
I'm trying to check the textarea submitted in a form to see if it contains any URLs. There are many posts here, and elsewhere, that deal with this. The accepted method seems to be to use regex. This is the code I am using, though I've tried many of the others I've run across.

    (/(\b(((https?|ftp|file|):\/\/)|www[.])[-A-Z0-9+&@#\/%?=~_|!:,.;]*[-A-Z0-9+&@#\/%=~_|])/i)

In almost all cases, the above works. But emails are still getting through that contain something like this:

    _a href="http://example.com/"_online casino games_/a_

If I try submitting the form with the above in the message, the code identifies it, as it should. But, somehow, spammers are still getting them through. A few of the posts I've read on this subject said it was not possible to catch all instances due to the possible ways to enter the URLs. I'm assuming these get by due to the _a, but since it works when I try it, I've no way to troubleshoot it. Does anyone know how to stop these?

  • Is this performed in JavaScript? If so you should be retesting on the server side, are you? - If not there is nothing to stop posting to the underlying target URL bypassing the checks. – Alex K. Apr 18 '18 at 14:38
  • Yes, it is done with JavaScript. And when I tested it, I used the live site and form the spammers use. – user3052443 Apr 18 '18 at 15:01
  • I could look at the page source, find out the URL the form was posted to and send it whatever I like, completely bypassing your JavaScript check - that's why validation must be repeated on the server side. – Alex K. Apr 18 '18 at 15:03
  • Are you able to bypass the validation code completely? That is, if I change the JavaScript to check it via a PHP script, would that work? Or what if I add a hidden variable in the script that only gets filled in by the validation code? That way, if it is bypassed, the form won't work because the variable won't be set. – user3052443 Apr 18 '18 at 16:18
  • Then I could look at the code, see the hidden value and carry on doing whatever I like. The rule is to always re-validate on the server side, see https://stackoverflow.com/a/162579/246342 for an explanation. – Alex K. Apr 18 '18 at 16:25
  • OK, I understand now. Thank you for your patience. I will add PHP code to double-check the input. – user3052443 Apr 18 '18 at 18:45
