?
Solved

Regular expression for validating and/or filtering free text forms on the web?

Posted on 2010-09-03
5
Medium Priority
?
364 Views
Last Modified: 2012-05-10
As I try to come up with such a thing, it strikes my mind that someone might have done it before?

I think of a Text Area in a web form - the user should be able to write as freely as possible without posing a security threat!

Example (php style):
$pattern="/^[\w\s]+$/";

-This would be a bit to hard on the user, as it'd only allow letters, numbers, whitespace and _ !

-Line breaks should also be allowed
0
Comment
Question by:davidsperling
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
5 Comments
 
LVL 75

Expert Comment

by:käµfm³d 👽
ID: 33597291
"\s" includes newlines, carriage returns, and vertical tabs in addition to spaces.
0
 
LVL 75

Expert Comment

by:käµfm³d 👽
ID: 33597306
Perhaps you should modify your pattern to check for what isn't allowed--namely the negation of what you currently have:
$pattern="/[^\w\s]/";

Open in new window

0
 
LVL 4

Author Comment

by:davidsperling
ID: 33597764
This is what I have right now in the beautiful language php (with ZF)..

/**
 * A validator to apply on general free text fields to avoid XSS etc...
 * http://framework.zend.com/manual/en/zend.validate.writing_validators.html
 */
class validator_ZendValidateFreeTextGeneral extends Zend_Validate_Abstract
{
    const ILLEGALTEXT='illegaltext';
    protected $_messageTemplates = array(
        self::ILLEGALTEXT => "Text contains forbidden characters."
    );

    public function isValid($value)
    {
        $pattern="/^[\w\s!?\-\.,&;åäöÅÄÖ]+$/";
        if(!preg_match($pattern, $value))
        {
            $this->_error();
            return false;
        }

        return true;
    }

}

Open in new window

0
 
LVL 13

Accepted Solution

by:
Carl Bohman earned 2000 total points
ID: 33597802
>the user should be able to write as freely as possible without posing a security threat

There are a lot of different threats, depending on how you use the data.  In most cases of free-form text, you are safest by providing protection at the point where the data is being used.  Here are some examples:

If you are going to be adding the text to a URL, it will need to be escaped so that characters like =, &, ?, and white space (especially carriage return) don't cause issues.

If you are going to be displaying the text on a web page, then you need to watch out for characters like <, >, and &.

If you are going to be inserting the data into a database, then you need to worry about quote characters (' and ") that could be used to break out of the SQL statement and allow the user to run arbitrary SQL statements.  (Of course, there are better ways of protecting against this type of attack, such as using parameterized SQL statements.)

Unless you know exactly how the data is going to be used, it is difficult to determine a generic filter at time of entry.  You may also be leaving yourself open to attacks that figure out a way to bypass your validation routine.

If your intention really is to have free-form text, I would recommend sanitizing the data as needed at every point where you are using it.
0
 
LVL 13

Assisted Solution

by:Carl Bohman
Carl Bohman earned 2000 total points
ID: 33597864
Some basic things not allowed by your code:
and/or
(parenthetical statements)
$currency
percentages%
simple+math=equations
"favorite quotes"
posessives: Mary's
contractions: don't
0

Featured Post

Optimize your web performance

What's in the eBook?
- Full list of reasons for poor performance
- Ultimate measures to speed things up
- Primary web monitoring types
- KPIs you should be monitoring in order to increase your ROI

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The recent Petya-like ransomware attack served a big blow to hundreds of banks, corporations and government offices The Acronis blog takes a closer look at this damaging worm to see what’s behind it – and offers up tips on how you can safeguard your…
The well known Cerber ransomware continues to spread this summer through spear phishing email campaigns targeting enterprises. Learn how it easily bypasses traditional defenses - and what you can do to protect your data.
Any person in technology especially those working for big companies should at least know about the basics of web accessibility. Believe it or not there are even laws in place that require businesses to provide such means for the disabled and aging p…
The is a quite short video tutorial. In this video, I'm going to show you how to create self-host WordPress blog with free hosting service.
Suggested Courses

777 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question