Solved

Regular expression for validating and/or filtering free text forms on the web?

Posted on 2010-09-03
5
363 Views
Last Modified: 2012-05-10
As I try to come up with such a thing, it strikes my mind that someone might have done it before?

I think of a Text Area in a web form - the user should be able to write as freely as possible without posing a security threat!

Example (php style):
$pattern="/^[\w\s]+$/";

-This would be a bit to hard on the user, as it'd only allow letters, numbers, whitespace and _ !

-Line breaks should also be allowed
0
Comment
Question by:davidsperling
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
5 Comments
 
LVL 75

Expert Comment

by:käµfm³d 👽
ID: 33597291
"\s" includes newlines, carriage returns, and vertical tabs in addition to spaces.
0
 
LVL 75

Expert Comment

by:käµfm³d 👽
ID: 33597306
Perhaps you should modify your pattern to check for what isn't allowed--namely the negation of what you currently have:
$pattern="/[^\w\s]/";

Open in new window

0
 
LVL 4

Author Comment

by:davidsperling
ID: 33597764
This is what I have right now in the beautiful language php (with ZF)..

/**
 * A validator to apply on general free text fields to avoid XSS etc...
 * http://framework.zend.com/manual/en/zend.validate.writing_validators.html
 */
class validator_ZendValidateFreeTextGeneral extends Zend_Validate_Abstract
{
    const ILLEGALTEXT='illegaltext';
    protected $_messageTemplates = array(
        self::ILLEGALTEXT => "Text contains forbidden characters."
    );

    public function isValid($value)
    {
        $pattern="/^[\w\s!?\-\.,&;åäöÅÄÖ]+$/";
        if(!preg_match($pattern, $value))
        {
            $this->_error();
            return false;
        }

        return true;
    }

}

Open in new window

0
 
LVL 13

Accepted Solution

by:
Carl Bohman earned 500 total points
ID: 33597802
>the user should be able to write as freely as possible without posing a security threat

There are a lot of different threats, depending on how you use the data.  In most cases of free-form text, you are safest by providing protection at the point where the data is being used.  Here are some examples:

If you are going to be adding the text to a URL, it will need to be escaped so that characters like =, &, ?, and white space (especially carriage return) don't cause issues.

If you are going to be displaying the text on a web page, then you need to watch out for characters like <, >, and &.

If you are going to be inserting the data into a database, then you need to worry about quote characters (' and ") that could be used to break out of the SQL statement and allow the user to run arbitrary SQL statements.  (Of course, there are better ways of protecting against this type of attack, such as using parameterized SQL statements.)

Unless you know exactly how the data is going to be used, it is difficult to determine a generic filter at time of entry.  You may also be leaving yourself open to attacks that figure out a way to bypass your validation routine.

If your intention really is to have free-form text, I would recommend sanitizing the data as needed at every point where you are using it.
0
 
LVL 13

Assisted Solution

by:Carl Bohman
Carl Bohman earned 500 total points
ID: 33597864
Some basic things not allowed by your code:
and/or
(parenthetical statements)
$currency
percentages%
simple+math=equations
"favorite quotes"
posessives: Mary's
contractions: don't
0

Featured Post

More Than Just A Video Library

Train for your certification. Learn the latest DevOps tools. Grow your skillset to do better work.

At Linux Academy, we release new training modules every week so you'll always be up to date on the latest tech.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A hard and fast method for reducing Active Directory Administrators members.
I was prompted to write this article after the recent World-Wide Ransomware outbreak. For years now, System Administrators around the world have used the excuse of "Waiting a Bit" before applying Security Patch Updates. This type of reasoning to me …
The viewer will learn how to look for a specific file type in a local or remote server directory using PHP.
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

690 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question