Regular expression for validating and/or filtering free text forms on the web?

As I try to come up with such a thing, it strikes my mind that someone might have done it before?

I think of a Text Area in a web form - the user should be able to write as freely as possible without posing a security threat!

Example (php style):
$pattern="/^[\w\s]+$/";

-This would be a bit to hard on the user, as it'd only allow letters, numbers, whitespace and _ !

-Line breaks should also be allowed
LVL 4
davidsperlingAsked:
Who is Participating?

Improve company productivity with a Business Account.Sign Up

x
 
Carl BohmanConnect With a Mentor Commented:
>the user should be able to write as freely as possible without posing a security threat

There are a lot of different threats, depending on how you use the data.  In most cases of free-form text, you are safest by providing protection at the point where the data is being used.  Here are some examples:

If you are going to be adding the text to a URL, it will need to be escaped so that characters like =, &, ?, and white space (especially carriage return) don't cause issues.

If you are going to be displaying the text on a web page, then you need to watch out for characters like <, >, and &.

If you are going to be inserting the data into a database, then you need to worry about quote characters (' and ") that could be used to break out of the SQL statement and allow the user to run arbitrary SQL statements.  (Of course, there are better ways of protecting against this type of attack, such as using parameterized SQL statements.)

Unless you know exactly how the data is going to be used, it is difficult to determine a generic filter at time of entry.  You may also be leaving yourself open to attacks that figure out a way to bypass your validation routine.

If your intention really is to have free-form text, I would recommend sanitizing the data as needed at every point where you are using it.
0
 
käµfm³d 👽Commented:
"\s" includes newlines, carriage returns, and vertical tabs in addition to spaces.
0
 
käµfm³d 👽Commented:
Perhaps you should modify your pattern to check for what isn't allowed--namely the negation of what you currently have:
$pattern="/[^\w\s]/";

Open in new window

0
 
davidsperlingAuthor Commented:
This is what I have right now in the beautiful language php (with ZF)..

/**
 * A validator to apply on general free text fields to avoid XSS etc...
 * http://framework.zend.com/manual/en/zend.validate.writing_validators.html
 */
class validator_ZendValidateFreeTextGeneral extends Zend_Validate_Abstract
{
    const ILLEGALTEXT='illegaltext';
    protected $_messageTemplates = array(
        self::ILLEGALTEXT => "Text contains forbidden characters."
    );

    public function isValid($value)
    {
        $pattern="/^[\w\s!?\-\.,&;åäöÅÄÖ]+$/";
        if(!preg_match($pattern, $value))
        {
            $this->_error();
            return false;
        }

        return true;
    }

}

Open in new window

0
 
Carl BohmanConnect With a Mentor Commented:
Some basic things not allowed by your code:
and/or
(parenthetical statements)
$currency
percentages%
simple+math=equations
"favorite quotes"
posessives: Mary's
contractions: don't
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.