[MGNLFORM-178] Form's Honeypot anti-spam - needed improvements Created: 14/Jun/13  Updated: 15/Dec/15  Resolved: 28/Jun/13

Status: Closed
Project: Magnolia Form Module
Component/s: None
Affects Version/s: 1.4.5, 2.0
Fix Version/s: 1.4.8, 2.0.1

Type: Bug Priority: Neutral
Reporter: Adrien Berthou Assignee: Roman Kovařík
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Relates
relates to MGNLFORM-210 Pluggable Spam detection mechanism fo... Closed
causality
is causing MGNLFORM-275 Skip validation of empty non-mandator... Closed
dependency
depends upon MGNLSTK-1201 Css style for form honey pot Closed
depends upon MGNLSTK-1209 Css style for form honey pot Closed
documentation
to be documented by DOCU-447 New Form Honeypot component Closed
relation
is related to MGNLFORM-191 Honeypot feature not installed on upd... Closed
is related to MGNLFORM-188 Honeypot feature needs label for scre... Closed
Template:
Patch included:
Yes
Acceptance criteria:
Empty
Task DoD:
[ ]* Doc/release notes changes? Comment present?
[ ]* Downstream builds green?
[ ]* Solution information and context easily available?
[ ]* Tests
[ ]* FixVersion filled and not yet released
[ ]  Architecture Decision Record (ADR)
Bug DoR:
[ ]* Steps to reproduce, expected, and actual results filled
[ ]* Affected version filled
Date of First Response:

Description

In form.ftl, the input field "dedicated" to fool the robot is hidden.

<input type="hidden" name="field" value="" />

A couple of problems I see here:
1. The "hidden" type can be detected easily by a bot.
2. Once the form is submitted the first time by a bot, it is then redirected to the form page again. All the form fields are filled in EXCEPT the hidden field (it then has an empty value!). So if the bot resubmits the form a second time (without entering any value in any field), the form is then processed. You can test this by editing the form's hidden field using your dev tool, submitting, then resubmitting.

Solution for those problems:
1. Moving to a CSS-based solution seems sensible (see Cedric's post): the bot has more trouble finding out when a field is hidden via a separate CSS file.

<input type="text" name="field" id="field" value="" />
#field {
  display: none;
}

Note: No idea if making the wrapping div hidden (like Cedric did) is a better technique or not.

2. The issue here is that our field loses its value. And you can't use

${model.value!}

like other "regular" fields do as this field is not a component itself.

So I opted for "manual" creation of the field component, that is:
2.1 Remove from form.ftl: [code]<input type="hidden" name="field" value="" />[/code]
2.2 In edit mode of your form page, create a text field with "Field Label"=field, and "Field Name"=field
2.3 Since the field also gets assigned an id with the value "field" (same as the "Field Name" value), we can then hide it in style.css

.form-item-hidden,
.form-wrapper input[type=hidden],
.form-wrapper #field,
.form-wrapper label[for=field] {
   display: none;
}

The label[for=field] attribute selector is compatible with IE7 and above, see http://www.quirksmode.org/css/selectors/

Improvement: In my case I add this field manually, but this could be done automatically via configuration (generator), I think.
http://documentation.magnolia-cms.com/templates/stk/template-definitions.html#Autogeneratedcomponents
http://wiki.magnolia-cms.com/display/WIKI/Extending+the+stkArticle+template#ExtendingthestkArticletemplate-Addanautogeneratedcomponent
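The two problems from the description, as an added example that is not the Form module's own code: the honeypot is rendered as a regular text input hidden by CSS (id "field") rather than type="hidden", and the re-render flaw is simulated with and without preserving the honeypot value. The regular field names and the sample submission are constructed assumptions.

```python
import re
from html import escape, unescape

HONEYPOT = "field"              # honeypot input name, as in the issue
REQUIRED = ("name", "email")    # constructed regular fields for the sample form


def render_form(values, preserve_honeypot):
    """Render the form as HTML. The honeypot is a normal text input hidden
    by CSS (id="field"), not type="hidden". With preserve_honeypot=False the
    re-render drops its value, which is problem 2 in the issue."""
    html = ""
    for name in REQUIRED:
        html += f'<input type="text" name="{name}" value="{escape(values.get(name, ""), quote=True)}" />\n'
    hp = values.get(HONEYPOT, "") if preserve_honeypot else ""
    html += (f'<label for="{HONEYPOT}">Leave this field empty</label>\n'
             f'<input type="text" name="{HONEYPOT}" id="{HONEYPOT}" '
             f'value="{escape(hp, quote=True)}" />\n')
    return html


def parse_form(html):
    """Collect name/value pairs from the rendered form, as a client that
    resubmits the page unchanged would (constructed parser for render_form output)."""
    pairs = re.findall(r'name="([^"]+)" (?:id="[^"]+" )?value="([^"]*)"', html)
    return {name: unescape(value) for name, value in pairs}


def validate(post):
    """Server-side check that must run on every submission: any value in the
    honeypot means spam; otherwise the regular fields are required."""
    if post.get(HONEYPOT, "").strip():
        return "spam"
    if any(not post.get(f, "").strip() for f in REQUIRED):
        return "invalid"
    return "ok"


def resubmit_outcome(preserve_honeypot):
    """Simulate the issue's scenario: a submission that fills every input,
    including the honeypot, is rejected and the form is rendered again; the
    same client then resubmits the rendered form without changing anything.
    Returns the outcomes of the first and the second submission."""
    first = {"name": "Bot", "email": "bot@example.invalid", HONEYPOT: "filled by script"}
    outcome1 = validate(first)                       # "spam": rejected, form re-rendered
    second = parse_form(render_form(first, preserve_honeypot))
    outcome2 = validate(second)                      # "ok" only when the re-render lost the value
    return outcome1, outcome2
```

resubmit_outcome(False) reproduces the bypass ("spam", then "ok"); resubmit_outcome(True) shows the fix from the description, where the honeypot keeps its submitted value and the blind resubmit is rejected again.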



Comments
Comment by Adrien Berthou [ 14/Jun/13 ]

Related discussions:
http://forum.magnolia-cms.com/forum/thread.html?threadId=37af0af5-74c0-4b15-acea-0bc24dc31319
http://wiki.magnolia-cms.com/display/DEV/Spam+handling

Related Blog post:
http://haacked.com/archive/2007/09/10/honeypot-captcha.aspx

Comment by Magnolia International [ 17/Jun/13 ]

Thanks Adrien!
This, however, seems to imply that authors need to know about the intricacies of the honey pot, which is probably not a realistic expectation. How about we replace this

2.2 In edit mode of your form page, create a text field with "Field Label"=field, and "Field Name"=field

with this

2.2 In edit mode of your form page, create a "honey pot" field (i.e. a new, explicitly named, field type)

Comment by Adrien Berthou [ 17/Jun/13 ]

You're welcome!

Yes, that sounds like a good idea.

As I said in the description, adding the field via the generator could also be cool, but it would not give the user the option to opt out.

Up to you guys really; I like both solutions, but yours seems more user-friendly.

Comment by Roman Kovařík [ 28/Jun/13 ]

Added a new custom honeypot form field with its own default validation for emptiness.
We need to hide it by CSS, see MGNLSTK-1201.

Comment by Adrien Berthou [ 06/Nov/13 ]

Hi Gregory,

Just tried your implementation of the Honeypot. It seems like you decided to go with the solution I suggested:

"2.2 In edit mode of your form page, create a text field with "Field Label"=field, and "Field Name"=field"

But the fact that the field label & name should be called "field" is not documented anywhere, which results in having no validation at all on the honeypot field.

See:
http://documentation.magnolia-cms.com/display/DOCS45/Form+components#Formcomponents-Honeypotfield
http://documentation.magnolia-cms.com/display/DOCS/Form+components#Formcomponents-Honeypotfield

Generated at Mon Feb 12 05:37:37 CET 2024 using Jira 9.4.2#940002-sha1:46d1a51de284217efdcb32434eab47a99af2938b.