Validation of textareas in blueprints

In a blueprint I have a textarea like this:

short:
  label: Short description
  placeholder: Short Description
  required: true
  type: textarea

How can I validate the input of users?
What I would like to do is to use a regular expression like this one:

validate:
  match: "/^[A-Za-zÄÖÜäöüß0-9_,.;:&!()=?*+#]+$/"

However, this does only work for text fields. Neither works:

pattern : "/^[A-Za-zÄÖÜäöüß0-9_,.;:&!()=?*+#]+$/"

How can I add validation to textareas for panel users?

I have not tested it, so it is just a guess: Maybe, you might have to add the “multiline” modifier to the regex, since your current syntax finds only certain characters between the start and the end of the string. Or, you might have to add the EOL characters “\n” and “\r” to the allowed list of characters. Or it might be that you have to add both :wink: Just try all three variants…

Thank you a lot for thinking about how to improve the regular expression!
However, in the case of textarea fields in blueprints there seems to be no way to validate the input of users. In case of other field types you can validate the user's input with given field properties (e.g. a number field with the property min or a text field with property pattern). The textarea field hasn’t got such properties.

Thus, a user of the panel can currently input malicious content in the textarea field (e.g. html-tags, javascript code etc.). This is a security risk. Accordingly, I would like to check the user input before saving. At least the validation has to be done before changing the status from draft to unlisted or listed.
(The consequence of the lack of input validation is that any user content has to be programmatically escaped when it is used as output in templates.)

The remaining question is, which possibilities are there to avoid malicious content in textarea fields within blueprints (before the content is published)?

The textarea field does support input validation. But note that draft pages are not validated.

Having said that, you should take care on the output side to prevent potentially malicious input doing any harm.

You and @Adspectus are right! Thanks a lot :+1:!
Validation works for textareas if line breaks are included (and optional multiline modifier is added). Here is a possible solution:

short:
  type: textarea
  validate:
    match: "/^[A-Za-zÄÖÜäöüß0-9_,.;:&!()=?*+# \n\r]+$/s"

For escaping the output, is there a possibility to escape it and afterwards to interpret the included markup?

<?php echo esc($page->short()->text()) //->kirbytext()?>

$page->short()->escape()->kt()

should work.

Great! Thanks a lot :smiley: :+1:
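
Added example (not code from any poster in this thread): a plain-PHP check of the two patterns from the thread against constructed sample values, showing why the text-field pattern rejects ordinary textarea input while the revised pattern accepts it and still rejects markup. `passesMatch()` and `escapeForHtml()` are hypothetical helpers; modelling the blueprint `match` rule with `preg_match()` and the output-side `escape()` with `htmlspecialchars()` are assumptions.

```php
<?php
// Added example with constructed inputs; runs with plain PHP, no Kirby needed.
// Save this file as UTF-8 so the umlauts in the patterns match the samples.

// Patterns as posted in the thread (PHP single quotes keep \n and \r for PCRE).
const SINGLE_LINE = '/^[A-Za-zÄÖÜäöüß0-9_,.;:&!()=?*+#]+$/';
const MULTI_LINE  = '/^[A-Za-zÄÖÜäöüß0-9_,.;:&!()=?*+# \n\r]+$/s';

// Assumption: the blueprint "match" rule behaves like preg_match() on the raw value.
function passesMatch(string $pattern, string $value): bool
{
    return preg_match($pattern, $value) === 1;
}

// Stand-in for the output-side escape() step: HTML-context escaping.
function escapeForHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample values a panel user might type into the textarea.
$samples = [
    'one word'         => 'Beschreibung',
    'with spaces'      => 'Kurze Beschreibung, Größe: 42',
    'two lines (CRLF)' => "Erste Zeile;\r\nzweite Zeile!",
    'HTML tag'         => '<b>fett</b>',
    'script tag'       => '<script>alert(1)</script>',
];

foreach ($samples as $label => $value) {
    printf(
        "%-17s single-line: %-4s multi-line: %-4s\n",
        $label,
        passesMatch(SINGLE_LINE, $value) ? 'ok' : 'fail',
        passesMatch(MULTI_LINE, $value) ? 'ok' : 'fail'
    );
}

// Drafts are not validated, so a stored draft may still hold markup.
// Escaping on output turns it into inert text regardless of validation.
$storedDraft = $samples['script tag'];
echo escapeForHtml($storedDraft), "\n";
```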