RecaptchaValidator validates with empty value

evoWeb / recaptcha

TYPO3 Extension to make use of googles nocaptcha

GNU General Public License v2.0

5 stars 18 forks source link

RecaptchaValidator validates with empty value #29

Closed dogawaf closed 5 years ago

dogawaf commented 5 years ago

IHMO the RecaptchaValidator should have $acceptsEmptyValues = false

Without it, a form is valid even if no captcha challenge is posted.

garbast commented 5 years ago

The validator does not use a value that could be handed to the validator instead takes the g-recaptcha-response from the request. If you change "$acceptsEmptyValues = false" you will never get a valid result because the empty check preemptivly denys validity

dogawaf commented 5 years ago

~~But, actually, if no g-recaptcha-response is posted, the form is considered valid. It should not.~~

dogawaf commented 5 years ago

The input in the form contains always 1 as value. So the validator must always validate this field.

<input id="contact-recaptcha" type="hidden" name="tx_form_formframework[contact][recaptcha]" value="1">

Actually, if this field is omitted (by a robot), then the recaptchaValidator is not called. The form should not be valid if either :

the tx_form_formframework[contact][recaptcha] is empty
the g-recaptcha-response from the request is empty
the g-recaptcha-response from the request is not validated by google

garbast commented 5 years ago

I agree with you for when the normal visible recaptcha is used. But there is also an invisble version configurable and then the field not present. To cover that problem i change the validator to get the g-recaptcha-response as value. Would be nice if you could confirm it on your installation.