• Resolved arlingtoner

    (@arlingtoner)


    Using WP Forms Lite 1.7.1.2, I have a form that has a one-line text box. There are a number of characters that are illegal for that field and, as I don’t see a way to make a mask that allows only the legal characters anywhere in the field, I’ve hooked ‘wpforms_process’ with my own check after the form’s Submit button is clicked:

    // Callback hooked on 'wpforms_process'. The add_action() wrapper and the switch on the
    // form ID are reconstructed from the original fragment's trailing 'break;'.
    add_action( 'wpforms_process', function ( $fields, $entry, $form_data ) {
        switch ( $form_data['id'] ) {
            case TSGL_SQ_ID: // form-ID constant defined elsewhere in the plugin
                if ( ! preg_match( "/^[\-_' a-zA-Z0-9]+$/", $fields[1]['value'] ) ) {
                    wpforms()->process->errors[ TSGL_SQ_ID ]['1'] = esc_html__( 'Illegal character(s) in search text.', 'tsglma-ttrequest' );
                }
                break;
        }
    }, 10, 3 );

    That seems to work, for example (without the quotes) “Yee?Daltas” is disallowed, as is “%” and “Yee%D”. However, “Yee%Daltas” is entered successfully. The reason is that the code above sees the string “Yeeltas”, not “Yee%Daltas”, which passes the regular expression test. The implication is that your code is filtering “%Da” out of the field before my code gets to it. Why? And, is there anything I can do about it?

    Eric Baatz

Viewing 4 replies - 1 through 4 (of 4 total)
  • Thread Starter arlingtoner

    (@arlingtoner)

    Looking at my message on the forum gives what is probably a big hint. Its title is supposed to be ‘Mysterious “%Da”’ (Mysterious, double quote, percent sign, uppercase D, lowercase a, double quote) but I see only ‘Mysterious “”’ (Mysterious, double quote, double quote). Some sort of HTML filtering?

    Plugin Support Kenneth Macharia

    (@kmacharia)

    Hey @arlingtoner,

    Thanks for reaching out and sorry for the trouble there!

    We use the sanitize_text_field() function to sanitize all inputs that are entered through the form. This function helps to strip out unsafe ASCII symbols and protect your site from SQL injection.

    As you have noticed, the form in this forum also uses the same function to protect against the same unsafe characters.

    I hope this helps!

    Thanks

    Thread Starter arlingtoner

    (@arlingtoner)

    Thanks for the clear answer. And while I do appreciate protection from SQL injection and the like…

    1. Is there documentation that I missed about the form field that warned/told me about that behavior? If not, it would be nice to have such documentation.

    2. You folks doing anything else I don’t know about with user input? It seems like I don’t have to do anything to protect against SQL injection because you’re doing it. Anything else I don’t have to do?

    3. Is it possible to have your filtering occur after I have my shot at messing with the user input, that is, execution-wise, move your code after the hook I use to do my error checking?

    Plugin Support Kenneth Macharia

    (@kmacharia)

    Hey @arlingtoner,

    Thanks for the questions.

    1. Sorry, we don’t currently have this documented. I’ve made a note of this and we’ll keep it on our radar to be reviewed as we plan out our future documentation. Thank you for the suggestion!

    2. We also use the DOMPurify to sanitize HTML and protect against other XSS attacks. We try as best as we can to follow WP standards during development.

    3. There are filters you could use in sanitize_text_field() to modify how items are sanitized and stored but this would require a bit of investigation to work with our plugin.

    I apologize as customizations like this are outside of our scope for support. In case you’d like to look into custom development options, we highly recommend using Codeable.

    Thanks!
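Added example (not code from this thread or from the WPForms plugin), written in PHP, that ties together the original post's observation, Kenneth's explanation of sanitize_text_field(), and question 3 above. Part 1 re-implements only the percent-encoded-octet removal step of WordPress core's _sanitize_text_fields(): any "%" followed by two hex digits is deleted, which is why "%Da" (D and a are both hex digits) vanishes while "%" alone and "%D" survive, exactly the pattern the poster saw. Part 2 rewrites the poster's callback to validate the visitor's raw submission rather than the already-sanitized field value. The function names strip_percent_octets and search_text_is_legal are mine; TSGL_SQ_ID and field ID 1 come from the poster's snippet; that the second argument of 'wpforms_process' carries the raw $_POST['wpforms'] values is my reading of WPForms and should be checked against the plugin's process class before relying on it.

```php
<?php
// Added example; not code from the thread or from the WPForms plugin.
// Part 1 runs anywhere PHP runs; Part 2 only registers itself inside WordPress.

/**
 * Stand-in for the "%XX" removal step of core's _sanitize_text_fields()
 * (assumption: mirrors core's loop; the other steps, such as tag stripping,
 * are omitted because they do not affect the thread's inputs).
 */
function strip_percent_octets( string $value ): string {
    // Anything shaped like URL-encoding ("%" plus two hex digits) is deleted.
    while ( preg_match( '/%[a-f0-9]{2}/i', $value, $m ) ) {
        $value = str_replace( $m[0], '', $value );
    }
    return $value;
}

/** The poster's allow-list: letters, digits, space, hyphen, underscore, apostrophe. */
function search_text_is_legal( string $value ): bool {
    return 1 === preg_match( '/^[\-_\' a-zA-Z0-9]+$/', $value );
}

// Part 1: constructed inputs reproducing the thread's four observations.
// Only "Yee%Daltas" is rewritten by sanitization, and only it flips verdicts.
foreach ( [ 'Yee?Daltas', '%', 'Yee%D', 'Yee%Daltas' ] as $raw ) {
    $clean = strip_percent_octets( $raw );
    printf(
        "%-11s sanitized=%-11s raw:%-8s sanitized:%s\n",
        $raw,
        $clean,
        search_text_is_legal( $raw ) ? 'illegal' : 'legal',
        search_text_is_legal( $clean ) ? 'legal' : 'illegal'
    );
}

// Part 2: validate what the visitor actually typed.
// Assumption (verify against WPForms's process class): $entry is the raw
// $_POST['wpforms'] array with $entry['fields'] keyed by field ID, whereas
// $fields[...]['value'] has already been through sanitize_text_field().
if ( function_exists( 'add_action' ) ) {
    add_action( 'wpforms_process', function ( $fields, $entry, $form_data ) {
        // TSGL_SQ_ID is the poster's form-ID constant; 1 is the text field's ID.
        if ( (int) $form_data['id'] !== TSGL_SQ_ID ) {
            return;
        }
        $raw = isset( $entry['fields'][1] ) ? (string) $entry['fields'][1] : '';
        if ( ! search_text_is_legal( $raw ) ) {
            wpforms()->process->errors[ TSGL_SQ_ID ]['1'] =
                esc_html__( 'Illegal character(s) in search text.', 'tsglma-ttrequest' );
        }
    }, 10, 3 );
}
```

The point of the split is that sanitization and validation are different jobs: sanitization silently rewrites the value into something it considers safe to store, while validation is supposed to reject input the form owner does not want. Checking the sanitized copy means the check can only ever see what sanitization chose to leave behind, so an allow-list like the poster's has to be applied to the raw submission to mean what it says.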
