I wanted to share a method I recently used to automatically sanitize all form inputs. I basically used this tutorial as the starting point:
https://www.chronoengine.com/faqs/54-cfv4/cfv4-validation/2675-how-can-i-sanitize-my-form-data.html
I decided to loop through all elements of the $form->data array, including sub arrays, and apply PHP's FILTER_SANITIZE_STRING, along with the custom xss_clean function from the tutorial. Below is the result.
<?php
// Sanitize all form fields. Put this code in a custom code module at the top
// of the On Submit event for each form.
// Note: FILTER_SANITIZE_STRING is deprecated as of PHP 8.1.

// Declared before the loop, and guarded so that running this custom code block
// more than once does not raise a "cannot redeclare" fatal error.
if (!function_exists('xss_clean')) {
    function xss_clean($data) {
        // Fix &entity\n; (double-encode existing entities so they survive the decode below)
        $data = str_replace(array('&amp;', '&lt;', '&gt;'), array('&amp;amp;', '&amp;lt;', '&amp;gt;'), $data);
        $data = preg_replace('/(&#*\w+)[\x00-\x20]+;/u', '$1;', $data);
        $data = preg_replace('/(&#x*[0-9A-F]+);*/iu', '$1;', $data);
        $data = html_entity_decode($data, ENT_COMPAT, 'UTF-8');

        // Remove any attribute starting with "on" or xmlns
        $data = preg_replace('#(<[^>]+?[\x00-\x20"\'])(?:on|xmlns)[^>]*+>#iu', '$1>', $data);

        // Remove javascript: and vbscript: protocols (whitespace/control chars between letters are tolerated)
        $data = preg_replace('#([a-z]*)[\x00-\x20]*=[\x00-\x20]*([`\'"]*)[\x00-\x20]*j[\x00-\x20]*a[\x00-\x20]*v[\x00-\x20]*a[\x00-\x20]*s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:#iu', '$1=$2nojavascript...', $data);
        $data = preg_replace('#([a-z]*)[\x00-\x20]*=([\'"]*)[\x00-\x20]*v[\x00-\x20]*b[\x00-\x20]*s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:#iu', '$1=$2novbscript...', $data);
        $data = preg_replace('#([a-z]*)[\x00-\x20]*=([\'"]*)[\x00-\x20]*-moz-binding[\x00-\x20]*:#u', '$1=$2nomozbinding...', $data);

        // Only works in IE: <span style="width: expression(alert('Ping!'));"></span>
        $data = preg_replace('#(<[^>]+?)style[\x00-\x20]*=[\x00-\x20]*[`\'"]*.*?expression[\x00-\x20]*\([^>]*+>#i', '$1>', $data);
        $data = preg_replace('#(<[^>]+?)style[\x00-\x20]*=[\x00-\x20]*[`\'"]*.*?behaviour[\x00-\x20]*\([^>]*+>#i', '$1>', $data);
        $data = preg_replace('#(<[^>]+?)style[\x00-\x20]*=[\x00-\x20]*[`\'"]*.*?s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:*[^>]*+>#iu', '$1>', $data);

        // Remove namespaced elements (we do not need them)
        $data = preg_replace('#</*\w+:\w[^>]*+>#i', '', $data);

        do {
            // Remove really unwanted tags; repeat until nothing changes,
            // so tags reassembled by a previous pass are caught too
            $old_data = $data;
            $data = preg_replace('#</*(?:applet|b(?:ase|gsound|link)|embed|frame(?:set)?|i(?:frame|layer)|l(?:ayer|ink)|meta|object|s(?:cript|tyle)|title|xml)[^>]*+>#i', '', $data);
        } while ($old_data !== $data);

        // we are done...
        return $data;
    }
}

foreach ($form->data as $key => $value) {
    // check for sub-arrays (e.g. checkbox groups); only one level is handled here
    if (!is_array($form->data[$key])) {
        $form->data[$key] = filter_var($form->data[$key], FILTER_SANITIZE_STRING);
        $form->data[$key] = xss_clean($form->data[$key]);
    } else {
        foreach ($form->data[$key] as $x => $y) {
            $form->data[$key][$x] = filter_var($form->data[$key][$x], FILTER_SANITIZE_STRING);
            $form->data[$key][$x] = xss_clean($form->data[$key][$x]);
        }
    }
}
?>
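As an added example (not code from the post above or from the ChronoForms project), the same idea written as a recursive walk with a pluggable cleaner, so arrays nested more than one level deep are also cleaned, with a fallback for PHP 8.1+ where FILTER_SANITIZE_STRING is deprecated. The demo input is constructed; in the real form the cleaner would also call xss_clean() from the post.

```php
<?php
// Added example, not code from the original post or the ChronoForms project.

// Clean one scalar value. Non-strings (ints, bools, null) are returned as-is.
function sanitize_scalar($value)
{
    if (!is_string($value)) {
        return $value;
    }
    if (PHP_VERSION_ID < 80100) {
        return filter_var($value, FILTER_SANITIZE_STRING);
    }
    // FILTER_SANITIZE_STRING is deprecated since PHP 8.1; strip tags and
    // encode quotes, which is the closest equivalent of what it did.
    return htmlspecialchars(strip_tags($value), ENT_QUOTES, 'UTF-8');
}

// Walk $data to any depth and apply $clean to every leaf, returning the
// cleaned copy. $clean is any callable taking and returning one value.
function sanitize_recursive(array $data, callable $clean)
{
    foreach ($data as $key => $value) {
        $data[$key] = is_array($value)
            ? sanitize_recursive($value, $clean)
            : $clean($value);
    }
    return $data;
}

// Inside the On Submit custom code action, with xss_clean() from the post
// defined, chain both steps exactly as the original loop does:
// $form->data = sanitize_recursive($form->data, function ($v) {
//     return xss_clean(sanitize_scalar($v));
// });

// Constructed demo input (not real form data) nested two levels deep, which
// the original single-level loop does not descend into.
$demo = array(
    'name'    => 'Alice <script>alert(1)</script>',
    'address' => array(
        'street' => 'Main <b>St</b>',
        'geo'    => array('lat' => 1.0, 'note' => '<img src=x onerror=alert(1)>'),
    ),
);
$clean = sanitize_recursive($demo, 'sanitize_scalar');
var_dump($clean);
// true when no '<' survives at any depth of the cleaned array
var_dump(strpos(json_encode($clean), '<') === false);
```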
So what's the best way to add this to a form? Simply to add it as custom code on submit, would it be?
:roll: OK, sorry, I am just after seeing your comment in your PHP! 😶
Anyone use this in ChronoForms v6?

Would I only need to change

$form->data

to...

$this->data

or are there any other suggestions or functions that could be used?
Yep, just replace all $form with $this.