[MGNLFORM-178] Form's Honeypot anti-spam - needed improvements Created: 14/Jun/13 Updated: 15/Dec/15 Resolved: 28/Jun/13 |
|
| Status: | Closed |
| Project: | Magnolia Form Module |
| Component/s: | None |
| Affects Version/s: | 1.4.5, 2.0 |
| Fix Version/s: | 1.4.8, 2.0.1 |
| Type: | Bug | Priority: | Neutral |
| Reporter: | Adrien Berthou | Assignee: | Roman Kovařík |
| Resolution: | Fixed | Votes: | 0 |
| Labels: | None | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Patch included: | Yes |
| Acceptance criteria: | Empty |
| Description |
|
In form.ftl, the input field "dedicated" to fool the robot is hidden.

<input type="hidden" name="field" value="" />

A couple of problems I see here:

Solution for those problems:

<input type="hidden" name="field" id="field" value="" />

#field {
    display: none;
}

Note: No idea if making the wrapping div hidden (like Cedric did) is a better technique or not.

2. The issue here is that our field here loses its value. And you can't use ${model.value!} like other "regular" fields do as this field is not a component itself. So I opted for "manual" creation of the field component, that is:

.form-item-hidden,
.form-wrapper input[type=hidden],
.form-wrapper #field,
.form-wrapper label[for=field] {
    display: none;
}

The label[for=field] attribute selector is compatible with IE7 and above, see http://www.quirksmode.org/css/selectors/

Improvement: In my case I add this field manually but this could be done automatically via configuration (generator) I think. |
| Comments |
| Comment by Adrien Berthou [ 14/Jun/13 ] |
|
Related discussions: Related Blog post: |
| Comment by Magnolia International [ 17/Jun/13 ] |
|
Thanks Adrien!
with this
|
| Comment by Adrien Berthou [ 17/Jun/13 ] |
|
You're welcome! Yes, that sounds like a good idea. As I said in the description, adding the field via generator could also be cool but it would not leave the user the option to opt out. Up to you guys really, I like both solutions but yours seems more user-friendly. |
| Comment by Roman Kovařík [ 28/Jun/13 ] |
|
Added new custom honeypot form field with its own default validation for emptiness. |
| Comment by Adrien Berthou [ 06/Nov/13 ] |
|
Hi Gregory, Just tried your implementation of the Honeypot. It seems like you decided to go with the solution I suggested, "2.2 In edit mode of your form page, create a text field with "Field Label"=field, and "Field Name"=field". But the fact that the field label & name should be called "field" is not documented anywhere, which results in having no validation at all on the honeypot field. See: |
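
The server-side emptiness check discussed in the comments above, with the misnamed-field case from the last comment reported instead of silently skipped. This is an added example, not part of the issue and not code from the Magnolia Form module. The function name, result shape and sample submissions are assumptions; only the input name "field" comes from the description.

```javascript
// Added example; not code from the Magnolia Form module.
// Assumption: the decoy input is named "field", as in the issue's markup.
const HONEYPOT_NAME = "field";

// renderedNames: input names the form page actually renders (from its config).
// params: submitted parameters, name -> string or array of strings.
function checkHoneypot(renderedNames, params, name = HONEYPOT_NAME) {
  // Misconfiguration: the decoy was created under another name, so a check
  // keyed on `name` would silently never run. Report it instead of passing.
  if (!renderedNames.includes(name)) {
    return { accept: false, reason: "honeypot-not-configured" };
  }
  // The decoy is rendered with value="", and CSS-hidden inputs are still
  // submitted, so a request without it was not built from the rendered form.
  if (!Object.prototype.hasOwnProperty.call(params, name)) {
    return { accept: false, reason: "honeypot-missing" };
  }
  const raw = params[name];
  const values = Array.isArray(raw) ? raw : [raw];
  // Any non-blank value means something filled a field a person never sees.
  if (values.some((v) => String(v).trim() !== "")) {
    return { accept: false, reason: "honeypot-filled" };
  }
  return { accept: true, reason: "honeypot-empty" };
}

// Constructed sample submissions (not real traffic).
const SAMPLES = [
  { label: "browser user", rendered: ["email", "message", "field"],
    params: { email: "a@example.org", message: "hi", field: "" } },
  { label: "form filler", rendered: ["email", "message", "field"],
    params: { email: "b@example.org", message: "buy", field: "http://example.com" } },
  { label: "direct POST", rendered: ["email", "message", "field"],
    params: { email: "c@example.org", message: "buy" } },
  { label: "decoy misnamed", rendered: ["email", "message", "website"],
    params: { email: "d@example.org", message: "hi", website: "" } },
];

function runSamples() {
  return SAMPLES.map((s) => `${s.label}: ${checkHoneypot(s.rendered, s.params).reason}`);
}

console.log(runSamples().join("\n"));
```

Running the misconfiguration check when the form definition is saved, not only per request, surfaces the undocumented naming requirement before the form goes live.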