I've got an external form and I use the process.php method for submissions.
Unfortunately, if JS is disabled in the browser, there is no g-recaptcha-response in the submitted form data and as such the reCaptcha check is bypassed allowing people to spam the form.
Wouldn't it make sense for the following line in Submissions.class.php
if (isset($api_enabled) && isset($form_data["g-recaptcha-response"])) {
to check if the 2 recaptcha config variables are set instead.
if (isset($api_enabled) && ! empty(Core::getAPIRecaptchaSecretKey()) && ! empty(Core::getApiRecaptchaSiteKey())) {
I've got an external form and I use the process.php method for submissions.
Unfortunately, if JS is disabled in the browser, there is no g-recaptcha-response in the submitted form data and as such the reCaptcha check is bypassed allowing people to spam the form.
Wouldn't it make sense for the following line in Submissions.class.php
to check if the 2 recaptcha config variables are set instead.