Umbraco Forms: input validation and sanitisation

hello

The Umbraco Forms Documentation doesn’t really have any information about what input validation and sanitisation (if any) Umbraco Forms has out of the box. Does anybody have any information or know where I could find some? (Asking for Umbraco Forms 13 in particular.)

NB: I’m not really asking about the website frontend (via the regex expressions) but about the server side.

Thanks


Hi @shearer3000

I just had a team member asking me the same thing.
I don’t have an answer, but I hope someone else has :slight_smile:


I don’t believe there is anything apart from what .NET doesn’t allow you to submit.


Fields will be validated server-side. Any validation you add in the backoffice will apply (independently of the frontend), and will also apply to the headless API.

WRT Sanitisation, it depends what you mean. Can I post something to an Umbraco form that’s immediately dangerous? No. Can I post something that could be dangerous… yes.

Here’s a screengrab from v13 forms in the backoffice.

Out of the box, SQLi, XSS, etc. are not something to worry about with Umbraco Forms. I was allowed to post this, but there’s no immediate risk from it unless I then do something with this form data that could allow it to be rendered out unchecked.

You can, and probably should, apply a regex to weed out things like the above (if you don’t want them), but it’s not a big deal. IME, as soon as it becomes an actual infosec concern, the experts will want requests posting things like this to be weeded out by the webserver itself or with a WAF, rather than it being an Umbraco Forms concern.

thanks for that info @JasonElkin - very helpful

I have solved this with the following approach

Add Notification Handler

// Add the notification handler - to listen to Umbraco Forms Validation event
builder.AddNotificationHandler<FormValidateNotification, FormValidateNotificationHandler>();

Notification handler code - uses a regex to check whether the field contents contain HTML

using System.Text.RegularExpressions;
using Microsoft.AspNetCore.Http;
using Umbraco.Cms.Core.Events;
using Umbraco.Forms.Core.Models;
using Umbraco.Forms.Core.Services.Notifications;

/// <summary>
/// Referred from Docs
/// https://docs.umbraco.com/umbraco-forms/developer/extending/adding-an-event-handler
/// </summary>
public class FormValidateNotificationHandler : INotificationHandler<FormValidateNotification>
{
    public void Handle(FormValidateNotification notification)
    {
        var form = notification.Form;
        var httpCtx = notification.Context;

        // Another validator has already rejected the submission; nothing more to do.
        if (notification.ModelState.IsValid == false)
        {
            return;
        }

        // Only inspect regular form posts (the values are read from Request.Form below).
        if (httpCtx.Request.HasFormContentType is false)
        {
            return;
        }

        foreach (var field in form.AllFields)
        {
            if (field is not null)
            {
                // Fields that were not posted (e.g. hidden by conditions) are skipped.
                if (FormDoesNotContainField(field, httpCtx))
                {
                    continue;
                }

                // Posted values are keyed by the field's Id.
                var postedValue = httpCtx.Request.Form[field.Id.ToString()].ToString().Trim();

                if (ContainsHtml(postedValue))
                {
                    // Adding a model error fails validation and shows the message against the field.
                    notification.ModelState.AddModelError(field.Id.ToString(), "HTML is not allowed");
                }
            }
        }
    }

    private bool FormDoesNotContainField(Field field, HttpContext httpCtx) => httpCtx.Request.Form.Keys.Contains(field.Id.ToString()) is false;

    // https://uibakery.io/regex-library/html-regex-csharp
    private readonly static Regex _htmlTagRegex = new Regex("<(?:\"[^\"]*\"['\"]*|'[^']*'['\"]*|[^'\">])+>", RegexOptions.Compiled);

    private bool ContainsHtml(string input) => _htmlTagRegex.IsMatch(input);
}
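As an added illustration (not code from this thread or from Umbraco Forms), here is a small stand-alone console program that runs the same regex over a few constructed inputs: it shows that the check flags tags but also trips on plain comparisons, and that it does nothing for rendering, so a stored value still has to be HTML-encoded when it is written out (the point made earlier in the thread). The class name `FormFieldCheckDemo` and the sample values are assumptions.

```csharp
using System;
using System.Net;
using System.Text.RegularExpressions;

// Illustrative program constructed for this thread; not Umbraco Forms code.
public static class FormFieldCheckDemo
{
    // The same pattern the notification handler above uses.
    private static readonly Regex HtmlTagRegex =
        new Regex("<(?:\"[^\"]*\"['\"]*|'[^']*'['\"]*|[^'\">])+>", RegexOptions.Compiled);

    // Submission-time check: flags anything that looks like a tag.
    public static bool ContainsHtml(string input) => HtmlTagRegex.IsMatch(input);

    // Render-time defence: encode before writing a stored value into HTML,
    // so whatever the submission-time check let through is displayed as text.
    public static string EncodeForHtml(string input) => WebUtility.HtmlEncode(input);

    public static void Main()
    {
        // Constructed sample submissions.
        string[] samples =
        {
            "Jane Doe",                    // plain text: not flagged
            "5 < 10 and 10 > 3",           // plain text, but flagged (false positive)
            "<b>bold</b>",                 // markup: flagged
            "&lt;b&gt;escaped&lt;/b&gt;",  // no literal '<' or '>': not flagged
        };

        Console.WriteLine("flagged | submitted value | encoded for rendering");
        foreach (var s in samples)
        {
            Console.WriteLine($"{ContainsHtml(s),-7} | {s} | {EncodeForHtml(s)}");
        }
    }
}
```

The false positive on "5 < 10 and 10 > 3" is why a check like this is best treated as a validation message for the submitter rather than as sanitisation; encoding at render time is what actually prevents stored values from being interpreted as markup.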