Validation of textareas in bluesprints

In a blueprint I have a textarea like this:


            label: Short description
            placeholder: Short Description
            required: true
            type: textarea

How can I validate the input of users?
What I would like to do is to use a regular expression like this one:

  match: "/^[A-Za-zÄÖÜäöüß0-9_,.;:&!()=?*+#]+$/"

However, this does only work for text fields. Neither works:

pattern : "/^[A-Za-zÄÖÜäöüß0-9_,.;:&!()=?*+#]+$/"

How can I add validation to textareas for panel users?

I have not tested it, so it is just a guess: Maybe, you might have to add the “multiline” modifier to the regex, since your current syntax finds only certain characters between the start and the end of the string. Or, you might have to add the EOL characters “\n” and “\r” to the allowed list of characters. Or it might be, that you have add both :wink: Just try all three variants…

Thank you a lot for thinking about how to improve the regualr expression!
However, in the case of textarea fields in blueprints there seems to be no way to validate the input of users. In case of other field types you can validate the users input with given field properties (e.g. a number field with the property min or a text field with property pattern). The textarea field hasn’t got such properties.

Thus, a user of the panel can currently input malicious content in the textarea field (e.g. html-tags, javascript code etc.). This is a security risk. Accoringly, I would like to check the user input before saving. At least the validation has to be done before changing the status from draft to unlistet or listed.
(The consequence of the lack of input validation is that any user content has to be programmatically escaped when it is used as output in templates.)

The remaining question is, which possiblity are there to avoid malicious content in textarea fields within blueprints (before the content is published)?

The textarea field does support input validation. But note that draft pages are not validated.

Having said that, you should take care on the output side to prevent potentially malicious input doing any harm.

You and @Adspectus are right! Thanks a lot :+1:!
Validation works for textareas if line breaks are included (and optional multiline modifier is added). Here is a possible solution:

type: textarea
match: “/[1]+$/s”

For escaping the output, is there a posibility to escape it and afterwards to interprete the included markup?

<?php echo esc($page->short()->text()) //->kirbytext()?>

  1. A-Za-zÄÖÜäöüß0-9_,.;:&!()=?*+# \n\r ↩︎


should work.

Great! Thanks a lot :smiley: :+1: