Framework: 'Required' validation rule can be bypassed using special unicode spaces

Created on 20 Dec 2018  ·  3 Comments  ·  Source: laravel/framework

  • Laravel Version: 5.7.14
  • PHP Version: 7.1.17
  • Database Driver & Version: MySql 15.1

Description:

If using the 'required' rule in form validation, it is not possible to enter a string with normal unicode spaces. Ex. (" ", " ")

But if you use special unicode spaces, the validation can be bypassed with a string which looks empty. Ex. (" ", " ")

It seems that the validation is only using PHP's trim() method to remove whitespace, which does not remove all whitespace by default. The trim method accepts a string of characters as a second argument to determine which characters to trim. Could this be used to fix this, or would it be too much of a job to determine which characters to trim?

Is this a Laravel issue, or should the choice to trim more special characters be the user's problem _(or maybe a separate library for this)_?

All 3 comments

I think the biggest challenge is to agree on what is/should be trimmed.

For example, I've been using this for years (not as part of the validation, but for external data):

    /**
     * Matches what we call "unicode whitespace", i.e. normal ASCII whitespace as well as special
     * unicode control and whitespace properties. Use only in regex with /u modifier!
     *
     * By using:
     * - \pZ we match any kind of whitespace or invisible separator
     * - \p{Cc} we match control characters
     * - \x{feff} we match \uFEFF ; in the past known as BOM
     *
     * http://www.regular-expressions.info/unicode.html has a good overview
     */
    const RE_UNICODE_WS = '[\pZ\p{Cc}\x{feff}]';

    /**
     * Like trim() but also handles unicode specific properties
     *
     * @param string $str
     * @return string
     */
    public static function unicodeTrim($str): string
    {
        $str = preg_replace(
            '/^' . self::RE_UNICODE_WS . '+|' . self::RE_UNICODE_WS . '+$/u',
            ' ',
            $str
        );

        return trim($str);
    }

But is it perfect? Is it correct? Is it missing something? 🤷‍♀️

This really needs people with expertise on it and is best left to a dedicated library to be maintained, IMHO.
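To make the report above concrete, here is an added example (not code from the issue, from @mfn, or from laravel/framework) that runs a `trim()`-based required check, like the one the reporter describes, next to a unicode-aware one built on the character class posted above. It assumes PHP 7.0+ for the `\u{...}` escapes, and it extends the posted class with `\p{Cf}`, because U+200B ZERO WIDTH SPACE is a format character (Cf), not a separator (Z), so `\pZ` alone leaves it in place.

```php
<?php
declare(strict_types=1);

// Added example, not part of the laravel/framework issue or its comments.
// PHP's trim() only strips " \t\n\r\0\x0B", so a field that contains only
// other Unicode whitespace still counts as non-empty for a trim()-based check.
//
// Character class based on @mfn's RE_UNICODE_WS, with \p{Cf} added by this
// example: \pZ (separators) and \p{Cc} (controls) do not match Cf characters
// such as U+200B ZERO WIDTH SPACE or U+FEFF (the BOM), so \x{feff} is no
// longer needed as a separate entry.
const RE_UNICODE_WS = '[\pZ\p{Cc}\p{Cf}]';

function unicodeTrim(string $str): string
{
    $out = preg_replace('/^' . RE_UNICODE_WS . '+|' . RE_UNICODE_WS . '+$/u', '', $str);

    // With the /u modifier, preg_replace() returns null for invalid UTF-8.
    // Fall back to the plain string so a malformed payload is not silently
    // turned into "" and then treated as empty input.
    return trim($out ?? $str);
}

// Shape of a trim()-based "required" check on string input (the weak form).
function requiredNaive(string $value): bool
{
    return trim($value) !== '';
}

// The same check using the unicode-aware trim (the hardened form).
function requiredUnicodeAware(string $value): bool
{
    return unicodeTrim($value) !== '';
}

// Constructed inputs; escapes keep the invisible characters visible in source.
$cases = [
    'ASCII spaces'             => "   ",
    'NBSP U+00A0'              => "\u{00A0}\u{00A0}",
    'IDEOGRAPHIC SPACE U+3000' => "\u{3000}",
    'ZERO WIDTH SPACE U+200B'  => "\u{200B}",
    'BOM U+FEFF'               => "\u{FEFF}",
    'real content'             => "\u{00A0}hello\u{200B}",
];

foreach ($cases as $label => $input) {
    printf("%-26s naive: %-6s unicode-aware: %s\n", $label,
        requiredNaive($input) ? 'passes' : 'fails',
        requiredUnicodeAware($input) ? 'passes' : 'fails');
}
```

Only the ASCII-spaces case fails the naive check; every other whitespace-only input passes it and is rejected by the unicode-aware check, while "real content" passes both.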

I think this is more of a behavioral change that could be made. It's best to post these at the laravel/ideas repository to get support for your idea. After that you may send a PR to the framework.

Thanks!

@mfn also some good remarks there 👍
