I have a contact form on a web site; just ordinary html in a php page:
<textarea name="message" id ="message" rows="10" cols="30"> </textarea>
I didn't yet sanitize the input as I figured that it was only going to be sent as an email anyway...
Interestingly, the spammers have found a way of attaching/inserting what appears to be a .PDF doc to the message.
My two questions are:
1. How are they doing this? I can't seem to find a way to insert a document or attach a document to a message in a textarea, so how can they?
2. Will sanitizing the input with strip_tags and htmlspecialchars stop them doing it?
Thanks.
Edit:
Thanks for getting back to me - here is a screen shot of one of the emails; as you say, gmail seems to be picking up the url:
I don't suppose I should click on that link, hey?
Without more detail, I can only guess. <textarea> does not allow attaching a file, only text (string of any characters). It would allow including a URL in the text. If you send this URL-containing text via email, your email reader likely recognizes the URL-string and converts it to a clickable link. So, strictly speaking, the PDF file is not appended to the email, but a link to the PDF is.
If this is the case, sanitizing for HTML tags won't work but sanitizing for URLs will.
Related
is there any way to prefill textarea with link of page that user is trying to share but so that he can´t delete it. I am talking about sharing form via email.
The form is obviously done in php.
Edit:
I used the field Edit Summary but I don´t see it anywhere so it may be here twice I can be blind :D
The onlyread function is not what I´ve wanted. User is allowed to write into textarea but the part of the text hasn´t be touchable. As junkfoodjunkie said it seems like the only way to do it. But still posting some advices if you see the whole code may change it.
most inputs can use readonly="readonly" to prevent predefined values from being edited.
<textarea name="verbage" readonly=readonly cols="5" rows="9">
Can't touch this
</textarea>
<input type="text" name='moreverbage" readonly=readonly value="NO EDITING ALLOWED">
If the mail sending is done via PHP, just have that default text be part of the server-side send-mail script, and put it in if the text in the message / textarea doesn't contain the default text. You cannot trust client side solutions, and all of the solutions mentioned above is removed by a simple code-editor (Firebug, for instance), before clicking submit.
Check the content in the mail-sending script, and if the default text isn't there, either replace or add/prepend the text you want.
I am working on a php project which involves jquery and ajax. The data gets processed through ajax call and the message gets displayed in an email dialog box.
I want the email to be html enabled but the thing is that html tags should be invisible for display before hitting send button. Looking for some help. Thanks in advance.
You can display the content using javascripts innerHTML. It will show the content as marked up by the html, not the html tags and plain text.
Have you tried any code yet? It is not clear what you are trying to do, perhaps you wish for the user to be able to edit the email, if so you would need to use a script that supported your needs.
You say the you are displaying the response which you get from the php server. This approach is not so tidy but if you want this might be a simple solution. Use php strip_tags() and create a different response and add it to your response string with an identifiable key. The you have two response values which one can be used to show to the user and the other can be emailed which contains the original html included response.
you can display the response without the html tags to the user.
Your question is unclear. Are you displaying the response of the ajax call in a textarea? If so, then you can't get rid of the html tags because you will lose all the formatting.
If the content needs to be editable then perhaps try an embedded WYSIWYG editor such as TinyMCE.
If the content doesn't need to be editable then simply insert the html into a div instead of a textarea. See https://api.jquery.com/html/
If you simply want to strip tags then the strip_tags() PHP function will do that for you.
I am very new to this. I have a Joomla website and want to do something simple. Using FormMaker and Artetics ArtSQL, I want to have users enter information into a form, then have the information displayed in an article.
HOWEVER... When information is entered into a form, the information that is sent to the MySQL database isn't always correct. For example, I see br instead of multiple choice answers.
When the information is displayed using ArtSQL, the funky letters show up also. I CANNOT figure out how to get rid of these special characters. Can someone please help? Thank you.
Without knowing the extension, this could be achieved by putting the test variable through the strip_tags function in PHP. You'd need to add something like this to the controller file before it gets inserted into your table:
<?php
echo strip_tags($text);
?>
It will remove the tags from the string, like the <br> tags, and other HTML elements.
If you're not sure what you're doing, it may be better contacting the third-party that created the extension, as has already been mentioned.
I have a html form with some text input and a file input (image logo).
Now, if there is an error with one of the text inputs (like length is invalid) when the user click the submit button [client->server(php)->client], the content of the file input is cleared which is annoying!
I set others text input with last values when the page submits with an error, but I cant with a file input. I tried to set the file input value with document.getElementsByName('logo')[0].value; to set it in a hidden value but I got the path "C:\fakepath\random-0690.JPG"... this is so shocking, I know its for security purposes but it is shocking...
How i can resolve that? Thanks.
It's not possible. You cannot remotely set the value of a file input as a basic security measure. If you could, then it'd be trivial to do <input type="file" value="/etc/passwd" name="pwn3d" /> and steal any file you want from the user's machine.
There's nothing shocking about it at all. Live with it, or enjoy having your files stolen.
I found the answer !
This is simple, I created an AJAX call that send the form contents and validate if everything is okay. Then if there are errors, display these (and it will keep the values and file attachments in the form) .. Else : Send the post form and the attached file.
One field in our website's sign-up form is occasionally left blank yet we need it to include one sentence that for legal reasons must not be editable. This is then later used as part of the user's profile and will sit in the same place if they added content to that field too during the initial sign-up.
How can we populate this single field with an uneditable/undeletable sentence, yet allow text to be added above it if the user chooses to?
Currently the field in question looks like this:
<textarea name="description" id="eBann" rows="2" maxlength="1500" cols="20" onKeyUp="toCount('eBann','sBann','{CHAR} characters left',1500);"><?php echo $description;?></textarea>
Why don't you just use the input for the optional extras and put the uneditable part in the HTML directly below it? For the prompt use something like: "Here's our sentence, if you want to add your own comment, enter it here." In the form processing script, just concatenate it with the static sentence.
Any HTML form can be changed by the user (even if it says readonly). The only way to do this safely is either server-side when they submit the form, or server-side when you get and output the information.
EDIT:
With dual languages (I'm assuming human language, not programming!), you'll definitely want to output the string with the rest of the information, and never store it in a database. That'll help you in case you ever want to change what the string is, and also will allow localisation for different languages.