bwakad Posted May 20, 2014

Never thought about this before, but now I am actually thinking: do I have to do something with my textarea on the form to make it only accept characters and spaces, rather than letting someone enter code? Inside my form I have this, but it does not accept spaces...

    pattern='[a-zA-Z]{30,250}'

...so maybe I only have to leave the number of characters in, and use one of the back-end things? The field I talk about is sanitized upon submission:

    $member_page->about = $sanitizer->textarea($input->post->about);

I see in the back-end 'text formatters' but really have no idea what is best.
teppo Posted May 20, 2014

I'm assuming that this is a front-end form and submitted values are somehow converted to pages and/or page data. If that's really the case, those values really need to be sanitised when submitted, but including the HTML Entity Encoder textformatter is still a good idea as an additional precaution -- unless, of course, your field has to be able to contain HTML.

For sanitising user input $sanitizer->textarea() is one option, the other being $sanitizer->entities(). The first one strips tags but leaves entities intact, while the latter encodes all entities, including "<" and ">":

    $foo = "<b>bar</b>";
    echo strip_tags($foo);   // outputs: bar
    echo htmlentities($foo); // outputs: &lt;b&gt;bar&lt;/b&gt; (which the browser displays as the literal text <b>bar</b>)

This pattern you've mentioned is probably a front-end thing? In that case it can be used as a way to signal to users what kind of values are valid, but you should never really trust it; it's very easy to circumvent things like these.

Note: you could probably just add a space in your pattern, like [a-zA-Z ], to make it support those. I'm not sure if this makes sense, though; the user still wouldn't be able to type in dots, commas, lines, underscores, non-ASCII characters etc. etc. This method seems complicated and prone to errors, so I'd probably skip it altogether, relying on the server-side sanitisation instead.
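As an added example (not code from this thread and not ProcessWire's own $sanitizer implementation; the function names, the 30/250 limits and the inputs below are my own assumptions), here is what the server-side path teppo describes looks like in plain PHP: strip tags and enforce the length when the form is submitted, then entity-encode again when the value is rendered. It uses PHP's strip_tags() and htmlspecialchars() directly so it runs with nothing but the PHP CLI installed, and it includes the kind of input (punctuation, a line break, non-ASCII letters) that the [a-zA-Z]{30,250} pattern would have rejected.

```php
<?php
// Added example, not from the thread or from ProcessWire: server-side
// handling of an "about" textarea. Assumed limits: 30..250 characters.

/**
 * Validate and sanitise the submitted "about" text.
 * Returns null when the value must be rejected, otherwise the cleaned text.
 * Loosely mirrors what $sanitizer->textarea() does: strip tags, normalise
 * newlines, trim, and enforce a length limit on the server, where the
 * browser's pattern attribute cannot be bypassed with curl or devtools.
 */
function sanitizeAbout(string $raw, int $min = 30, int $max = 250): ?string
{
    // Normalise Windows/Mac line endings so the stored value is consistent.
    $text = str_replace(["\r\n", "\r"], "\n", $raw);
    $text = trim($text);

    // Drop HTML/PHP tags entirely. Entities such as &lt; are left untouched.
    $text = strip_tags($text);

    // Count characters, not bytes, so "Mäkinen" is not penalised for UTF-8.
    $len = mb_strlen($text, 'UTF-8');
    if ($len < $min || $len > $max) {
        return null;
    }
    return $text;
}

/**
 * Encode for output inside HTML text content. This is done at render time
 * regardless of what was stripped on input (defence in depth), which is the
 * role the HTML Entity Encoder textformatter plays in ProcessWire.
 */
function renderAbout(string $stored): string
{
    return htmlspecialchars($stored, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed sample submissions (not real user data).
$inputs = [
    // Valid: punctuation, an apostrophe, a line break and a non-ASCII name,
    // all of which [a-zA-Z]{30,250} would refuse.
    "Hi, I'm Mäkinen. I write C++ and like coffee.\nSee you around!",
    // Tag injection attempt: the <script> element is removed, the text stays.
    "Nice profile <script>alert(1)</script> here, lots of text to pass the length check.",
    // Pre-encoded payload: strip_tags leaves the entities alone; encoding on
    // output turns the '&' into &amp; so the browser never sees a real tag.
    "Look: &lt;img src=x onerror=alert(1)&gt; this stays as literal text to the reader.",
    // Too short: rejected server-side even if the browser-side check was skipped.
    "short",
];

foreach ($inputs as $raw) {
    $clean = sanitizeAbout($raw);
    if ($clean === null) {
        echo "REJECTED: " . json_encode($raw) . "\n\n";
        continue;
    }
    echo "stored:   " . json_encode($clean) . "\n";
    echo "rendered: " . renderAbout($clean) . "\n\n";
}
```

Run it with `php about.php`. One caveat worth knowing before relying on tag stripping alone: strip_tags() treats a `<` that is not followed by whitespace as the start of a tag and discards everything up to the next `>`, so ordinary prose like "I have <3 cats but >2 dogs" loses text silently. That is a second reason to make entity encoding at output time the primary defence and tag stripping at input time the extra precaution, rather than the other way round.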