Solved

Regular expression for validating and/or filtering free text forms on the web?

Posted on 2010-09-03
5
358 Views
Last Modified: 2012-05-10
As I try to come up with such a thing, it strikes my mind that someone might have done it before?

I think of a Text Area in a web form - the user should be able to write as freely as possible without posing a security threat!

Example (php style):
$pattern="/^[\w\s]+$/";

-This would be a bit to hard on the user, as it'd only allow letters, numbers, whitespace and _ !

-Line breaks should also be allowed
0
Comment
Question by:davidsperling
  • 2
  • 2
5 Comments
 
LVL 74

Expert Comment

by:käµfm³d 👽
ID: 33597291
"\s" includes newlines, carriage returns, and vertical tabs in addition to spaces.
0
 
LVL 74

Expert Comment

by:käµfm³d 👽
ID: 33597306
Perhaps you should modify your pattern to check for what isn't allowed--namely the negation of what you currently have:
$pattern="/[^\w\s]/";

Open in new window

0
 
LVL 4

Author Comment

by:davidsperling
ID: 33597764
This is what I have right now in the beautiful language php (with ZF)..

/**
 * A validator to apply on general free text fields to avoid XSS etc...
 * http://framework.zend.com/manual/en/zend.validate.writing_validators.html
 */
class validator_ZendValidateFreeTextGeneral extends Zend_Validate_Abstract
{
    const ILLEGALTEXT='illegaltext';
    protected $_messageTemplates = array(
        self::ILLEGALTEXT => "Text contains forbidden characters."
    );

    public function isValid($value)
    {
        $pattern="/^[\w\s!?\-\.,&;åäöÅÄÖ]+$/";
        if(!preg_match($pattern, $value))
        {
            $this->_error();
            return false;
        }

        return true;
    }

}

Open in new window

0
 
LVL 13

Accepted Solution

by:
Carl Bohman earned 500 total points
ID: 33597802
>the user should be able to write as freely as possible without posing a security threat

There are a lot of different threats, depending on how you use the data.  In most cases of free-form text, you are safest by providing protection at the point where the data is being used.  Here are some examples:

If you are going to be adding the text to a URL, it will need to be escaped so that characters like =, &, ?, and white space (especially carriage return) don't cause issues.

If you are going to be displaying the text on a web page, then you need to watch out for characters like <, >, and &.

If you are going to be inserting the data into a database, then you need to worry about quote characters (' and ") that could be used to break out of the SQL statement and allow the user to run arbitrary SQL statements.  (Of course, there are better ways of protecting against this type of attack, such as using parameterized SQL statements.)

Unless you know exactly how the data is going to be used, it is difficult to determine a generic filter at time of entry.  You may also be leaving yourself open to attacks that figure out a way to bypass your validation routine.

If your intention really is to have free-form text, I would recommend sanitizing the data as needed at every point where you are using it.
0
 
LVL 13

Assisted Solution

by:Carl Bohman
Carl Bohman earned 500 total points
ID: 33597864
Some basic things not allowed by your code:
and/or
(parenthetical statements)
$currency
percentages%
simple+math=equations
"favorite quotes"
posessives: Mary's
contractions: don't
0

Featured Post

What Is Threat Intelligence?

Threat intelligence is often discussed, but rarely understood. Starting with a precise definition, along with clear business goals, is essential.

Join & Write a Comment

Many companies are looking to get out of the datacenter business and to services like Microsoft Azure to provide Infrastructure as a Service (IaaS) solutions for legacy client server workloads, rather than continuing to make capital investments in h…
Nothing in an HTTP request can be trusted, including HTTP headers and form data.  A form token is a tool that can be used to guard against request forgeries (CSRF).  This article shows an improved approach to form tokens, making it more difficult to…
This video teaches users how to migrate an existing Wordpress website to a new domain.
The viewer will learn how to dynamically set the form action using jQuery.

757 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now