User-defined characters for the validation of EditBoxes break the validation

[Markus]

I am using the old version 15.4.5, but it is possible that this “bug” exists also in the current version.

It took me almost 8 hours to find the solution to this problem and I have aged at least 5 years in the process.

The problem is that my form fields were not validated, although everything looked fine on the surface.

Given is a form with an EditBox, which is declared in the “Validate” tab with the datatype Text (in my case it was an extensive form with many fields and checkboxes, which did not make the search any easier).

In my case, Validation mode is set to “Default”, Data required is activated and Data lenght is configured with Min. = 1 and Max. = 999.

Now at the bottom of the “Validate” tab you have the option of selecting [x] Letters, [x] Digits, [x] Whitespace and [x] Others.

Everything works fine until you (unknowingly) type the probably only wrong character into the “[x] Others” input field. I entered the following characters there: ( ) / \

And apparently the \ (backslash) character broke the entire form validation.

I then found the problem manually in the PHP file in which the form is located. There is the function “submit[formname]”().
There the validation is apparently carried out with a RegEX that starts as follows...
{regexp=/^([0-9a-z]([-.\w]*[0-9a-z])*@(([0-9a-z])+([-\w]*[0-9a-z])*\.)+[a-z]{2,6}

I no longer have the PHP file with the broken validation, but I know that the characters ()/\ were embedded directly in the RegEX. Since the backslash is obviously an escape character, I think it broke the regex expression. I'm not an expert on this, but I can say that the validation worked again after I removed the string ()/\ from the [x] Others input field.

It's a shame that something like this isn't caught. I hope I was able to save other lives with this article, or at least save them from “going crazy while troubleshooting” - as it happened to me.

Greetings
Markus

[BaconFries]

First you should note that WWB15 is no longer supported. Secondly if as you say it is a "Bug" it would have certainly have been "Fixed" by now in any previous versions after it and in WWB20 if it existed at all.

[Markus]

What do you mean, if it existed at all?
Of course it exists - in the version I use. I've been struggling with it for more than enough time today.

Whether it's still there in newer versions can only be determined by someone who recreates the whole thing with a newer version. I don't have a newer version, but I would like to point this out because I don't assume (as you obviously do) that every bug is automatically fixed in newer versions.

This is a bug where input from the WebBuilder user would have to be filtered in a very specific input field because otherwise the wrong character input would cause a RegEX command to explode in the resulting PHP code. It is possible that this problem has never been discovered before, either because no one has ever entered the backslash character there or because no one has ever reported the problem.

[Pablo]

This is not a bug. The 'Other' field is intentionally used "AS IS". It's up to the user to escape characters and to make sure the input is valid.
If I placed a restrictions on properties this then this could lead to other issues / limitations.

Note that this applies to most properties.

[Markus]

Thanks for the feedback, Pablo.

I assume that WebBuilder is (also) aimed at all those who are not able to program a website in pure HTML, CSS, Javascript, etc., because they do not know HTML, CSS, etc., for example. These people, and I include myself in this, will not know what mechanism you use behind the scenes to implement character validation in the resulting website code. And as a result, these people will also not know what dangers or vulnerabilities exist in this mechanism.

Is it mentioned anywhere that the user should use the Other field at their own risk and that the validation is done with a RexEX expression where the user has to escape certain characters? I haven't found anything about this in the help file.

This was not meant to be a personal attack. However, I was still very emotionally upset when I wrote the first post because I had to put many unpaid hours into a project to find the cause. May I be forgiven. The search for the cause took me so long because I first had to understand the resulting code and had to do a lot of research. i am not a web programmer.

[Pablo]

In general, all values of properties are inserted "AS IS".

Unfortunately, it is not always possible to document every exception for every property because there are thousands of options and millions of possible combinations.
But if something does not work then it's usually best to ask on this forum. then you do not have to spend hours to trying to figure it out yourself.