unwanted link in textarea

Annabelle 16 Feb, 2013
ChronoformsV4 - Joomla 2.5
When someone fills in the textarea in the form and there is an abbreviation in the text, I get the abbreviation (e.g. vr.gr) as a link: vr.gr. I don't want it to be possible to send links or email addresses (or code!) in the textarea.
Did I overlook a possibility to prevent that in ChronoForms, or is it not there? I couldn't find anything in the tutorials or forums.
Annabelle
GreyHead 16 Feb, 2013
Hi Annabelle,

There is nothing in ChronoForms that adds links or removes them. You can filter the data after the form is submitted to remove anything that you don't want. Use a Custom Code action with a Joomla! or PHP filter function.

Bob
Annabelle 16 Feb, 2013
Thank you Bob,

Under Events->Core Actions-> I found the Custom Code and I dragged it right beneath the On Submit. After that I was lost… I searched the internet for code to fill in on the proper field but couldn't find anything. I'm blank as far as PHP code is concerned.😶 Could you please point me in the right direction?

Regards,
Annabelle
GreyHead 17 Feb, 2013
Hi Annabelle,

Please see this FAQ where you'll find some more suggestions for cleaning or filtering form data.

Bob
Annabelle 18 Feb, 2013
Hello Bob,
Thanks for the link.

I understand this part very well: ChronoForms does no server filtering, sanitization or validation on submitted form data by default.

I understand this too: This has pluses and minuses. On the minus side, there is a risk of corrupt, unwanted or malicious content being posted.

And because of the minus side I want to protect my website. And in order to do so I need to have knowledge I don't have. (Don't blame me for not knowing.) I really tried to understand the action I need to take to protect the form and the website, but I just don't have a clue.
I would love to buy you a beer but I'm afraid I need more help than a link🤣
I apologize for my directness :wink:

Regards,
Annabelle
GreyHead 18 Feb, 2013
Hi Annabelle,

The rest of the FAQ after the part you quoted has the 'How to' instructions, including some examples and links to the Joomla! and PHP documents. If these aren't enough then you may need help from someone with more coding experience :-(

If you post here the name of the form element you want to filter and exactly how you want to filter it, then I will try to find time to post something more specific for you.

Bob
Annabelle 18 Feb, 2013
Hi Bob,
Thank you very much for your offer to help me!
I have 3 Text Box elements: naam, email, onderwerp
I have one Text Area: bericht

Needed filters or sanitization:
For all 4 elements: no possibility to put in anything else than 'normal' text. So no links, no email addresses (except 1 in the email box of course :wink: ), no HTML code, no PHP code or Java or whatever input possible that is a risk of corrupt, unwanted or malicious content being posted that may cause damage to the website.

Is this enough information for you?

Regards,
Annabelle
GreyHead 20 Feb, 2013
Hi Annabelle,

If you want absolute security then you will need to do some work on your site. It really depends on how much at risk you think your forms are. For most sites this will cover your day-to-day needs:
<?php
$form->data['input_name'] = filter_var($form->data['input_name'], FILTER_SANITIZE_STRING);
// . . . repeat for other inputs
?>
This code goes into a Custom Code action on the On Submit event after any anti-spam checkers you have.

But note that this PHP filter isn't perfect. There are other, more effective filters that you can use; there's an xss_clean() function in this Stack Overflow post and there is also a link to the HTML Purifier library, which would need to be installed on your site if you think that level of protection is necessary.

Bob

PS I've updated the Sanitize FAQ to include more of this information
Annabelle 20 Feb, 2013
Hi Bob,

Thank you very much for your help!😀 I did exactly as described and now it is not possible anymore to make an input in the fields using HTML-code. That's a great relief!

I made a second Custom Code with the xss_clean() function as described under "advanced filtering" in the FAQs and I've put it beneath the first Custom Code. That did not prevent the URLs from being shown in the textarea or input fields.

Was that wrong? Probably that script takes care of something else? Do I need both? Or did I do something stupid? :?

Friendly regards,
Ingrid
GreyHead 20 Feb, 2013
Hi Annabelle,

To use xss_clean() the code would look like this:
<?php
$form->data['input_name'] = xss_clean($form->data['input_name']);
$form->data['another_input_name'] = xss_clean($form->data['another_input_name']);
xss_clean() {
  // . . .  function code goes here
}
?>

or alternatively
<?php
$clean_array = array(
  'input_name',
  'another_input_name'
);
foreach ( $clean_array as $v ) {
  $form->data[$v] = xss_clean($form->data[$v]);
}
xss_clean() {
  // . . .  function code goes here
}
?>

Bob
Annabelle 20 Feb, 2013
Hi Bob,

Thank you for your quick response.
I rewrote the second Custom Code with this:
<?php
$clean_array = array(
  'naam',
  'email'
  'onderwerp',
  'bericht'
);
foreach ( $clean_array as $v ) {
  $form->data[$v] = xss_clean($form->data[$v]);
}
xss_clean() {
function xss_clean($data)
{
  // Fix &entity\n;
  $data = str_replace(array('&','<','>'), array('&amp;','&lt;','&gt;'), $data);
  $data = preg_replace('/(&#*\w+)[\x00-\x20]+;/u', '$1;', $data);
  $data = preg_replace('/(&#x*[0-9A-F]+);*/iu', '$1;', $data);
  $data = html_entity_decode($data, ENT_COMPAT, 'UTF-8');

  // Remove any attribute starting with "on" or xmlns 
  $data = preg_replace('#(<[^>]+?[\x00-\x20"\'])(?:on|xmlns)[^>]*+>#iu', '$1>', $data);

  // Remove javascript: and vbscript: protocols
  $data = preg_replace('#([a-z]*)[\x00-\x20]*=[\x00-\x20]*([`\'"]*)[\x00-\x20]*j[\x00-\x20]*a[\x00-\x20]*v[\x00-\x20]*a[\x00-\x20]*s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:#iu', '$1=$2nojavascript...', $data);
  $data = preg_replace('#([a-z]*)[\x00-\x20]*=([\'"]*)[\x00-\x20]*v[\x00-\x20]*b[\x00-\x20]*s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:#iu', '$1=$2novbscript...', $data);
  $data = preg_replace('#([a-z]*)[\x00-\x20]*=([\'"]*)[\x00-\x20]*-moz-binding[\x00-\x20]*:#u', '$1=$2nomozbinding...', $data);

  // Only works in IE: <span style="width: expression(alert('Ping!'));"></span>
  $data = preg_replace('#(<[^>]+?)style[\x00-\x20]*=[\x00-\x20]*[`\'"]*.*?expression[\x00-\x20]*\([^>]*+>#i', '$1>', $data);
  $data = preg_replace('#(<[^>]+?)style[\x00-\x20]*=[\x00-\x20]*[`\'"]*.*?behaviour[\x00-\x20]*\([^>]*+>#i', '$1>', $data);
  $data = preg_replace('#(<[^>]+?)style[\x00-\x20]*=[\x00-\x20]*[`\'"]*.*?s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:*[^>]*+>#iu', '$1>', $data);

  // Remove namespaced elements (we do not need them)
  $data = preg_replace('#</*\w+:\w[^>]*+>#i', '', $data);

  do {
    // Remove really unwanted tags
    $old_data = $data;
    $data = preg_replace('#</*(?:applet|b(?:ase|gsound|link)|embed|frame(?:set)?|i(?:frame|layer)|l(?:ayer|ink)|meta|object|s(?:cript|tyle)|title|xml)[^>]*+>#i', '', $data);
  } while ($old_data !== $data);

  // we are done...
  return $data;
}
}
?>

Now I tested the contact form, and if I put a URL in the field 'naam' or 'onderwerp' (subject) or in the textarea 'bericht', the message still shows the URL as sender, subject and message.
What went wrong? I mean: what did I do wrong?😶
Friendly regards,
Annabelle
GreyHead 20 Feb, 2013
Hi Annabelle,

Sorry, I misled you :-( Please remove this line xss_clean() { and the second } at the end.

Bob
Annabelle 20 Feb, 2013
Hi Bob,
I just removed it and now it looks like this:

<?php
$clean_array = array(
  'naam',
  'email'
  'onderwerp',
  'bericht'
);
foreach ( $clean_array as $v ) {
  $form->data[$v] = xss_clean($form->data[$v]);
}
function xss_clean($data)
{
  // Fix &entity\n;
  $data = str_replace(array('&','<','>'), array('&amp;','&lt;','&gt;'), $data);
  $data = preg_replace('/(&#*\w+)[\x00-\x20]+;/u', '$1;', $data);
  $data = preg_replace('/(&#x*[0-9A-F]+);*/iu', '$1;', $data);
  $data = html_entity_decode($data, ENT_COMPAT, 'UTF-8');

  // Remove any attribute starting with "on" or xmlns
  $data = preg_replace('#(<[^>]+?[\x00-\x20"\'])(?:on|xmlns)[^>]*+>#iu', '$1>', $data);

  // Remove javascript: and vbscript: protocols
  $data = preg_replace('#([a-z]*)[\x00-\x20]*=[\x00-\x20]*([`\'"]*)[\x00-\x20]*j[\x00-\x20]*a[\x00-\x20]*v[\x00-\x20]*a[\x00-\x20]*s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:#iu', '$1=$2nojavascript...', $data);
  $data = preg_replace('#([a-z]*)[\x00-\x20]*=([\'"]*)[\x00-\x20]*v[\x00-\x20]*b[\x00-\x20]*s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:#iu', '$1=$2novbscript...', $data);
  $data = preg_replace('#([a-z]*)[\x00-\x20]*=([\'"]*)[\x00-\x20]*-moz-binding[\x00-\x20]*:#u', '$1=$2nomozbinding...', $data);

  // Only works in IE: <span style="width: expression(alert('Ping!'));"></span>
  $data = preg_replace('#(<[^>]+?)style[\x00-\x20]*=[\x00-\x20]*[`\'"]*.*?expression[\x00-\x20]*\([^>]*+>#i', '$1>', $data);
  $data = preg_replace('#(<[^>]+?)style[\x00-\x20]*=[\x00-\x20]*[`\'"]*.*?behaviour[\x00-\x20]*\([^>]*+>#i', '$1>', $data);
  $data = preg_replace('#(<[^>]+?)style[\x00-\x20]*=[\x00-\x20]*[`\'"]*.*?s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:*[^>]*+>#iu', '$1>', $data);

  // Remove namespaced elements (we do not need them)
  $data = preg_replace('#</*\w+:\w[^>]*+>#i', '', $data);

  do {
    // Remove really unwanted tags
    $old_data = $data;
    $data = preg_replace('#</*(?:applet|b(?:ase|gsound|link)|embed|frame(?:set)?|i(?:frame|layer)|l(?:ayer|ink)|meta|object|s(?:cript|tyle)|title|xml)[^>]*+>#i', '', $data);
  } while ($old_data !== $data);

  // we are done...
  return $data;
}
?>

I tested the form and the URLs keep coming in... :?
Friendly regards,
Annabelle
GreyHead 20 Feb, 2013
Hi Annabelle,

The code looks OK. By all means email or PM me the site URL and a SuperAdmin login and I'll take a quick look.

Bob
GreyHead 21 Feb, 2013
Hi Annabelle,

There was a comma missing after 'email',

But, even so the xss_clean code didn't remove <a> tags so I combined the two like this:
<?php
$clean_array = array(
  'naam',
  'email',
  'onderwerp',
  'bericht'
);
foreach ( $clean_array as $v ) {
  $form->data[$v] = filter_var($form->data[$v], FILTER_SANITIZE_STRING);
  $form->data[$v] = xss_clean( $form->data[$v] );
}
function xss_clean( $data ) {
  // Fix &entity\n;
  $data = str_replace( array( '&', '<', '>' ), array( '&amp;', '&lt;', '&gt;' ), $data );
  $data = preg_replace( '/(&#*\w+)[\x00-\x20]+;/u', '$1;', $data );
  $data = preg_replace( '/(&#x*[0-9A-F]+);*/iu', '$1;', $data );
  $data = html_entity_decode( $data, ENT_COMPAT, 'UTF-8' );

  // Remove any attribute starting with "on" or xmlns
  $data = preg_replace( '#(<[^>]+?[\x00-\x20"\'])(?:on|xmlns)[^>]*+>#iu', '$1>', $data );

  // Remove javascript: and vbscript: protocols
  $data = preg_replace( '#([a-z]*)[\x00-\x20]*=[\x00-\x20]*([`\'"]*)[\x00-\x20]*j[\x00-\x20]*a[\x00-\x20]*v[\x00-\x20]*a[\x00-\x20]*s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:#iu', '$1=$2nojavascript...', $data );
  $data = preg_replace( '#([a-z]*)[\x00-\x20]*=([\'"]*)[\x00-\x20]*v[\x00-\x20]*b[\x00-\x20]*s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:#iu', '$1=$2novbscript...', $data );
  $data = preg_replace( '#([a-z]*)[\x00-\x20]*=([\'"]*)[\x00-\x20]*-moz-binding[\x00-\x20]*:#u', '$1=$2nomozbinding...', $data );

  // Only works in IE: <span style="width: expression(alert('Ping!'));"></span>
  $data = preg_replace( '#(<[^>]+?)style[\x00-\x20]*=[\x00-\x20]*[`\'"]*.*?expression[\x00-\x20]*\([^>]*+>#i', '$1>', $data );
  $data = preg_replace( '#(<[^>]+?)style[\x00-\x20]*=[\x00-\x20]*[`\'"]*.*?behaviour[\x00-\x20]*\([^>]*+>#i', '$1>', $data );
  $data = preg_replace( '#(<[^>]+?)style[\x00-\x20]*=[\x00-\x20]*[`\'"]*.*?s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:*[^>]*+>#iu', '$1>', $data );

  // Remove namespaced elements (we do not need them)
  $data = preg_replace( '#</*\w+:\w[^>]*+>#i', '', $data );

  do {
    // Remove really unwanted tags
    $old_data = $data;
    $data = preg_replace( '#</*(?:applet|b(?:ase|gsound|link)|embed|frame(?:set)?|i(?:frame|layer)|l(?:ayer|ink)|meta|object|s(?:cript|tyle)|title|xml)[^>]*+>#i', '', $data );
  } while ( $old_data !== $data );

  // we are done...
  return $data;
}
?>

Bob
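As an added example (not from the thread and not ChronoForms' own code), here is a Custom Code action that does what Annabelle actually asked for: reduce naam, onderwerp and bericht to plain text with URLs, bare domains like vr.gr and e-mail addresses removed, and accept only one valid address in email. It assumes, as the posts above do, that submitted values live in $form->data, and it uses strip_tags/htmlspecialchars instead of FILTER_SANITIZE_STRING, which is deprecated since PHP 8.1.

```php
<?php
// Added example; assumes ChronoForms v4 exposes submitted values in
// $form->data. Field names are the ones Annabelle listed in the thread.

// Reduce a value to plain text: decode entities first so an encoded tag
// cannot slip past strip_tags, drop tags, then drop control characters.
function to_plain_text($value)
{
    $value = html_entity_decode((string) $value, ENT_QUOTES, 'UTF-8');
    $value = strip_tags($value);
    $value = preg_replace('/[\x00-\x08\x0B\x0C\x0E-\x1F]/', '', $value);
    return trim($value);
}

// Replace anything that looks like a URL, a www. host, an e-mail address
// or a bare domain (vr.gr, example.com) with a marker. The bare-domain
// rule is deliberately aggressive and will also catch "word.Next" typos.
function remove_links($value)
{
    $patterns = array(
        '~[a-z][a-z0-9+.-]*://\S+~iu',                     // scheme://host/...
        '~\bwww\.\S+~iu',                                   // www.example.com
        '~[\w.+-]+@[\w-]+(?:\.[\w-]+)+~u',                  // e-mail addresses
        '~\b[\w-]+(?:\.[\w-]+)*\.[a-z]{2,}\b(?:/\S*)?~iu',  // bare domains
    );
    return preg_replace($patterns, '[link removed]', $value);
}

// The email field is the one place an address is wanted: keep it only if
// FILTER_VALIDATE_EMAIL accepts it as a single address, else blank it.
$email = filter_var(trim((string) $form->data['email']), FILTER_VALIDATE_EMAIL);
$form->data['email'] = ($email === false) ? '' : $email;

// Free-text fields: strip markup, remove links, then escape for safe
// display in the HTML e-mail or database record that ChronoForms builds.
foreach (array('naam', 'onderwerp', 'bericht') as $field) {
    $text = to_plain_text($form->data[$field]);
    $text = remove_links($text);
    $form->data[$field] = htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}
?>
```

With this in place, "Vr.gr Annabelle, zie http://example.com" arrives as "[link removed] Annabelle, zie [link removed]"; rejecting the submission instead of rewriting it would need ChronoForms' own validation hooks, which this example does not use.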
Annabelle 21 Feb, 2013
Hi Bob,

I am speechless!! You have put so much effort in it. Thank you very, very much! I would never have been able to get to this result. You made me a happy person 😀 and I'll gladly buy you a 1/4 keg of beer!

Cheers and many thanks!
Annabelle
GreyHead 21 Feb, 2013
Hi Annabelle,

Thanks, we'll always try to help when the question is one that is useful to other users (which covers many things except for custom coding).

Bob