Does anyone know a way to globally disable the use of a (#) sign by the end user? I have created code to replace the (#) sign on form fields that users would likely use a (#) sign in, but that would be a very time-consuming task for every text box on the site. Would love any ideas or suggestions from anyone who may have a solution.
What I do is create a function and CFINCLUDE it on every page that will process user input. Mostly for trim() and canonicalize(), but I also do things like strip out HTML using RegEx. Something like this would be ideal for converting the # into its HTML entity or ASCII equivalent.
Another, less effective and bypassable method would be to use JavaScript on the form pages that prevents the hashtag/pound sign from being used. But the user can just disable JavaScript and get past that, easily. A server-side solution would be best.
V/r,
^ _ ^
I'll see if I can find one. I don't loop through the form elements. I just went to each individual element being processed and inserted code to send the value to the function before actually inserting the value into the database.
<!---
Function: stripScript
Arguments: thisStr (string; required), emailHdr (string; optional, defaults to "false")
Notes: Takes string, removes HTML tags, returns string
--->
<cffunction access="public" name="stripScript" returntype="string" output="no">
    <cfargument name="thisStr" default="! ! ! ERROR ! ! !" type="string" />
    <cfargument name="emailHdr" default="false" type="string" />
    <cfscript>
        // Decode nested/multiple encodings first; both flags raise an error on obfuscated input.
        local.varStr = canonicalize(ARGUMENTS.thisStr, true, true);
        // Strip out HTML tags and HTML entities; leave content between open/close tags.
        // ("[\s\/]" rather than "[\s|\/]": inside a character class "|" is a literal pipe, not alternation.)
        local.varStr = REreplaceNoCase(local.varStr, "(<[\s\/]*[^>]*>|&.{1,7};)", "-?-", "all");
        // Strip out CR, LF and tab to prevent MAIL headers from being injected.
        // \r and \n already cover chr(13)/chr(10); a "|" inside [...] would also have removed pipe characters.
        local.varStr = REreplaceNoCase(local.varStr, "[\r\n\t]", " ", "all");
        if (arguments.emailHdr eq "true") {
            local.varStr = REreplaceNoCase(local.varStr, "<br[^>]*>", " ", "all");
        }
        // You can enter Replace # code here..
        return local.varStr;
    </cfscript>
</cffunction>
In the document that processes the user input:
returnResult = ""; // accumulates validation messages for this request
switch (StructKeyExists(form, 'myField')) {
    case false:
        returnResult &= "<p style='margin:0 20px; text-indent:-20px;'>myField does not exist in form.</p>" & application.crlf;
        break;
    default:
        switch (len(trim(form.myField))) {
            case 0:
                // myField is blank and not required; let it go.
                break;
            default:
                thisField = trim(form.myField);
                thisField = myCFC.stripScript(thisField); // sanitize the trimmed value, not the raw form.myField
                form.myField = thisField;
                break;
        }
        break;
}
This sanitizes and validates the element in the form scope. So when it gets put into a database or email or Excel sheet, or whatever, it's sanitized and safe. The two flags in canonicalize() will cause an error if either nested obfuscation or multiple obfuscation are used. It's important to replace the hashtags AFTER the canonicalize() because canonicalize() will revert any HTML entity or ASCII equivalent back into a hashtag.
HTH,
^ _ ^
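As an added example (not the original poster's code, nor code from Adobe), here is the "replace # after canonicalize()" step described above, plus a loop over the whole FORM scope so it does not have to be wired into every field by hand. It assumes ColdFusion 10 or later (for canonicalize() with its two restriction flags and the local scope); the function names sanitizeField and sanitizeFormScope and the sample form struct are constructed for the example.

```cfml
<!---
  Added example: canonicalize each form field first, then replace the pound
  sign. Doing it in this order matters because canonicalize() turns an encoded
  "%23" or "&#35;" back into a literal "#", which a replace done beforehand would miss.
--->
<cffunction name="sanitizeField" access="public" returntype="string" output="no">
    <cfargument name="value" type="string" required="true" />
    <cfscript>
        // Both flags raise an error on nested (e.g. %2523) or mixed (e.g. %23 with &#35;) obfuscation.
        local.clean = canonicalize(arguments.value, true, true);
        local.clean = trim(local.clean);
        // In CFML source a literal "#" inside a string must be doubled: "##" is one pound
        // sign and "&##35;" is the HTML entity &#35;. Replace only AFTER canonicalize().
        local.clean = replace(local.clean, "##", "&##35;", "all");
        return local.clean;
    </cfscript>
</cffunction>

<cffunction name="sanitizeFormScope" access="public" returntype="struct" output="no">
    <cfargument name="fields" type="struct" required="true" />
    <cfscript>
        // Structs are passed by reference, so the caller's FORM scope is updated in place.
        for (local.key in arguments.fields) {
            // Skip ColdFusion's own FIELDNAMES key and anything that is not a simple string value.
            if (local.key eq "FIELDNAMES" || !isSimpleValue(arguments.fields[local.key])) {
                continue;
            }
            arguments.fields[local.key] = sanitizeField(arguments.fields[local.key]);
        }
        return arguments.fields;
    </cfscript>
</cffunction>

<!--- Constructed input standing in for the FORM scope of a submitted page --->
<cfset testForm = { "title" = "Order %23 12", "notes" = "Item &##35;7 and ##9", "FIELDNAMES" = "TITLE,NOTES" } />
<cfset sanitizeFormScope(testForm) />
<cfoutput>#testForm.title# | #testForm.notes#</cfoutput>
```

In a real page you would call sanitizeFormScope(form) from the CFINCLUDEd file before the values reach the query, mail or spreadsheet code, and catch the error that canonicalize() throws on nested or mixed encoding rather than letting the request continue with the raw value.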