Using webform regularly, I noticed that for most of the textfields, I don't want any HTML in them (like when I ask for first name, last name...). I know that webform sanitizes these fields with check_plain(), but I'd much rather completely forbid any HTML where I can.
OK, I'm probably a bit paranoid, but try to add some javascript in one of these fields with the webform full debug enabled... or if you follow what is in here (http://drupal.org/node/323666) to send confirmation emails, you could be sending the full content of your un-sanitized textfield in an email.
So, I've been writing a simple rule to check if there are any HTML tags in a textfield (patch attached, but there might be better ways of doing it).
I don't know if you will consider it a worthy addition in your next release (I know that we could achieve the same rule by using the regexp one), but I thought that if there's something simple already in there, more people are likely to use it and reduce the XSS risk of some of their forms.
| Comment | File | Size | Author |
|---|---|---|---|
| (original post) | webform_plaintext_rule_20100427a.patch | 1.04 KB | tlaurent |
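For readers who want to see what such a "no HTML" rule looks like, here is an added example sketch of a plaintext validator for the webform_validation module. It is not the attached patch and not the module's own code; the hook names and the validator definition keys follow webform_validation's API as I understand it and are an assumption, while the check itself is plain PHP.

```php
<?php
// Added example (not the attached patch). Assumes the webform_validation
// module's hook_webform_validation_validators() / hook_webform_validation_validate()
// API; the module name "example_plaintext" is hypothetical.

/**
 * Implements hook_webform_validation_validators().
 * Registers a "plaintext" rule that can be attached to text components.
 */
function example_plaintext_webform_validation_validators() {
  return array(
    'plaintext' => array(
      'name' => t('Plain text (no HTML)'),
      'component_types' => array('textfield', 'textarea'),
      'description' => t('Rejects the submission if the field contains HTML tags.'),
    ),
  );
}

/**
 * Implements hook_webform_validation_validate().
 * Returns an array of error messages keyed by component id.
 */
function example_plaintext_webform_validation_validate($validator_name, $items, $components, $rule) {
  if ($validator_name != 'plaintext') {
    return array();
  }
  $errors = array();
  foreach ($items as $key => $value) {
    if (_example_plaintext_contains_html($value)) {
      $errors[$key] = t('%item must not contain HTML.', array('%item' => $components[$key]['name']));
    }
  }
  return $errors;
}

/**
 * TRUE when the value contains anything strip_tags() would remove.
 * This catches "<script>", "<a href=...>" and unclosed tags. A "<" followed
 * by whitespace (e.g. "a < b") is left alone by strip_tags(), so it passes;
 * "1<2" does not, which is a deliberately conservative false positive.
 */
function _example_plaintext_contains_html($value) {
  $value = (string) $value;
  return strip_tags($value) !== $value;
}
```

The rule only rejects input; output that is rendered or mailed still needs check_plain() or an equivalent, since a later code path may bypass the form validation.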
Comments
Comment #1
svendecabooter: Thanks for your contribution!
The patch seems fine at first sight, although I will have to test it some more.
It seems like a reasonable validation rule to be included in the module.
Assigning this to me to get back to it.
Comment #2
svendecabooter: committed to HEAD