Sterc / FormIt

A dynamic form processing Snippet for MODX Revolution
https://docs.modx.com/current/en/extras/formit

Spam hook not working? #185

Closed Tyreal74 closed 5 years ago

Tyreal74 commented 6 years ago

FormIt version: 4.10, MODX: 2.6.5, PHP: 7 (enforced by .htaccess as per the host's instructions).

Updated the website to 2.6.5 as per the security announcement; updated all Extras to the most recent version, including FormIt to 4.10.

Recently had a spate of spam emails so had to disable the contact forms. When I got around to investigating, I discovered that the honeypot on the form isn't being respected.

FormIt Code below:

[[!FormIt?` 
&hooks=`math,spam,email` 
&emailTpl=`FormTpl` 
&errTpl=`[[+error]]`
&emailTo=`xxx@xxx.com`
&emailFrom=`xxx@xxx.com`
&emailFromName=`Company Name`
&emailSubject=`Contacting via web-form: Contact Us` 
&successMessagePlaceholder=`fi.successMessage`
&successMessage=`Thank you for your message, a representative will be in touch.` 
&store=`1` 
&emailHtml=`1`
&redirectTo=`191`
&mathMinRange=`1`
&mathMaxRange=`10`
&validate=`math:required,
           name:required,
           email:email:required,
           message:stripTags:required,
           xjdhbg:blank`
]]

HTML for the email section:

<label for="email">Email [[!+fi.error.email:notempty=`[[!+fi.error.email]]`]]</label>
<input type="email" name="email" id="email" value="[[+fi.email]]" required>
<input type="email" name="xjdhbg" value="[[+fi.xjdhbg]]" class="visuallyhidden" autocomplete="off" placeholder="P l e a s e  l e a v e  e m p t y!">

<div class="clear"></div>

<label>[[!+fi.op1]] [[!+fi.operator:is=`-`:then=`minus`:else=`plus`]] [[!+fi.op2]]?</label>
[[!+fi.error.math]]

<input type="text" name="math" value="[[!+fi.math]]" />

<div class="clear"></div>
<button type="submit" class="submitbutton" role="button">Submit Message</button>

The email submits every time when the math captcha is correct, but if I remove the math captcha and rely solely on the honeypot email, the email is submitted every time, as per the email response:

Name: Name
Phone: Phone
Email: xxxx@xxxx.com 
Message: 
Test Message

Honeypot Email:  xxxx@xxxx.com
Math Result: 6

I have tested this manually by dropping all CSS out of the page and using autocomplete and also typing the email addresses and details manually and each time the submission is approved.

Thanks

MrRoco commented 5 years ago

@Tyreal74 The spam hook does not check the email!

The spam hook will check all the fields specified in the property spamEmailFields against a spam filter via StopForumSpam. If the user is flagged as a spammer, it will show an error message for that field checked.

See for more info: https://docs.modx.com/extras/revo/formit/formit.hooks/formit.hooks.spam

hugopeek commented 4 years ago

@MrRoco I think @Tyreal74 means the xjdhbg:blank validator in his example. I'm seeing the same thing on a few sites. Lots of submitted spam entries with the honeypot field filled in.

Just tested it again with the latest FormIt, MODX 2.7.2, PHP 7.3. Same thing: the form gets sent with the honeypot field filled in.

hugopeek commented 4 years ago

Ok, in my case it was stumbling over the following:

&validate=`
        fb[[*id]]-email:email:required,
        [[$fbValidateCustomFields:notempty=`[[$fbValidateCustomFields]],`]]
        workemail:blank`

The chunk fbValidateCustomFields can contain extra validation rules, but if the chunk doesn't exist, it somehow prevents the workemail:blank rule from firing.

Adding the comma outside of the :notempty statement or creating an empty fbValidateCustomFields chunk solves the issue.

But it still doesn't explain why @Tyreal74's code is not working, assuming that his validation rules are formatted like that, with a comma as last character before the xjdhbg:blank rule.
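As an added example (not code from this thread or from the FormIt project), a small custom FormIt hook that enforces the honeypot server-side regardless of how the `&validate` string is assembled, so a malformed rule list like the one above cannot silently drop the `:blank` check. It assumes a snippet named `honeypotCheck` placed first in `&hooks`, the field name `xjdhbg` from the thread, and the `$hook` (fiHooks) object that FormIt passes to custom hook snippets.

```php
<?php
/**
 * honeypotCheck - custom FormIt hook (added example, not part of FormIt).
 *
 * Assumed usage in the snippet call (snippet name is an assumption):
 *   &hooks=`honeypotCheck,math,spam,email`
 *
 * FormIt passes $hook (fiHooks) to custom hook snippets; $modx is the
 * MODX instance available to every snippet.
 */

// Hidden field name taken from the thread; an assumed optional property
// &honeypotField=`...` on the FormIt call can override it.
$field = $modx->getOption('honeypotField', $scriptProperties, 'xjdhbg');

// Raw submitted value for the field, or null if the browser sent nothing.
$value = $hook->getValue($field);

// Fail closed: any non-empty content means the hidden field was filled in.
// trim() so that whitespace padding from autofill does not slip past the check.
if ($value !== null && trim((string) $value) !== '') {
    // Record the rejection for detection/tuning; keep the field name out of
    // anything shown to the submitter.
    $modx->log(modX::LOG_LEVEL_INFO, '[honeypotCheck] rejected submission: honeypot field was filled');

    // Attaching an error and returning false stops the hook chain, so the
    // email hook never runs for this submission.
    $hook->addError($field, 'Submission rejected.');
    return false;
}

// Empty honeypot: let the remaining hooks (math, spam, email) run.
return true;
```

Because this hook does its own check in PHP, it keeps working even when a missing chunk or a misplaced comma breaks the `&validate` list, which is the failure mode described above.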