TEXT_SUBS Setting

This page documents the TEXT_SUBS configuration setting in FormMail.

Type Of Setting

TEXT_SUBS is a LEAVE setting, which means...

LEAVE : you can change this setting if you really need to and know what you're doing, but we recommend that you leave this setting unchanged.

Précis

Text substitutions.

Description

The problem: you want HTML that is entered in, or specified by, your form to appear in the emails FormMail sends, but passing form values through unchanged is insecure, because an attacker can submit script or other active content in them.

TEXT_SUBS solves this problem.

The template_list_sep feature was the primary motivation for TEXT_SUBS. With it you often want to add list separators, table row or column tags, and so on, to format the results you receive from a list field.

Because template_list_sep is specified in your HTML, it is submitted by the browser like any other field, so you cannot prevent an attacker from sending their own value for it.

With TEXT_SUBS, FormMail sanitizes the submitted value so that any HTML it contains is safe to send to you.

Tectite FormMail has always sanitized almost everything it receives. Because of that, it was not possible to include HTML tags in substitutions until the TEXT_SUBS feature was implemented (version 8.27).

TEXT_SUBS is an array, where each element is an associative array containing two elements:

  • srch - the PHP (PCRE) regular expression to search for, including its delimiters and any modifiers such as i
  • repl - the replacement string; it may refer to groups captured by srch as $1, $2 and so on

Useful Values

The default value for TEXT_SUBS (see below) provides these useful strings you can use:

Use this …        To get it replaced with this …
\r\n              an actual carriage return and line feed (the Windows line termination sequence)
\n or [NL]        an actual line feed (the Linux and Unix line termination sequence)
\t or [TAB]       an actual tab character
[NBSP]            the HTML entity &nbsp;
[DQUOT]           a double quote (")
[SQUOT]           a single quote (')
[COLON]           a colon (:)
[SLOSH]           a backslash (\)
[OPCURL]          an open curly bracket ({)
[CLCURL]          a close curly bracket (})

Substitutions are performed in the order they appear in TEXT_SUBS. Text produced by an earlier replacement is not searched again by later entries, so the order of the entries matters if you add your own.

Default Value

$TEXT_SUBS = array(
    /* escape sequences typed in the form's HTML: in a PHP double-quoted
       string "/\\\\r\\\\n/" is the PCRE pattern \\r\\n, which matches the
       literal characters backslash-r backslash-n rather than a real CRLF */
    array("srch"=>"/\\\\r\\\\n/","repl"=>"\r\n",),
    array("srch"=>"/\\\\n/","repl"=>"\n",),
    array("srch"=>"/\\\\t/","repl"=>"\t",),
    /* bracketed placeholders; "\[" keeps the bracket literal in PCRE */
    array("srch"=>"/\[NL\]/","repl"=>"\n",),
    array("srch"=>"/\[TAB\]/","repl"=>"\t",),
    array("srch"=>"/\[NBSP\]/","repl"=>"&nbsp;",),
    array("srch"=>"/\[DQUOT\]/","repl"=>'"',),
    array("srch"=>"/\[SQUOT\]/","repl"=>"'",),
    array("srch"=>"/\[COLON\]/","repl"=>":",),
    array("srch"=>"/\[SLOSH\]/","repl"=>"\\",),
    array("srch"=>"/\[OPCURL\]/","repl"=>"{",),
    array("srch"=>"/\[CLCURL\]/","repl"=>"}",),
    /* strip html attribute names that could be unsafe: event handlers (on*),
       href and src, together with the "=" that follows them */
    array("srch"=>"/(on[a-z]*|href|src)\s*=\s*/i","repl"=>""),
    /* re-emit opening and closing tags from the allowed list; "\$1" puts a
       literal $1 into the replacement so preg_replace() expands the captured
       tag name. Tags not on the list are not touched by these two entries. */
    array("srch"=>"/<\s*(table|tr|td|th|p|ul|ol|li|b|i|u|strong|pre|h[1-6]|em|dl|dd|dt|hr|span|br)(\b[^>]*?)>/i","repl"=>"<\$1\$2>",),
    array("srch"=>"#<\s*/\s*(table|tr|td|th|p|ul|ol|li|b|i|u|strong|pre|h[1-6]|em|dl|dd|dt|hr|span|br)\s*>#i","repl"=>"</\$1>",),
    );
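The following PHP is an added example, not FormMail's own code. It applies a TEXT_SUBS-style list (a subset of the default entries above) to some constructed form values, so you can see what each srch/repl pair does to a template_list_sep value. It assumes that FormMail applies the entries one after another with preg_replace(); the page does not show FormMail's internal function, so the applyTextSubs() loop and the sample inputs are illustrative only.

```php
<?php
// Added example, not FormMail's own code: applies a TEXT_SUBS-style list of
// substitutions to constructed form values. It ASSUMES that FormMail applies
// each entry in turn with preg_replace(); the page does not show the internal
// function, so treat the loop as an illustration of the setting's semantics.

function applyTextSubs(array $subs, string $text): string
{
    foreach ($subs as $sub) {
        $out = preg_replace($sub["srch"], $sub["repl"], $text);
        if ($out === null) {
            // A malformed pattern makes preg_replace() return null; fail closed
            // instead of passing the unsanitised value through.
            throw new RuntimeException("bad TEXT_SUBS pattern: " . $sub["srch"]);
        }
        $text = $out;
    }
    return $text;
}

// A subset of the default entries. In a PHP double-quoted string "\\\\n" is
// the three characters \\n, which PCRE reads as "a literal backslash, then n".
$subs = array(
    array("srch"=>"/\\\\n/",     "repl"=>"\n"),
    array("srch"=>"/\[NL\]/",    "repl"=>"\n"),
    array("srch"=>"/\[TAB\]/",   "repl"=>"\t"),
    array("srch"=>"/\[DQUOT\]/", "repl"=>'"'),
    // drop attribute names that can carry script or a URL (only the name and
    // the "=" go; whatever followed them is left behind as plain text)
    array("srch"=>"/(on[a-z]*|href|src)\s*=\s*/i", "repl"=>""),
    // re-emit tags on the allowed list; "\$1" puts a literal $1 into the
    // replacement so preg_replace() expands it to the captured tag name
    array("srch"=>"/<\s*(table|tr|td|th|p|b|i|br)(\b[^>]*?)>/i", "repl"=>"<\$1\$2>"),
    array("srch"=>"#<\s*/\s*(table|tr|td|th|p|b|i|br)\s*>#i",    "repl"=>"</\$1>"),
);

// Constructed inputs, as a template_list_sep value might arrive from a form
// (PHP single quotes keep the backslash in 'a\nb' literal, as a browser would).
$samples = array(
    'a\nb',
    '[DQUOT]x[DQUOT]',
    '<tr><td>[TAB]',
    '</td><td onclick=alert(1) style="x">',
    '< TD HREF = "http://example.invalid" >',
);

foreach ($samples as $in) {
    printf("%-48s => %s\n",
        json_encode($in, JSON_UNESCAPED_SLASHES),
        json_encode(applyTextSubs($subs, $in), JSON_UNESCAPED_SLASHES));
}
```

Run it with the php command-line interpreter. The first three samples show the escape sequences and placeholders turning into real characters and the allowed tags being re-emitted. The last two show the limits of the attribute rule as written: onclick= and HREF = are removed (in any case and with any spacing around the =), but the values that followed them, and attributes that are not in the list such as style, are left in place, and tags that are not on the allowed list are not touched by these entries at all.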
