Global user input of the (#) sign

New Here ,
Oct 11, 2019

Does anyone know a way to globally disable the use of a (#) sign by the end user?  I have created code to replace the (#) sign on form fields that users would likely use a (#) sign in, but that would be a very time-consuming task for every text box on the site.  Would love any ideas or suggestions from anyone who may have a solution.


LEGEND ,
Oct 11, 2019


What I do is create a function and CFINCLUDE it on every page that will process user input.  Mostly for trim() and canonicalize(), but I also do things like strip out HTML using RegEx.  Something like this would be ideal for converting the # into its HTML entity or ASCII equivalent.

 

Another, less effective and bypassable method would be to use JavaScript on the form pages that prevents the hashtag/pound sign from being used.  But the user can just disable JavaScript and get past that, easily.  A server-side solution would be best.

 

V/r,

 

^ _ ^

New Here ,
Oct 11, 2019


That’s a good idea. Do you loop through the form struct? Do you have a code example?

LEGEND ,
Oct 11, 2019


I'll see if I can find one.  I don't loop through the form elements.  I just went to each individual element being processed and inserted code to send the value to the function before actually inserting the value into the database.

<!---
    Function:      stripScript
    Arguments:     thisStr (string; required), emailHdr (string; optional, default "false")
    Notes:         Takes a string, canonicalizes it, removes HTML tags/entities and line breaks, returns the string
--->
<cffunction access="public" name="stripScript" returntype="string" output="no">
    <cfargument name="thisStr" default="! ! ! ERROR ! ! !" type="string" />
    <cfargument name="emailHdr" default="false" type="string" />
    <cfscript>
        // Decode any URL/HTML encoding first; both flags make canonicalize() throw on nested or multiple encoding.
        local.varStr = canonicalize(ARGUMENTS.thisStr, true, true);
        // Strip out HTML tags and HTML entities; leave content between open/close tags.
        local.varStr = REreplaceNoCase(local.varStr, "(<[\s|\/]*[^>]*>|&.{1,7};)", "-?-", "all");
        // Collapse carriage returns, line feeds and tabs to a space so the value cannot inject mail headers.
        // (A plain character class is used here; the original "[#chr(13)#|#chr(10)#|\r|\n|\t]" also stripped literal "|" characters.)
        local.varStr = REreplaceNoCase(local.varStr, "[\r\n\t]", " ", "all");
        if (arguments.emailHdr eq "true") {
            local.varStr = REreplaceNoCase(local.varStr, "<br[^>]*>", "  ", "all");
        }
        // You can enter the # replacement code here (it must run after canonicalize(); see below).
        return local.varStr;
    </cfscript>
</cffunction>

In the document that processes the user input:

// returnResult is assumed to be declared earlier on the page; myCFC is the component holding stripScript().
switch (StructKeyExists(form, 'myField')) {
    case false:
        returnResult &= "<p style='margin:0 20px; text-indent:-20px;'>myField does not exist in form.</p>" & application.crlf;
        break;
    default:
        switch (len(trim(form.myField))) {
            case 0:
                // myField is blank and not required; let it go.
                break;
            default:
                thisField = trim(form.myField);
                thisField = myCFC.stripScript(thisField);   // sanitize the trimmed value, not the raw form value
                form.myField = thisField;
                break;
        }
        break;
}

This sanitizes and validates the element in the form scope.  So when it gets put into a database or email or Excel sheet, or whatever, it's sanitized and safe.  The two flags in canonicalize() will cause an error if either nested obfuscation or multiple obfuscation are used.  It's important to replace the hashtags AFTER the canonicalize() because canonicalize() will revert any HTML entity or ASCII equivalent back into a hashtag.

 

HTH,

 

^ _ ^
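As an added example (not code from either poster), here is how the same sanitization could be applied to every key in the FORM scope in one pass, which answers the "loop through the form struct" question above and fits the CFINCLUDE-on-every-page approach from the first reply. It reuses the post's tag/entity regex and the "replace # only after canonicalize()" ordering; the function name sanitizeFormScope and the struct it returns are my own, and canonicalize() assumes ColdFusion 10 or later.

```cfml
<cfscript>
// Added example: sanitize every simple value in the FORM scope in one pass.
// Returns a struct with the cleaned fields and the names of fields canonicalize() rejected.
function sanitizeFormScope(required struct formScope) {
    var clean = {};
    var problems = [];
    for (var key in arguments.formScope) {
        // FIELDNAMES is ColdFusion's own list of submitted field names, not user data.
        if (key == "FIELDNAMES") continue;
        var val = arguments.formScope[key];
        // File uploads and other non-string values are passed through untouched.
        if (!isSimpleValue(val)) { clean[key] = val; continue; }
        try {
            // Decode nested/multiple encodings first; both flags make it throw instead of silently decoding.
            val = canonicalize(trim(val), true, true);
        } catch (any e) {
            arrayAppend(problems, key);   // remember the field so the caller can refuse the request
            continue;
        }
        // Strip tags and entities AFTER canonicalize (same regex as the post's stripScript()).
        val = reReplaceNoCase(val, "(<[\s|\/]*[^>]*>|&.{1,7};)", "-?-", "all");
        // Collapse CR/LF/TAB to a space (mail-header injection protection for CFMAIL).
        val = reReplace(val, "[\r\n\t]", " ", "all");
        // Now neutralize the pound sign. A literal "#" inside a CF string is written as "##".
        // Doing this last means canonicalize() cannot turn the entity back into "#".
        val = replace(val, "##", "&##35;", "all");
        clean[key] = val;
    }
    return { "fields": clean, "rejected": problems };
}

// Usage on a form-processing page (constructed usage, not from the thread):
result = sanitizeFormScope(form);
if (arrayLen(result.rejected)) {
    // Obfuscated input was detected in one or more fields; refuse rather than guess.
    writeOutput("Invalid input in: " & arrayToList(result.rejected));
    abort;
}
// Copy the cleaned values back over the FORM scope so existing inserts/emails see sanitized data.
structAppend(form, result.fields, true);
</cfscript>
```

Because the replacement writes &#35; rather than a raw #, values can still be echoed into HTML safely, while any field that fails the strict canonicalize() check is reported instead of being partially decoded.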

New Here ,
Oct 12, 2019


Thank you, I will give it a try and see how it works.
