Uniform security

Visitors often paste from editors into form input fields. This results in pasted Carriage Returns and Line Feeds in the input field. Not allowing this causes many people to fail validation.

Is it secure to allow these in a Uniform input field?

It is often not possible to validate input from textarea fields (or other free text inputs) in forms (as opposed to input from URL or email fields, for example).

Therefore, you have to clean this user input in your form handler.

There are basically two ways to treat this that go hand in hand:

  • Clean user input before actually storing it, so that you make sure you only store the kind of data you want to store.

  • Escape user generated input when outputting it again (in templates, snippets, email templates etc.).

Thanks for the advice, texnixe!

Actually the content is mailed with the Uniform emailAction method and I was worried about mail header injections or other nastiness (not knowing enough about this). I searched the Uniform documentation on how to clean the input, but couldn’t find it.

At least new lines in the subject are removed as you can see here:

Note that you can create your own actions and definitely your own email snippets where you can additionally escape input.

In general, the plugin should be pretty secure, though, as far as I know.

Thanks again Texnixe, this helps a lot :smile:

Just some additional info in case others might have the same concern.
I decided to use a regex to specify some forbidden characters:

'rules' => ['required', 'match' => '/^[^forbidden characters]+$/']

By specifying forbidden characters [^] instead of allowed ones, visitors now pass validation even when pasting from Word and there is still some added security. Also, simply adding two forward slashes here helps block spam (because of the URLs which are often found inside spam messages).
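The clean-then-escape approach from the first answer, the mail-header concern raised in the thread, and the forbidden-character validation from the last post, shown together in a PHP example added here. This is not Uniform's own code: the function names, the set of forbidden characters and the sample inputs are assumptions made for the illustration. The point it adds is that header-bound values (subject, names) and free-text body values need different cleaning: the former must never contain a line break, the latter may keep the line breaks that pasting produces.

```php
<?php
// Added example, not part of Uniform. Shows the separation between
// header-bound values and body text, a deny-list validation like the
// one in the thread, and escaping at output time.
declare(strict_types=1);

// Values that end up in mail headers (subject, sender name) must be a single
// line: CR/LF in a header value is what makes mail header injection possible.
function cleanHeaderValue(string $value): string
{
    // Replace CR, LF and every other ASCII control character with a space,
    // then collapse runs of whitespace into one space.
    $noControl = preg_replace('/[\x00-\x1F\x7F]+/', ' ', $value) ?? '';
    return trim(preg_replace('/\s+/', ' ', $noControl) ?? '');
}

// Free text (message body) keeps line breaks so that text pasted from Word
// still validates, but other control characters are dropped.
function cleanBodyText(string $value): string
{
    $value = str_replace("\r\n", "\n", $value); // normalise Windows line endings
    $value = str_replace("\r", "\n", $value);   // and bare CR
    // \P{C} matches anything that is NOT a Unicode control/other character;
    // the negated class therefore removes control characters except \n and \t.
    return preg_replace('/[^\P{C}\n\t]+/u', '', $value) ?? '';
}

// Deny-list validation in the spirit of the forum post: forbid a few
// characters instead of allow-listing, so accents and line breaks pass.
// The forbidden set (<, >, and / to catch URLs) is an assumption here.
function isAcceptableMessage(string $value): bool
{
    return preg_match('#^[^<>/]+$#u', $value) === 1;
}

// Escape when rendering into an HTML email snippet. Escaping happens at
// output time regardless of what validation allowed through.
function renderHtml(string $value): string
{
    return nl2br(htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8'));
}

// Constructed sample input: a subject with a pasted line break and a body
// with Windows line endings, plus a second body that hits the deny-list.
$subject   = "Request\r\nfor quote";
$pasted    = "Line one\r\nLine two\r\nTom & Jerry";
$withLinks = "See http://example.invalid/offer";

$safeSubject = cleanHeaderValue($subject);   // single line, no CR/LF left
$safeBody    = cleanBodyText($pasted);       // line breaks kept, CR normalised

echo "Subject: ", $safeSubject, "\n";
echo "Pasted body accepted: ", isAcceptableMessage($safeBody) ? 'yes' : 'no', "\n";
echo "Body with URL accepted: ", isAcceptableMessage(cleanBodyText($withLinks)) ? 'yes' : 'no', "\n";
echo "HTML snippet output:\n", renderHtml($safeBody), "\n";
```

In a real form handler the header cleaning would be applied to every value that feeds a header (subject, from-name, reply-to), the body cleaning to the message field, and the validation pattern would be what goes into the Uniform 'match' rule; the HTML escaping belongs in the email snippet, as texnixe suggests above.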