SamC Posted December 13, 2017

I've only just noticed but I have a rather serious problem in that my webform cuts off the message text. Not sure why this is happening so any fresh eyes to look at this would be appreciated!

contact.php:

<?php namespace ProcessWire;

wireIncludeFile("./vendor/vlucas/valitron/src/Valitron/Validator.php");

$captcha = $modules->get("MarkupGoogleRecaptcha");
$contactPageID = "1022";
$contactFormRecipient = "MY_EMAIL";

$name = $sanitizer->text($input->post->name);
$email = $sanitizer->email($input->post->email);
$message = $sanitizer->text($input->post->message);

$v = new \Valitron\Validator(array(
    "name" => $name,
    "email" => $email,
    "message" => $message
));
$v->rule("required", ["name", "email", "message"]);
$v->rule("email", "email");

if ($input->post->sendMe) {
    if ($v->validate()) {
        if ($captcha->verifyResponse() === true) {
            $message = "
                <html>
                <body>
                    <p><b>Customer name:</b> {$name}</p>
                    <p><b>Customer email:</b> {$email}</p>
                    <p><b>Customer message:</b></p>
                    <p>{$message}</p>
                </body>
                </html>
            ";
            $mail = wireMail();
            $mail->to($contactFormRecipient)
                ->from($email, $name)
                ->subject('Website form submission')
                ->bodyHTML($message);
            if ($mail->send()) {
                $session->flashMessage = "Thanks for your message! I will get back to you shortly.";
                $session->sent = true;
                $session->redirect($pages->get($contactPageID)->url);
            } else {
                $session->flashMessage = "Sorry, an error occurred. Please try again.";
            }
        } else {
            $session->flashMessage = 'Recaptcha must be complete.';
        }
    } else {
        $session->flashMessage = 'Please fill out the fields correctly.';
    }
}
?>
<div id="form-top" class="mb-5"></div>
<div class="container">
    <div class="row justify-content-center py-5">
        <div class="col-md-10">
            <?php if($session->flashMessage):?>
            <div class="alert <?php echo $session->sent ? 'alert-success' : 'alert-danger'?>" role="alert">
                <?php echo $session->flashMessage;?>
            </div>
            <?php endif;?>
            <form id="contact-form" method="post" action="#form-top">
                <div class="row">
                    <div class="form-group col-sm-12 col-lg-6 py-2 <?php echo $v->errors('name') ? 'has-danger' : ''?>">
                        <label for="name">Name (required)</label>
                        <input class="form-control" name="name" id="name" type="text" value="<?php if ($name) echo $name; ?>">
                    </div>
                    <div class="form-group col-sm-12 col-lg-6 py-2 <?php echo $v->errors('email') ? 'has-danger' : ''?>">
                        <label for="email">Email (required)</label>
                        <input class="form-control" name="email" id="email" type="text" value="<?php if ($email) echo $email; ?>">
                    </div>
                </div>
                <div class="form-group py-2 <?php echo $v->errors('message') ? 'has-danger' : ''?>">
                    <label for="message">Message (required)</label>
                    <textarea class="form-control" name="message" id="message" rows="8"><?php if ($message) echo $message; ?></textarea>
                </div>
                <div>
                    <label for="recaptcha">Recaptcha (required)</label>
                    <!-- Google Recaptcha code START -->
                    <?php echo $captcha->render(); ?>
                    <!-- Google Recaptcha code END -->
                </div>
                <div class="form-group">
                    <button type="submit" class="btn outlined" name="sendMe" value="1">Enquire now!</button>
                </div>
            </form>
        </div>
    </div>
</div>
<?php
$session->remove('flashMessage');
$session->sent = false;
echo $captcha->getScript();
?>

If I submit:

Lorem ipsum dolor sit amet, consectetur adipisicing elit. Laudantium eum nemo excepturi obcaecati dolorem, maiores vel assumenda quibusdam beatae, adipisci laboriosam ipsum rem temporibus est reiciendis nesciunt alias fuga? Accusantium quaerat natus delectus rem illo repudiandae, repellat esse aliquid reprehenderit aspernatur mollitia molestias, quisquam sit error. Consequatur, dolores, quibusdam facere officia eveniet, cumque, doloribus voluptate eligendi facilis ut quam corporis! In eligendi rerum, qui quidem nulla distinctio adipisci et nobis tenetur aut nisi. Asperiores quibusdam itaque laudantium explicabo accusantium? Nihil laborum voluptatem ea mollitia possimus consequatur quo repellat culpa, ipsum tempore earum. Corrupti saepe explicabo veritatis repellendus vero perferendis odit.

The form emails this:

Customer name: Sam
Customer email: sam@testing.com
Customer message:
Lorem ipsum dolor sit amet, consectetur adipisicing elit. Laudantium eum nemo excepturi obcaecati dolorem, maiores vel assumenda quibusdam beatae, adipisci laboriosam ipsum rem temporibus est reiciendis nesciunt alias fuga? Accusantium quaerat natus delec

Any ideas why this would be happening? Thanks.

== EDIT ==

Removing the sanitizer 'fixed' it.

$name = $sanitizer->text($input->post->name);
$email = $sanitizer->email($input->post->email);
// $message = $sanitizer->text($input->post->message); <<< fail
$message = $input->post->message; // works but not sanitized, bad!

If I read here: https://processwire.com/api/variables/sanitizer/

"Sanitize a single line of input text. Removes tags, removes newline characters, and truncates length to 1024 characters. This is multibyte safe if your PHP has multibyte support."

Which is a suitable sanitizer for this field? This one? http://cheatsheet.processwire.com/sanitizer/properties-and-methods/sanitizer-textarea-value/
szabesz Posted December 13, 2017

"Please note the default 255 character max length setting." https://processwire.com/api/ref/sanitizer/text/

Maybe?
SamC (Author) Posted December 13, 2017

I've used: https://processwire.com/api/ref/sanitizer/textarea/

However, I'm not 100% sure of the security of this. It's a multi line text area on a contact form so someone could paste anything in there. Should I also run it through $sanitizer->entities? I'm gonna try throwing a few things in there and see what the resulting email is. Very technical I know.
szabesz Posted December 13, 2017

https://processwire.com/api/ref/sanitizer/textarea/

"If using returned value for front-end output, be sure to run it through $sanitizer->entities() first."

So it depends: if you do not trust your email client, then use entities() too. It cannot hurt, I think, to use it, but you can experiment, of course.
SamC (Author) Posted December 13, 2017

How do I combine the two? Like this:

$message = $sanitizer->entities($sanitizer->textarea($input->post->message));

...or like:

$message = $sanitizer->textarea($sanitizer->entities($input->post->message));

Or do you do it one at a time?
bernhard Posted December 13, 2017

You need the entities only for frontend OUTPUT, when you don't want the string to be interpreted as HTML.
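The combination SamC asks about, as an added example rather than code from the thread: textarea() once at input time, entities() only at the points where the value is written into HTML (the email body and the re-filled form). It assumes the ProcessWire $sanitizer, $input and wireMail() API as used in contact.php above, omits the Valitron and reCAPTCHA checks to stay on the sanitize/escape step, and uses the same placeholder recipient.

```php
<?php namespace ProcessWire;
// Added example, not the thread's code. Sanitize once at input time,
// escape at each HTML output point. $sanitizer, $input and wireMail()
// are the ProcessWire API objects used in contact.php above.

$contactFormRecipient = "MY_EMAIL"; // placeholder, as in the thread

// textarea() keeps a multi-line message; text() is for single-line
// fields and collapses newlines and truncates, which is the cut-off
// seen in the thread.
$name    = $sanitizer->text($input->post->name);
$email   = $sanitizer->email($input->post->email);
$message = $sanitizer->textarea($input->post->message);

// Build the email body from escaped copies. entities() turns < > & "
// into HTML entities, so pasted markup is shown as literal text by the
// mail client instead of being rendered. nl2br() runs after escaping,
// so the only <br> tags in the body are the ones added here.
$safeName    = $sanitizer->entities($name);
$safeEmail   = $sanitizer->entities($email);
$safeMessage = nl2br($sanitizer->entities($message));

$body = "<html><body>"
      . "<p><b>Customer name:</b> {$safeName}</p>"
      . "<p><b>Customer email:</b> {$safeEmail}</p>"
      . "<p><b>Customer message:</b></p>"
      . "<p>{$safeMessage}</p>"
      . "</body></html>";

// $message stays as sanitized plain text (a separate $body holds the
// markup), so it can be re-filled into the form without the email HTML.
$mail = wireMail();
$mail->to($contactFormRecipient)
     ->from($email, $name)
     ->subject('Website form submission')
     ->bodyHTML($body);
$mail->send();
?>
<!-- The same rule applies when echoing the values back into the form:
     escape at output, inside the attribute and inside the textarea. -->
<input class="form-control" name="name" id="name" type="text"
       value="<?php echo $sanitizer->entities($name); ?>">
<textarea class="form-control" name="message" id="message" rows="8"><?php echo $sanitizer->entities($message); ?></textarea>
```

Escaping twice (entities() on a value that was already passed through entities()) would show literal `&amp;lt;` in the email, which is why the escape step is done at output and not stored back into $message.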
adrian Posted December 13, 2017

Try the purify() sanitizer. Also, in the Tracy Console, check out the testAll() sanitizer - very handy!

d($sanitizer->testAll($str));
SamC (Author) Posted December 13, 2017

Ok, thanks for the suggestions, I'll get tracy fired up tomorrow and see how I get on.