[Bug] Express, E-Mail, Text & Phone valid input testing incomplete

In an Express Form, there are two Attribute types that I've found that don't sufficiently test for valid inputs:

-Telephone
This field seems to accept any character put into it. I haven't tested, but this might lead to XSS. This really needs to accept only numerical values. Also, this field can accept exceptionally long lists of characters (there doesn't seem to be a limit). Hundreds of thousands of characters, when entered, submit just fine.

-EMail Address
This field doesn't fully check that a valid email and domain were submitted. For example, it accepts "[email protected]", but that isn't actually a usable email address. Also, it doesn't check for valid characters before the @ symbol, so another value it accepts is "[email protected]".

-Text
This attribute type accepts any length (it seems), so this could lead to garbage inputs.


Status: New
BloodyIron replied:
I really need someone to confirm this so we can get this fixed. This is a security concern. :(
mlocati replied:
Phone numbers are not just a sequence of digits.
For instance, users may need to specify an international prefix (e.g. +39 for Italy).
Furthermore, there may be separator characters that users could want, for example:
(1)23456
+39 031-23456
035/12345

It's a big World, and making assumptions often leads to errors.

Furthermore, about email addresses: you may think it's not, but even [email protected] is a valid email address. Sure, in 95% of typical uses it should be considered wrong. But the remaining 5% of users couldn't write their own email address.
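As an added example for this thread (not concrete5 code, and not from either poster), the three checks under discussion can be done server-side like this. It is written for PHP 7.0, the version in the environment report below. The length caps, the accepted phone character set, the "at least three digits" rule and every function name are assumptions made for illustration; mlocati's phone examples are used as the sample inputs.

```php
<?php
// Added example for this thread, not concrete5 code. Length caps, the
// accepted phone character set and all function names are assumptions.
// Written to run on PHP 7.0 (the version in the environment report).

const MAX_PHONE_LEN = 32;    // assumption: longest sane dial string incl. separators
const MAX_EMAIL_LEN = 254;   // RFC 5321: a forward-path, hence an address, is at most 254 octets
const MAX_TEXT_LEN  = 4000;  // assumption: characters, not bytes

/**
 * Phone: digits plus the prefix/separator characters from the examples
 * in the thread ("+39 031-23456", "(1)23456", "035/12345"). The length is
 * checked before the regex so a multi-hundred-kilobyte payload never
 * reaches PCRE (pcre.backtrack_limit is 1000000 in the report; when it
 * is exceeded preg_match() returns false, which is treated as invalid).
 */
function validatePhone($value)
{
    $value = trim((string) $value);
    if ($value === '' || strlen($value) > MAX_PHONE_LEN) {
        return false;
    }
    if (preg_match('/^\+?[0-9()\/.\- ]+$/D', $value) !== 1) {
        return false;
    }
    // Separators alone are not a number: require at least three digits.
    return strlen(preg_replace('/\D/', '', $value)) >= 3;
}

/**
 * E-mail: syntax only. FILTER_VALIDATE_EMAIL is stricter than RFC 5322,
 * so some legal local parts are rejected (mlocati's point). The optional
 * MX/A lookup checks that the domain can receive mail at all, which a
 * syntax check cannot; it needs DNS, so it is off by default.
 */
function validateEmail($value, $checkDns = false)
{
    $value = trim((string) $value);
    if ($value === '' || strlen($value) > MAX_EMAIL_LEN) {
        return false;
    }
    if (filter_var($value, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    if ($checkDns) {
        $domain = substr($value, strrpos($value, '@') + 1);
        return checkdnsrr($domain, 'MX') || checkdnsrr($domain, 'A');
    }
    return true;
}

/**
 * Text: must be valid UTF-8, at most MAX_TEXT_LEN characters, and free
 * of control characters other than tab/CR/LF. No HTML escaping happens
 * here: that is done when the value is rendered (htmlspecialchars(), or
 * concrete5's h() wrapper), and that escaping is the actual XSS defence.
 */
function validateText($value)
{
    $value = (string) $value;
    if (!mb_check_encoding($value, 'UTF-8')) {
        return false;
    }
    if (mb_strlen($value, 'UTF-8') > MAX_TEXT_LEN) {
        return false;
    }
    // 0 = no control character found; 1 or false (PCRE error) = reject.
    return preg_match('/[^\P{Cc}\t\r\n]/u', $value) === 0;
}

// Constructed sample inputs: array(type, value, expected result).
$samples = array(
    array('phone', '+39 031-23456',                 true),
    array('phone', '(1)23456',                      true),
    array('phone', '035/12345',                     true),
    array('phone', '<script>alert(1)</script>',     false),
    array('phone', '+ - / ( )',                     false),
    array('phone', str_repeat('1', 200000),         false),
    array('email', 'user@example.com',              true),
    array('email', 'user@@example.com',             false),
    array('email', 'no-at-sign.example.com',        false),
    array('text',  "two\nlines",                    true),
    array('text',  "null\0byte",                    false),
    array('text',  str_repeat('a', MAX_TEXT_LEN + 1), false),
);

$validators = array(
    'phone' => 'validatePhone',
    'email' => 'validateEmail',
    'text'  => 'validateText',
);

foreach ($samples as $sample) {
    list($type, $input, $expected) = $sample;
    $got   = call_user_func($validators[$type], $input);
    $shown = strlen($input) > 30 ? substr($input, 0, 27) . '...' : $input;
    printf("%-5s %-30s %s\n", $type, addcslashes($shown, "\0..\37"),
        $got === $expected ? 'ok' : 'MISMATCH');
}
```

Run it with the CLI (`php validate.php`, file name assumed); every sample line should print "ok". Two design points worth keeping separate: the phone character set and the length caps are policy choices that stop garbage and oversized submissions, while the XSS concern raised in the report is addressed by escaping at output time, not by any of these checks. Checking length before running a regex also matters on the environment listed below, because a regex that runs out of pcre.backtrack_limit makes preg_match() return false rather than throw, and code that compares the result loosely will silently accept the input.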

concrete5 Environment Information

# concrete5 Version
Core Version - 8.1.0
Version Installed - 8.1.0
Database Version - 20170123000000

# concrete5 Packages
ExchangeCore reCAPTCHA (1.1.1), Fundamental (4.0.1), Styled Maps (1.2.3)

# concrete5 Overrides
blocks/express_entry_detail/templates/get_info_records_details/view.css, blocks/express_entry_detail/templates/get_info_records_details/view.php, blocks/express_entry_detail/templates/get_info_records_details, blocks/express_entry_detail/templates, blocks/express_entry_detail, blocks/express_form/templates/client_feedback_form/view.css, blocks/express_form/templates/client_feedback_form/view.php, blocks/express_form/templates/client_feedback_form, blocks/express_form/templates/get_info_form/view.css, blocks/express_form/templates/get_info_form/view.php, blocks/express_form/templates/get_info_form, blocks/express_form/templates, blocks/express_form, languages/ja_JP/LC_MESSAGES/messages.mo, languages/ja_JP/LC_MESSAGES, languages/ja_JP, languages/el_GR/LC_MESSAGES/messages.mo, languages/el_GR/LC_MESSAGES, languages/el_GR, languages/ru_RU/LC_MESSAGES/messages.mo, languages/ru_RU/LC_MESSAGES, languages/ru_RU, languages/it_IT/LC_MESSAGES/messages.mo, languages/it_IT/LC_MESSAGES, languages/it_IT, languages/es_PY/LC_MESSAGES/messages.mo, languages/es_PY/LC_MESSAGES, languages/es_PY, languages/nl_NL/LC_MESSAGES/messages.mo, languages/nl_NL/LC_MESSAGES, languages/nl_NL, languages/sv_SE/LC_MESSAGES/messages.mo, languages/sv_SE/LC_MESSAGES, languages/sv_SE, languages/cs_CZ/LC_MESSAGES/messages.mo, languages/cs_CZ/LC_MESSAGES, languages/cs_CZ, languages/da_DK/LC_MESSAGES/messages.mo, languages/da_DK/LC_MESSAGES, languages/da_DK, languages/fi_FI/LC_MESSAGES/messages.mo, languages/fi_FI/LC_MESSAGES, languages/fi_FI, languages/pt_BR/LC_MESSAGES/messages.mo, languages/pt_BR/LC_MESSAGES, languages/pt_BR, languages/fr_FR/LC_MESSAGES/messages.mo, languages/fr_FR/LC_MESSAGES, languages/fr_FR, languages/tr_TR/LC_MESSAGES/messages.mo, languages/tr_TR/LC_MESSAGES, languages/tr_TR, languages/de_DE/LC_MESSAGES/messages.mo, languages/de_DE/LC_MESSAGES, languages/de_DE, languages/en_GB/LC_MESSAGES/messages.mo, languages/en_GB/LC_MESSAGES, languages/en_GB, mail/block_express_form_submission.php

# concrete5 Cache Settings
Block Cache - On
Overrides Cache - On
Full Page Caching - On - In all cases.
Full Page Cache Lifetime - Every 6 hours (default setting).

# Server Software
Apache/2.4.18 (Ubuntu)

# Server API
apache2handler

# PHP Version
7.0.13-0ubuntu0.16.04.1

# PHP Extensions
apache2handler, calendar, Core, ctype, curl, date, dom, exif, fileinfo, filter, ftp, gd, gettext, hash, iconv, imagick, json, libxml, mbstring, mcrypt, mysqli, mysqlnd, openssl, pcre, PDO, pdo_mysql, Phar, posix, readline, Reflection, session, shmop, SimpleXML, sockets, SPL, standard, sysvmsg, sysvsem, sysvshm, tokenizer, wddx, xml, xmlreader, xmlwriter, xsl, Zend OPcache, zip, zlib

# PHP Settings
max_execution_time - 60
log_errors_max_len - 1024
max_file_uploads - 20
max_input_nesting_level - 64
max_input_time - 60
max_input_vars - 1000
memory_limit - 128M
post_max_size - 20M
sql.safe_mode - Off
upload_max_filesize - 20M
mysqli.max_links - Unlimited
mysqli.max_persistent - Unlimited
pcre.backtrack_limit - 1000000
pcre.recursion_limit - 100000
session.cache_limiter - (no value)
session.gc_maxlifetime - 7200
opcache.max_accelerated_files - 2000
opcache.max_file_size - 0
opcache.max_wasted_percentage - 5

Browser User-Agent String

Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/55.0.2883.87 Chrome/55.0.2883.87 Safari/537.36