filter htm code in a textarea field

morio 25 Mar, 2008
In my former formprocessor a textarea field has been misused for spam and I do believe, that this will happen here too.

My question: Could the Alphanumeric validation be expanded (or a new validation group added) to reject htm code if desired?

Or, does anybody have php or javascript to handle this?

morio
GreyHead 26 Mar, 2008
Hi morio,

The code depends on which version of Joomla you are using but, for example, Joomla 1.5 has 'clean' methods for JRequest that will strip any possible code injection. For example

_cleanVar (line 534)

Clean up an input variable.
void _cleanVar (mixed $var, int $mask, [string $type = null])

* mixed $var: The input variable.
* int $mask: Filter bit mask. 1=no trim: If this flag is cleared and the input is a string, the string will have leading and trailing whitespace trimmed. 2=allow_raw: If set, no more filtering is performed, higher bits are ignored. 4=allow_html: HTML is allowed, but passed through a safe HTML filter first. If set, no more filtering is performed. If no bits other than the 1 bit is set, a strict filter is applied.
* string $type: The variable type {@see JFilterInput::clean()}.

Bob
morio 26 Mar, 2008

Hi morio,

The code depends on which version of Joomla you are using but, for example, Joomla 1.5 has 'clean' methods for JRequest that will strip any possible code injection. For example

_cleanVar (line 534)

Bob



Bob, the site in question runs under Joomla! 1.0.14 Stable [ Daybreak ] 11 February 2008 00:00 UTC

greetings,
morio
GreyHead 26 Mar, 2008
Hi morio,

I don't know if there is an equivalent function in Joomla 1.0.x but it shouldn't be hard to find or build something similar. Check out strip_tags() and htmlspecialchars() in the PHP manual.

Bob
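For a Joomla 1.0.x site that has no JRequest::getString(), the two functions Bob names can be combined into a small filter of your own. The following is an added example written for this thread, not code from ChronoForms or Joomla; the function name clean_textarea and the sample input are assumptions for illustration.

```php
<?php
// Framework-independent textarea sanitiser: strip_tags() removes markup,
// htmlspecialchars() encodes whatever is left so the browser can never
// treat it as HTML or as part of an attribute.

function clean_textarea($input, $stripTags = true, $maxLength = 4000)
{
    // Normalise line endings and trim surrounding whitespace.
    $text = str_replace(array("\r\n", "\r"), "\n", trim((string) $input));

    // 1. Optionally drop every tag (<script>, <a href=...>, <img onerror=...>).
    //    Caveat: a stray unclosed '<' in ordinary text makes strip_tags()
    //    swallow everything after it, so for a plain contact form the
    //    encoding step alone is often the safer choice.
    if ($stripTags) {
        $text = strip_tags($text);
    }

    // 2. Encode the characters that still carry meaning to a browser.
    //    ENT_QUOTES also encodes single quotes, so the value is safe inside
    //    both "..." and '...' attribute contexts.
    $text = htmlspecialchars($text, ENT_QUOTES, 'UTF-8');

    // 3. Cap the length: spam runs tend to be long, and this bounds storage.
    if (strlen($text) > $maxLength) {
        $text = substr($text, 0, $maxLength);
    }
    return $text;
}

// Constructed sample input of the kind that ends up in a misused textarea:
// a legitimate line with an email address, then an injection attempt.
$sample = "Please contact me at jane.doe@example.com\r\n"
        . "<script>alert('xss')</script> 5 < 6 & \"quoted\"";

echo clean_textarea($sample), "\n";
```

The email address passes through unchanged, since neither function touches `@` or `.`; only the script tag is removed and the remaining `<`, `&` and quotes are encoded. This handles the HTML side only; anything written to the database still needs escaping or a prepared statement, as Bob notes later in the thread.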
khalidkhan 02 Jun, 2010

Hi morio,

The code depends on which version of Joomla you are using but, for example, Joomla 1.5 has 'clean' methods for JRequest that will strip any possible code injection. For example

_cleanVar (line 534)

Clean up an input variable.
void _cleanVar (mixed $var, int $mask, [string $type = null])

* mixed $var: The input variable.
* int $mask: Filter bit mask. 1=no trim: If this flag is cleared and the input is a string, the string will have leading and trailing whitespace trimmed. 2=allow_raw: If set, no more filtering is performed, higher bits are ignored. 4=allow_html: HTML is allowed, but passed through a safe HTML filter first. If set, no more filtering is performed. If no bits other than the 1 bit is set, a strict filter is applied.
* string $type: The variable type {@see JFilterInput::clean()}.

Bob


hi there Bob

I have been desperately looking for this kind of code, and my text areas are also being used to inject html... Being a novice at all this, can you please give an example of how to use this code? Where in the forms or in the ChronoForms interface will this code go?
GreyHead 02 Jun, 2010
Hi khalidkhan,

The place to do this is in the OnSubmit Before box.
<?php
// Re-read the submitted textarea through Joomla's string filter and
// store the cleaned value back so later steps (email, database) see it.
// Plain assignment: getString() does not return by reference, so '=&'
// would only raise a PHP notice.
$temp = JRequest::getString('textarea_name', '', 'post');
JRequest::setVar('textarea_name', $temp);
?>
This will pass the input through the Joomla input filters.

I'm still learning about this, it seems that this protects against XSS threats from HTML but leaves open some MySQL risks. You can add an extra step to escape data that will be saved to the database:
<?php
$db =& JFactory::getDBO();
// Filtered for HTML first, as in the previous snippet.
$temp = JRequest::getString('textarea_name', '', 'post');
// Then escape quotes and backslashes for the database layer; this is
// in addition to, not instead of, the HTML filtering above.
$temp = $db->getEscaped($temp);
JRequest::setVar('textarea_name', $temp);
?>

Bob
khalidkhan 02 Jun, 2010
thanks bob, you rock, I will test this code and get back to you with good news 😀 😀 😀 good karma for you....
gemlog 30 Sep, 2010
Thanks from me too bob. Just stuffed both those snippets in to my mail form.
GreyHead 30 Sep, 2010
Hi gemlog,

Just for tidiness you only need the second one - it includes the code from the first.

Bob
gemlog 30 Sep, 2010
Yes, I just combined them together and repeated for each input field. It doesn't kill email addresses. That's what I was worried about. I test out ok using it.