ChronoformsV4 - Joomla 2.5
When someone fills in the textarea in the form and there is an abbreviation in the text, I get the abbreviation (e.g. vr.gr) as a link: vr.gr. I don't want it to be possible to send links or email addresses (or code!) in the textarea.
Did I overlook a possibility to prevent that in ChronoForms, or is it not there? I couldn't find anything in the tutorials or forums.
Annabelle
Hi Annabelle,
There is nothing in ChronoForms that adds links or removes them. You can filter the data after the form is submitted to remove anything that you don't want. Use a Custom Code action with a Joomla! or PHP filter function.
Bob
Thank you Bob,
Under Events -> Core Actions I found the Custom Code and I dragged it right beneath the On Submit. After that I was lost… I searched the internet for code to fill in on the proper field but couldn't find anything. I'm blank as far as PHP code is concerned.😶 Could you please point me in the right direction?
Regards,
Annabelle
Hi Annabelle,
Please see this FAQ where you'll find some more suggestions for cleaning or filtering form data.
Bob
Hello Bob,
Thanks for the link.
I understand this part very well: ChronoForms does no server filtering, sanitization or validation on submitted form data by default.
I understand this too: This has pluses and minuses. On the minus side, there is a risk of corrupt, unwanted or malicious content being posted.
And because of the minus side I want to protect my website. And in order to do so I need to have knowledge I don't have (don't blame me for not knowing). I really tried to understand the action I need to take to protect the form and the website, but I just don't have a clue.
I would love to buy you a beer but I'm afraid I need more help than a link🤣
I apologize for my directness :wink:
Regards,
Annabelle
Hi Annabelle,
The rest of the FAQ after the part you quoted has the 'How to' instructions, including some examples and links to the Joomla! and PHP documents. If these aren't enough then you may need help from someone with more coding experience :-(
If you post here the name of the form element you want to filter and exactly how you want to filter it, then I will try to find time to post something more specific for you.
Bob
Hi Bob,
Thank you very much for your offer to help me!
I have 3 Text Box elements: naam, email, onderwerp
I have one Text Area: bericht
Needed filters or sanitization:
For all 4 elements: no possibility to put in anything other than 'normal' text. So no links, no email addresses (except 1 in the email box of course :wink: ), no HTML code, no PHP code or Java or whatever input possible that is a risk of corrupt, unwanted or malicious content being posted that may cause damage to the website.
Is this enough information for you?
Regards,
Annabelle
Hi Annabelle,
If you want absolute security then you will need to do some work on your site. It really depends on how much at risk you think your forms are. For most sites this will cover your day-to-day needs:
<?php
$form->data['input_name'] = filter_var($form->data['input_name'], FILTER_SANITIZE_STRING);
// . . . repeat for other inputs
?>
This code goes into a Custom Code action on the On Submit event after any anti-spam checkers you have.
But note that this PHP filter isn't perfect. There are other, more effective filters that you can use; there's an xss_clean() function in this Stack Overflow post and there is also a link to the HTML Purifier library, which would need to be installed on your site if you think that level of protection is necessary.
Bob
PS I've updated the Sanitize FAQ to include more of this information
Hi Bob,
Thank you very much for your help!😀 I did exactly as described and now it is not possible anymore to make an input in the fields using HTML code. That's a great relief!
I made a second Custom Code with the xss_clean() function as described under "advanced filtering" in the FAQs and I've put it beneath the first Custom Code. That did not prevent the URLs from being shown in the textarea or input fields.
Was that wrong? Probably that script takes care of something else? Do I need both? Or did I do something stupid? :?
Friendly regards,
Ingrid
Hi Annabelle,
To use xss_clean() the code would look like this:
<?php
$form->data['input_name'] = xss_clean($form->data['input_name']);
$form->data['another_input_name'] = xss_clean($form->data['another_input_name']);
xss_clean() {
// . . . function code goes here
}
?>
or alternatively
<?php
$clean_array = array(
'input_name',
'another_input_name'
);
foreach ( $clean_array as $v ) {
$form->data[$v] = xss_clean($form->data[$v]);
}
xss_clean() {
// . . . function code goes here
}
?>
Bob
Hi Bob,
Thank you for your quick response.
I rewrote the second Custom Code with this:
<?php
$clean_array = array(
'naam',
'email'
'onderwerp',
'bericht'
);
foreach ( $clean_array as $v ) {
$form->data[$v] = xss_clean($form->data[$v]);
}
xss_clean() {
function xss_clean($data)
{
// Fix &entity\n;
$data = str_replace(array('&amp;','&lt;','&gt;'), array('&','<','>'), $data);
$data = preg_replace('/(&#*\w+)[\x00-\x20]+;/u', '$1;', $data);
$data = preg_replace('/(&#x*[0-9A-F]+);*/iu', '$1;', $data);
$data = html_entity_decode($data, ENT_COMPAT, 'UTF-8');
// Remove any attribute starting with "on" or xmlns
$data = preg_replace('#(<[^>]+?[\x00-\x20"\'])(?:on|xmlns)[^>]*+>#iu', '$1>', $data);
// Remove javascript: and vbscript: protocols
$data = preg_replace('#([a-z]*)[\x00-\x20]*=[\x00-\x20]*([`\'"]*)[\x00-\x20]*j[\x00-\x20]*a[\x00-\x20]*v[\x00-\x20]*a[\x00-\x20]*s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:#iu', '$1=$2nojavascript...', $data);
$data = preg_replace('#([a-z]*)[\x00-\x20]*=([\'"]*)[\x00-\x20]*v[\x00-\x20]*b[\x00-\x20]*s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:#iu', '$1=$2novbscript...', $data);
$data = preg_replace('#([a-z]*)[\x00-\x20]*=([\'"]*)[\x00-\x20]*-moz-binding[\x00-\x20]*:#u', '$1=$2nomozbinding...', $data);
// Only works in IE: <span style="width: expression(alert('Ping!'));"></span>
$data = preg_replace('#(<[^>]+?)style[\x00-\x20]*=[\x00-\x20]*[`\'"]*.*?expression[\x00-\x20]*\([^>]*+>#i', '$1>', $data);
$data = preg_replace('#(<[^>]+?)style[\x00-\x20]*=[\x00-\x20]*[`\'"]*.*?behaviour[\x00-\x20]*\([^>]*+>#i', '$1>', $data);
$data = preg_replace('#(<[^>]+?)style[\x00-\x20]*=[\x00-\x20]*[`\'"]*.*?s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:*[^>]*+>#iu', '$1>', $data);
// Remove namespaced elements (we do not need them)
$data = preg_replace('#</*\w+:\w[^>]*+>#i', '', $data);
do {
// Remove really unwanted tags
$old_data = $data;
$data = preg_replace('#</*(?:applet|b(?:ase|gsound|link)|embed|frame(?:set)?|i(?:frame|layer)|l(?:ayer|ink)|meta|object|s(?:cript|tyle)|title|xml)[^>]*+>#i', '', $data);
} while ($old_data !== $data);
// we are done...
return $data;
}
}
?>
Now I tested the contact form, and when I put a URL in the field 'naam' or 'onderwerp' (subject) or in the textarea 'bericht', the message still shows the URL as sender, subject and message.
What went wrong? I mean: what did I do wrong?😶
Friendly regards,
Annabelle
Hi Annabelle,
Sorry, I misled you :-( Please remove the line "xss_clean() {" and the second "}" at the end.
Bob
Hi Bob,
I just removed it and now it looks like this:
<?php
$clean_array = array(
'naam',
'email'
'onderwerp',
'bericht'
);
foreach ( $clean_array as $v ) {
$form->data[$v] = xss_clean($form->data[$v]);
}
function xss_clean($data)
{
// Fix &entity\n;
$data = str_replace(array('&amp;','&lt;','&gt;'), array('&','<','>'), $data);
$data = preg_replace('/(&#*\w+)[\x00-\x20]+;/u', '$1;', $data);
$data = preg_replace('/(&#x*[0-9A-F]+);*/iu', '$1;', $data);
$data = html_entity_decode($data, ENT_COMPAT, 'UTF-8');
// Remove any attribute starting with "on" or xmlns
$data = preg_replace('#(<[^>]+?[\x00-\x20"\'])(?:on|xmlns)[^>]*+>#iu', '$1>', $data);
// Remove javascript: and vbscript: protocols
$data = preg_replace('#([a-z]*)[\x00-\x20]*=[\x00-\x20]*([`\'"]*)[\x00-\x20]*j[\x00-\x20]*a[\x00-\x20]*v[\x00-\x20]*a[\x00-\x20]*s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:#iu', '$1=$2nojavascript...', $data);
$data = preg_replace('#([a-z]*)[\x00-\x20]*=([\'"]*)[\x00-\x20]*v[\x00-\x20]*b[\x00-\x20]*s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:#iu', '$1=$2novbscript...', $data);
$data = preg_replace('#([a-z]*)[\x00-\x20]*=([\'"]*)[\x00-\x20]*-moz-binding[\x00-\x20]*:#u', '$1=$2nomozbinding...', $data);
// Only works in IE: <span style="width: expression(alert('Ping!'));"></span>
$data = preg_replace('#(<[^>]+?)style[\x00-\x20]*=[\x00-\x20]*[`\'"]*.*?expression[\x00-\x20]*\([^>]*+>#i', '$1>', $data);
$data = preg_replace('#(<[^>]+?)style[\x00-\x20]*=[\x00-\x20]*[`\'"]*.*?behaviour[\x00-\x20]*\([^>]*+>#i', '$1>', $data);
$data = preg_replace('#(<[^>]+?)style[\x00-\x20]*=[\x00-\x20]*[`\'"]*.*?s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:*[^>]*+>#iu', '$1>', $data);
// Remove namespaced elements (we do not need them)
$data = preg_replace('#</*\w+:\w[^>]*+>#i', '', $data);
do {
// Remove really unwanted tags
$old_data = $data;
$data = preg_replace('#</*(?:applet|b(?:ase|gsound|link)|embed|frame(?:set)?|i(?:frame|layer)|l(?:ayer|ink)|meta|object|s(?:cript|tyle)|title|xml)[^>]*+>#i', '', $data);
} while ($old_data !== $data);
// we are done...
return $data;
}
?>
I tested the form and the URLs keep coming in... :?
Friendly regards,
Annabelle
Hi Annabelle,
The code looks OK. By all means email or PM me the site URL and a SuperAdmin login and I'll take a quick look.
Bob
Hi Annabelle,
There was a comma missing after 'email'.
But even so, the xss_clean() code didn't remove <a> tags, so I combined the two like this:
<?php
$clean_array = array(
'naam',
'email',
'onderwerp',
'bericht'
);
foreach ( $clean_array as $v ) {
$form->data[$v] = filter_var($form->data[$v], FILTER_SANITIZE_STRING);
$form->data[$v] = xss_clean( $form->data[$v] );
}
function xss_clean( $data ) {
// Fix &entity\n;
$data = str_replace( array( '&amp;', '&lt;', '&gt;' ), array( '&', '<', '>' ), $data );
$data = preg_replace( '/(&#*\w+)[\x00-\x20]+;/u', '$1;', $data );
$data = preg_replace( '/(&#x*[0-9A-F]+);*/iu', '$1;', $data );
$data = html_entity_decode( $data, ENT_COMPAT, 'UTF-8' );
// Remove any attribute starting with "on" or xmlns
$data = preg_replace( '#(<[^>]+?[\x00-\x20"\'])(?:on|xmlns)[^>]*+>#iu', '$1>', $data );
// Remove javascript: and vbscript: protocols
$data = preg_replace( '#([a-z]*)[\x00-\x20]*=[\x00-\x20]*([`\'"]*)[\x00-\x20]*j[\x00-\x20]*a[\x00-\x20]*v[\x00-\x20]*a[\x00-\x20]*s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:#iu', '$1=$2nojavascript...', $data );
$data = preg_replace( '#([a-z]*)[\x00-\x20]*=([\'"]*)[\x00-\x20]*v[\x00-\x20]*b[\x00-\x20]*s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:#iu', '$1=$2novbscript...', $data );
$data = preg_replace( '#([a-z]*)[\x00-\x20]*=([\'"]*)[\x00-\x20]*-moz-binding[\x00-\x20]*:#u', '$1=$2nomozbinding...', $data );
// Only works in IE: <span style="width: expression(alert('Ping!'));"></span>
$data = preg_replace( '#(<[^>]+?)style[\x00-\x20]*=[\x00-\x20]*[`\'"]*.*?expression[\x00-\x20]*\([^>]*+>#i', '$1>', $data );
$data = preg_replace( '#(<[^>]+?)style[\x00-\x20]*=[\x00-\x20]*[`\'"]*.*?behaviour[\x00-\x20]*\([^>]*+>#i', '$1>', $data );
$data = preg_replace( '#(<[^>]+?)style[\x00-\x20]*=[\x00-\x20]*[`\'"]*.*?s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:*[^>]*+>#iu', '$1>', $data );
// Remove namespaced elements (we do not need them)
$data = preg_replace( '#</*\w+:\w[^>]*+>#i', '', $data );
do {
// Remove really unwanted tags
$old_data = $data;
$data = preg_replace( '#</*(?:applet|b(?:ase|gsound|link)|embed|frame(?:set)?|i(?:frame|layer)|l(?:ayer|ink)|meta|object|s(?:cript|tyle)|title|xml)[^>]*+>#i', '', $data );
} while ( $old_data !== $data );
// we are done...
return $data;
}
?>
Bob
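An added example, not code from this thread and not part of ChronoForms, showing one way to get the plain-text-only behaviour Annabelle asked for. Bob's combined code strips markup, but a URL typed as plain text survives both filter_var() and xss_clean(), and the mail client that displays the message then turns it into a link (ChronoForms itself adds no links, as Bob says). The function below therefore strips markup first and then rejects, rather than rewrites, any of the text fields that still contain a URL or an e-mail address, while the email field is validated with FILTER_VALIDATE_EMAIL. Assumptions: PHP 7 or later; the field names naam, email, onderwerp and bericht are the ones from the thread; the commented $form->data hook at the end is my guess at how to wire this into a Custom Code action, based only on the snippets above; the sample submissions are constructed. FILTER_SANITIZE_STRING is deprecated from PHP 8.1, so strip_tags() and htmlspecialchars() are used instead.

```php
<?php
// Added example: plain-text filtering for the four fields named in the thread.
// Field names come from the thread; everything else is this example's own.
const PLAIN_TEXT_FIELDS = ['naam', 'onderwerp', 'bericht'];
const EMAIL_FIELD       = 'email';

// A link must have a scheme or a "www." prefix. A dotted abbreviation such as
// "vr.gr" is therefore NOT flagged; a mail client may still linkify it on
// display, and no server-side filter can prevent that.
const URL_PATTERN   = '~\b(?:https?|ftp)://\S+|\bwww\.\S+~iu';
const EMAIL_PATTERN = '~[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}~iu';

function to_plain_text(string $value): string
{
    // Decode entities first so "&lt;script&gt;" cannot slip past strip_tags(),
    // then drop tags and re-encode what is left for safe display in HTML mail.
    $value = html_entity_decode($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $value = strip_tags($value);
    // Drop control characters except tab, newline and carriage return.
    $value = preg_replace('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/u', '', $value);
    return htmlspecialchars(trim($value), ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/**
 * Returns ['data' => cleaned fields, 'errors' => field => reason].
 * Rejecting is preferable to silently rewriting: a "sanitized" URL is still
 * a URL once a mail client renders it.
 */
function filter_contact_form(array $data): array
{
    $clean  = [];
    $errors = [];

    foreach (PLAIN_TEXT_FIELDS as $field) {
        $text = to_plain_text((string)($data[$field] ?? ''));
        if (preg_match(URL_PATTERN, $text)) {
            $errors[$field] = 'links are not allowed';
        } elseif (preg_match(EMAIL_PATTERN, $text)) {
            $errors[$field] = 'e-mail addresses are not allowed in this field';
        }
        $clean[$field] = $text;
    }

    // The e-mail field is validated, not sanitized: one well-formed address or nothing.
    $email = trim((string)($data[EMAIL_FIELD] ?? ''));
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[EMAIL_FIELD] = 'not a valid e-mail address';
    }
    $clean[EMAIL_FIELD] = $email;

    return ['data' => $clean, 'errors' => $errors];
}

// Constructed sample submissions (not real form data).
$samples = [
    'abbreviation' => ['naam' => 'Annabelle', 'email' => 'a@example.com',
                       'onderwerp' => 'Hallo', 'bericht' => 'vr.gr Annabelle'],
    'link_in_name' => ['naam' => 'http://example.com/', 'email' => 'a@example.com',
                       'onderwerp' => 'x', 'bericht' => 'y'],
    'tag_in_body'  => ['naam' => 'A', 'email' => 'a@example.com',
                       'onderwerp' => 'x', 'bericht' => 'Zie <b>www.example.com</b>'],
    'bad_email'    => ['naam' => 'A', 'email' => 'not-an-address',
                       'onderwerp' => 'x', 'bericht' => 'y'],
];

foreach ($samples as $name => $submission) {
    $result = filter_contact_form($submission);
    printf("%-13s errors=%s\n", $name,
        $result['errors'] ? json_encode($result['errors']) : 'none');
}

// Hypothetical ChronoForms hook (assumption based on the $form->data usage in
// the thread; how to halt the On Submit event on errors is not shown there):
// $result = filter_contact_form($form->data);
// $form->data = array_merge($form->data, $result['data']);
```

Running the script shows the abbreviation case passing, the link in 'naam' and the URL left behind after the <b> tags are stripped from 'bericht' being reported, and the malformed address in 'email' being rejected. The one thing this cannot do is stop a mail client from underlining "vr.gr" on its own; only the content of the message is under the site's control.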
Hi Bob,
I am speechless!! You have put so much effort in it. Thank you very, very much! I would never have been able to get to this result. You made me a happy person 😀 and I'll gladly buy you a 1/4 keg of beer!
Cheers and many thanks!
Annabelle