How do I filter a Sitefinity form paragraph text box to disallow URLs? - regex

My company is getting a few (3-5) spam emails per day through a customer contact form. The reCaptcha we are using isn't blocking them for some reason, but they are so few perhaps there is an actual human involved.
One thing they have in common is some kind of URL link in the paragraph text box meant for additional comments. There isn't any reason for actual customers to be posting URLs, so we figured we could just set the validation to exclude them and call it a day. But, I can't get it to work.
When editing the text box, I've gone to Advanced > Model > ValidatorDefinition so I can enter my custom regular expression code for disallowing anything with http/https/ftp:
^(?!((http[s]?|ftp):\/)?\/?)
But I'm having trouble determining what field to enter this in and what other fields I need to change to make sure this works properly. From this article, it seems the ExpectedFormat field should be Custom, but where does my regular expression code go? Putting it in the RegularExpression field is activating the RegularExpressionViolationMessage for any content whatsoever, not just for URLs, so I suspect my regular expressions may be wrong even if I have it in the right place.

I cannot really speak to the configuration part. The linked docs look pretty clear.
If you are in a dynamic module, this post might help:
You can find a regex field in the ModuleBuilder module -> Your module
-> Your module type -> Click on the desired field for the regex validation -> select "limitation" tab (example).
Regarding the regex itself, try it like this (demo)
^((?!(?:(https?|ftp)(?::\/\/))).)*$
You might need to add a (?s) single line flag: (?s)^((?!(?:(https?|ftp)(?::\/\/))).)*$
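To see how that pattern behaves on real submissions, and why the (?s) flag matters, here is an added Python check that is not part of the answer or of Sitefinity. It runs the answer's regex as written (Python's re module supports the same negative lookahead and inline (?s) flag as .NET) over a handful of constructed comment-box inputs:

```python
import re

# Pattern from the answer above, verbatim: match only when no http://, https://
# or ftp:// appears anywhere in the text. Python's re supports the negative
# lookahead and the (?s) inline flag the same way the .NET engine does.
NO_URL_PATTERN = r"^((?!(?:(https?|ftp)(?::\/\/))).)*$"
NO_URL_PATTERN_DOTALL = "(?s)" + NO_URL_PATTERN   # "." also matches newlines

# Constructed sample submissions (not real form data).
SAMPLES = {
    "plain": "Please call me back about my order.",
    "http": "Check out http://example.com/deal now",
    "https_mid": "hello https://example.com",
    "ftp": "ftp://example.com/files",
    "multiline_plain": "First line of a normal comment.\nSecond line.",
    "multiline_url": "Looks fine here\nhttp://example.com hidden on line 2",
    "bare_domain": "visit example.com for details",
}


def passes(text, pattern=NO_URL_PATTERN):
    """True when the submission passes validation (the pattern matches the whole text)."""
    # The pattern carries its own ^ and $ anchors, so re.match is sufficient.
    return re.match(pattern, text) is not None


def classify(samples, pattern=NO_URL_PATTERN):
    """Map each sample name to whether the validator would accept it."""
    return {name: passes(text, pattern) for name, text in samples.items()}


if __name__ == "__main__":
    for label, pattern in (("without (?s)", NO_URL_PATTERN),
                           ("with (?s)", NO_URL_PATTERN_DOTALL)):
        print(label)
        for name, ok in classify(SAMPLES, pattern).items():
            print(f"  {name:16} {'accepted' if ok else 'REJECTED'}")
```

Without (?s), the multi-line sample with no URL is rejected because `.` stops at the newline, which is the "violation message for any content whatsoever" symptom the question describes once a comment box spans more than one line; with (?s), only the samples that actually carry a scheme are rejected. Note that `bare_domain` passes in both variants: the pattern blocks explicit http/https/ftp schemes, not scheme-less links such as example.com.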

Related

Chrome Developer Tools - Use filter text field to match multiple requests

In Chrome Developer Tools, I want to use the filter text field in the Network panel to match multiple requests, for example, to show all requests with names containing either "coda" or "smart".
Also, supposing I have 10 images with names image[0-9].jpg (image0, image1,...image9), what expression do I write to match them all?
I have checked the Developer Tools documentation on said subject, but it didn't help. Also, the regex checkbox in this picture isn't available in my own developer tools (Chrome 71)
I finally figured it out.
For the first part: /\bcoda|smart\b/
For the second part: /image\d.jpg/
The regex checkbox isn't available because the filter text field already supports regex expressions.

Kimono Regular Expressions for pagination

I'm trying to use kimono to paginate a URL.
I don't like to ask for help, but this time I really tried by myself, without success. I tried to read about regular expressions, and I also searched in forums, with no luck.
I wrote to Kimono support, but they didn't answer my emails asking for the correct formula.
The specific URL is http://www.falabella.com/falabella-cl/category/cat690251/Zapatos-Mujer?No=0&Nrpp=40
By default, the pagination method provided by Kimono doesn't work for this.
This page has numbers from 1 to 8 (and a symbol '>' which cannot be selected).
So, I click on 'pagination', but when I select a number, let's say the '8', Kimono will just paginate the EIGHTH page,
which seems logical when I check the advanced pagination menu, because the formula used is: /^()(8)()$/
So, my attempts were directed towards providing the formula with a range, something like:
/^()(2-8)()$/ but it doesn't work.
Kimono won't allow me to use just (2-8) because they force the user to input a formula with this fixed format: /()()()/
Which expression should I try?
I tried double-clicking the '>' symbol and it seems to work, but out of three tries, it throws an error in two.
Some error codes are:
E5: Kimono could not create an API
E10: No elements found for all selectors
E20: Pagination Error: Selector not found
The regular expression when I click '>' is: /(\t\t\t)([^]*?)(\t\n\t)/
Nor does double-clicking the numbers work: /^()([^]*?)()$/
Please help.
Please excuse my English
Your problem is that the 'next page link' cannot be selected by clicking (because it is an image, rather than text). In order to make pagination work on this page, you'll need to manually enter the selector using 'advanced mode' instead of relying on the click.
To do this:
Set up your API with all the desired data properties
Click the blue pagination button in the toolbar
Go to the data model view
Click 'Advanced'
Scroll down to the 'Pagination' property
Enter div#bul-flecha-derecha > a#pre-page as your selector
Leave the default regular expression
Click submit to save the changes
Click Done and name and create your API

How to allow a text box accepting only specific HTML tags?

I have a textbox in my MVC view that allows the user to input HTML tags, but only a few tags (such as B, I, U, and A).
For this, I have set ValidateInput attribute on my POST action to False, so it allows users to input HTML tags.
But now I want to restrict users from inputting other HTML tags such as INPUT, SCRIPT, etc. I mean, anything except the ones which I want to allow.
I guess, one way is to use a regex, but I am unable to find a proper regex for this.
Any idea of how to achieve this? Any help on this much appreciated.
Thanks and Regards
That's dangerous, man. Your users could still insert undesired tags using some tricks, for example encoding data. Even if you try to think all the possible ways a user can employ to enter "dangerous" tags in your code, he'll find an additional one.
So you should try to look for some kind of proven solution to your problem. Look for an HTML sanitizer; for example, Google "ASP.NET MVC sanitize html input" and you'll find several solutions. The AntiXSS library could be a good solution: now it's called the Microsoft Web Protection Library. You can include it in your solution as a NuGet package:
Install-Package AntiXSS
I recommend you to read this article to get a deeper view of the problem and its solutions:
.NET HTML Sanitation for rich HTML Input
In this article you'll find AntiXSS and a less restrictive solution, with a full explanation of pros, cons, and how it all works. Don't miss the references in the comments.

How can I create a google-analytics profile that will include stuff that matches ANY (not ALL) of my filters?

I have a test profile in my google analytics account, and ultimately I'd like that profile to include all of the following:
all requests to the test.mydomain.com subdomain
all requests that include "test.mydomain.com" somewhere in the URI
all events that include "test.mydomain.com" somewhere in the category
I had originally tried creating 3 filters on that profile (one for each of the above), but it appears that google-analytics profiles only include things that match ALL filters.
I tried using an advanced filter to combine the above 3 items together into one field, so that I could then just search that field using a regex, but I'm not having much luck... Here's what I have so far:
Filter 1:
which should result in "|test|test" being placed into Custom Field 1 (assuming I had "test.mydomain.com" somewhere in the event category and "test.mydomain.com" as the Hostname)
Filter 2:
which should result in "|test|test|test|" being placed into Custom Field 2 (assuming I had "test.mydomain.com" somewhere in the Request URI).
Filter 3:
which should make it so my profile includes all items where "|test|" appears somewhere in Custom Field 2.
Unfortunately, that's not working, as my test profile is always empty. My "include everything" profile is showing that my requests are coming through and that they do include "test.mydomain.com". I've tried other variations of the above filters, such as setting my advanced-filter regular expressions to ".*", so that they simply concatenate the full Category, Hostname, and Request URI together into Custom Field 2 and then adjusting filter 3 accordingly, but still nothing comes through on that profile. I understand that changes made to profiles can sometimes take a couple of hours to start showing up (https://support.google.com/analytics/answer/1638635?hl=en), but my test filters have been set up for days, so Google should have applied them by now.
Does anyone have an idea what I might be doing wrong? Am I just misunderstanding how the advanced filter works?
Does anyone know of a way to inspect the value of "Custom Field 1" and/or "Custom Field 2" so I can see if those are being built correctly?
You can accomplish this with 4 filters (3 advanced, 1 include). If any of the requirements are satisfied, write "ok" in one of the custom fields. Then do an include on that custom field that matches "ok".
filter 1 - advanced
field a - hostname
extract a - test.mydomain.com
output to - custom field 1
constructor - ok
Use the above concept for the remaining 2 conditions. Then do an include on custom field 1 = ok
I found the issue. The technique that I outlined in my original question, or the technique suggested by Andy should work fine. The problem in my specific example is that google-analytics filters do not have full support for regular expressions. In particular, they do not support the positive lookahead in my example. The other part of my issue was that I sometimes wasn't waiting long enough before testing my profile changes (google can sometimes take a few hours before applying the changes).
To see what regex options google does support, see https://support.google.com/analytics/answer/1034324?hl=en. I originally thought that page was a "getting started with regular expressions" page, but, apparently, that might be all of the regex language that google supports.
If you are unsure if there are parts of your regex that google doesn't support, you can test it on the google-analytics site directly, and in realtime on live data (without waiting for google to apply your profile changes), by navigating to Content > Site Content > All Pages in your Profile, then click on "Advanced" at the top of the "Primary Dimension" table, then change the match type to "Matching RegExp" (see https://support.google.com/analytics/answer/2936903?hl=en). There you can enter in your regex, and if google doesn't support part of your regex, it will tell you immediately when you click "Apply" (not sure why they don't include that regex validation on their profile filter page...). You will also be able to see it immediately filter the content of that table.

ColdFusion how to Prevent XSS Attacks in a WYSIWYG

I have a WYSIWYG editor in my ColdFusion app and need to prevent XSS attacks. Are there any ColdFusion ways to strip out all script-type attacks?
http://blog.pengoworks.com/index.cfm/2008/1/3/Using-AntiSamy-to-protect-your-CFM-pages-from-XSS-hacks
http://code.google.com/p/owaspantisamy/downloads/list
The main question I would ask is what is this WYSIWYG for? Many WYSIWYGs allow you to define specific tags to be stripped out of the code.
For instance you can have TinyMCE strip out the script tags with
http://wiki.moxiecode.com/index.php/TinyMCE:Configuration/invalid_elements
This unfortunately does not solve your problem since all client-side data form submissions are circumventable. If you must use a WYSIWYG, then what you really need to make sure to do is to cover all your bases on the form's validation and display. You can strip out all script tags and make sure to remove any event attributes and javascript code in links' href attributes.
If it is acceptable to only allow a specific subset of tags I would suggest either using BBML, BBCode, or Markdown.
http://www.depressedpress.com/Content/Development/ColdFusion/Extensions/DP_ParseBBML/Index.cfm
http://en.wikipedia.org/wiki/BBCode
http://sebduggan.com/projects/cfxmarkdown
You can use TinyMCE as a WYSIWYG for BBCode http://tinymce.moxiecode.com/examples/example_09.php and StackOverflow uses a great markdown editor http://github.com/cky/wmd
Here is some good info if you would like to render BBCode in ColdFusion:
http://www.sitepoint.com/forums/showthread.php?t=248040
Something to consider is that while stripping the tags out in the browser with TinyMCE is a good idea, it makes a fatal assumption that the user is going to be submitting content via the browser. Anything that you do in the browser needs to be duplicated on the server because attackers can bypass any validation that happens in the browser.
With that said check this article: http://www.fusionauthority.com/techniques/3908-how-to-strip-tags-in-three-easy-lessons.htm which spells this out in more detail than I could here. Basically it discusses using regex and UDFs to strip tags out easily. The last example is particularly important... check it out.
To convert these tags (< and >), use the HTMLEditFormat function.
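Both this thread and the ASP.NET MVC question above (allow only B, I, U and A) come down to the same server-side rule the answers describe: parse the submitted HTML and keep only an allow-list of tags and attributes, rather than trying to regex away the bad ones. The following Python sanitizer is an added example and is not code from any answer, from AntiSamy or from AntiXSS; the tag and attribute allow-list and the constructed test inputs are my own choices. It uses the standard library's html.parser, which decodes entity-encoded attribute values before the scheme check runs, so the encoding tricks the MVC answer warns about are caught, and it drops event attributes and javascript: hrefs as the ColdFusion answer recommends:

```python
import html
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Allow-list (assumption matching the MVC question): keep only these tags,
# and on <a> only an href whose scheme is harmless. Everything else is dropped.
ALLOWED_TAGS = {"b", "i", "u", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_SCHEMES = {"http", "https", "mailto", ""}   # "" = relative link
DROP_CONTENT_TAGS = {"script", "style"}           # text inside these is discarded too
# Browsers ignore tab/CR/LF anywhere in a URL and leading/trailing C0 controls,
# so the scheme check must ignore them as well or "java\tscript:" slips through.
C0_AND_SPACE = "".join(chr(c) for c in range(0x21))


def clean_href(value):
    """Return a normalised href if its scheme is allowed, else None."""
    if value is None:
        return None
    cleaned = re.sub(r"[\t\r\n]", "", value).strip(C0_AND_SPACE)
    scheme = urlparse(cleaned).scheme.lower()
    return cleaned if scheme in SAFE_SCHEMES else None


class AllowlistSanitizer(HTMLParser):
    """Rebuild the fragment from parser events, emitting only allow-listed markup."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []     # stack of emitted tags, used to keep output balanced
        self.skip_depth = 0     # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self.skip_depth += 1
            return
        if tag not in ALLOWED_TAGS:
            return              # drop the tag itself but keep its text content
        safe = ""
        for name, value in attrs:   # names are lowercased, values entity-decoded
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue        # silently drops onclick=, onerror=, style=, ...
            href = clean_href(value)
            if href is not None:
                safe += f' {name}="{html.escape(href, quote=True)}"'
        self.out.append(f"<{tag}{safe}>")
        self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if tag in self.open_tags:
            # Close everything opened after this tag so the output nests properly.
            while self.open_tags:
                opened = self.open_tags.pop()
                self.out.append(f"</{opened}>")
                if opened == tag:
                    break

    def handle_data(self, data):
        if self.skip_depth == 0:
            # Text is re-escaped, so a literal "&lt;script&gt;" stays inert.
            self.out.append(html.escape(data, quote=False))

    def result(self):
        while self.open_tags:   # close anything the user left open
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize(fragment):
    """Return the fragment reduced to the allow-listed subset of HTML."""
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    parser.close()
    return parser.result()


if __name__ == "__main__":
    # Constructed inputs of the kinds the answers above mention.
    for sample in [
        '<b>bold</b> and <a href="https://example.com">link</a>',
        '<script>alert(1)</script>hello',
        '<a href="&#106;avascript:alert(1)">x</a>',
        '<a href="https://example.com" onclick="steal()">x</a>',
    ]:
        print(repr(sample), "->", repr(sanitize(sample)))
```

The design point is that the allow-list lives on the server and is applied to the parsed document, not to the raw string, so `<B>`, `<b >`, entity-encoded schemes and unquoted attributes all collapse to the same decision. Comments, declarations and the text inside script/style elements are discarded outright, and stray or unbalanced close tags are normalised so the stored fragment cannot break out of the page it is later rendered into. A maintained sanitizer such as the ones the answers name covers far more of HTML than this one (tables, images, CSS), which is why they remain the right choice for a production editor.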