Security fields are part of a complete form test suite. XSS payloads (like <script>alert(1)</script>) test whether your application escapes output properly before rendering it in HTML. SQL injection strings (like ' OR '1'='1) test whether your database queries use parameterized statements. These are the two most common injection vulnerabilities in web forms (OWASP Top 10). Always run these against a test environment, never against production.

How do I use the CSV export in Cypress or Playwright?

Download the CSV, place it in your test fixtures folder, then load it in your test: in Cypress use cy.fixture('test-data.csv') or a CSV parse library; in Playwright use fs.readFileSync and a CSV parser like papaparse. Each row in the CSV is one test case category. Iterate over rows with a data-driven test (cy.wrap or test.each in Playwright) to run all 12 scenarios automatically without hand-writing each case.

What does the "oversized" test case check?

The oversized case sends 10 000 characters (or 309 digits for number fields) to test that your application handles input longer than any reasonable real-world value. Validators that only check minimum length often forget maximum length. Databases with VARCHAR(255) columns will truncate or throw errors on oversized input. Some servers have default request body size limits (e.g., 1MB in Express) that oversized payloads can trigger.

Why is Unicode / emoji a separate test category?

Unicode characters expose a class of bugs that ASCII-only test data never surfaces: multi-byte UTF-8 sequences can break string length calculations (JavaScript's .length counts UTF-16 code units, not visual characters), right-to-left text can break UI layout, zero-width characters (U+200B, U+200C, U+200D) are invisible but still present, and some databases reject certain Unicode ranges depending on collation. Emoji like 😀 are encoded as surrogate pairs in UTF-16, which breaks naive string slicing.

Can I add custom field types not in the dropdown?

The current field types cover the most common HTML form inputs: text, email, password, number, phone, URL, date, select, textarea, and checkbox. Custom field types like IBAN, credit card, postcode, or colour pickers are not yet available. For these, use the "text" type with the appropriate min/max length constraints and supplement with manually written test cases for the format-specific rules.

Is any data I enter sent to a server?

No. The tool runs entirely in your browser using JavaScript. Field names, types, and constraints are never sent anywhere. You can verify this by opening DevTools → Network while using the tool — you will see zero outbound requests. The tool works offline.

More in QA & Testing

Mock Data Generator
Generate realistic fake data for testing
Live
CSS Selector Generator
Generate Playwright, Cypress, CSS, and XPath selectors from any HTML snippet
Live
API Assertion Builder
Paste JSON → get Jest, Playwright, pytest, and Supertest assertions
Live