gl636474 / NaturesCupboard2


Disallow URLs in text form fields to deter forum-spambot posting links #38

Closed gl636474 closed 4 years ago

gl636474 commented 4 years ago

See https://alanstorm.com/magento-custom-form-validation to create validators to fail if a name/address/etc contains http:// or https://.

gl636474 commented 4 years ago

Must either:

  1. Modify Magento string validators to exclude https?://
  2. Create a custom validator and add it to existing forms.
  3. Create a custom JS file to search for forms and fields by name and add the new validator if found.

(1) might have some undesired side effects, e.g. in little-used forms. (2) might involve overriding a LOT of standard Magento .phtml files and blocks. (3) might not be obvious what is happening from looking at the .phtml, but does not suffer the same issues as the other two options.

gl636474 commented 4 years ago

(3) still needs to override something to include the extra JS file!

gl636474 commented 4 years ago

See https://magento.stackexchange.com/questions/131056/how-to-add-js-file-in-frontend-for-all-pages

This does it using requires - essentially our module's require.js file is picked up by the Magento system and acted upon.

gl636474 commented 4 years ago

Don't know how to programmatically get names of all forms and fields in real time. System config screen will have to have text fields for the names of forms and fields to add no-url validation to.

Or perhaps do a code scrape for frontend <form> and <input> and have those as presets in selects with additional text fields for 3rd party extensions.

gl636474 commented 4 years ago

See https://github.com/magento/magento2/issues/7266.

Basically, any validation done in JS can be circumvented - a bot can POST directly. Extra validation needs to be done server side - e.g. in the controller.

To override controller: https://inchoo.net/magento/overriding-magento-blocks-models-helpers-and-controllers/

New customer is created in Customer/controllers/AccountController::createPostAction(). Specifically this call in _getCustomerErrors($customer):

$customerForm->compactData($customerData); 

is what actually copies values from request/form to model registered in the Form Block. This model instance is retrieved by the controller in the _getCustomer() function:

$customer = $this->_getFromRegistry('current_customer');
// ...
return $customer;
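A server-side check of the kind the comment above calls for, as an added example that is not code from this repository or from SpamProtect. It rejects posted fields that carry a link before compactData() copies them into the model; the helper name findUrlFields, the list of checked fields and the Magento 1 call site in the trailing comment are assumptions.

```php
<?php
// Added example, not code from NaturesCupboard2 or SpamProtect.
// Runs in the controller before compactData() copies request values into
// the customer model, so a bot that skips the page's JavaScript and POSTs
// directly is still caught.

/**
 * Return the names of the checked fields whose value contains a link.
 * Covers http:// and https:// (the rule the issue proposes) plus the
 * obvious variants "hxxp://" and "www." (an assumption, not from the issue).
 */
function findUrlFields(array $post, array $fieldsToCheck): array
{
    $pattern = '~(?:h[xt]{2}ps?://|\bwww\.)~i';
    $flagged = [];
    foreach ($fieldsToCheck as $field) {
        if (!isset($post[$field])) {
            continue;
        }
        // Street may be posted as an array of address lines.
        $values = is_array($post[$field]) ? $post[$field] : [$post[$field]];
        foreach ($values as $value) {
            // Decode once so "http%3A%2F%2F" and "http&#58;//" do not slip past.
            $plain = html_entity_decode(urldecode((string) $value), ENT_QUOTES, 'UTF-8');
            if (preg_match($pattern, $plain)) {
                $flagged[] = $field;
                break;
            }
        }
    }
    return $flagged;
}

// Constructed sample of what a spambot might POST to the create-account action.
$post = [
    'firstname' => 'Jane',
    'lastname'  => 'visit https://example.com/deal',
    'street'    => ['1 High Street', 'www.example.net'],
    'email'     => 'jane@example.com',
];
$bad = findUrlFields($post, ['firstname', 'lastname', 'street', 'company']);

// Call site in an overridden Mage_Customer_AccountController::createPostAction()
// (Magento 1 API, shown as an assumption about where the check belongs):
// if ($bad = findUrlFields($this->getRequest()->getPost(), $fields)) {
//     Mage::getSingleton('customer/session')->addError('Links are not allowed in: ' . implode(', ', $bad));
//     $this->_redirectError(Mage::getUrl('*/*/create'));
//     return;
// }
```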

cbichis commented 4 years ago

This improvement/bug fix is a good idea as a lot of bots are trying to make use of poorly protected Magentos. And it is not always possible to use Captcha.

gl636474 commented 4 years ago

This issue was fixed by creation of a separate extension for Magento 1.9: https://github.com/gl636474/SpamProtect

Thanks cbichis for your comment.

gl636474 commented 4 years ago

SpamProtect initially deployed 12 June at 20:41.

gl636474 commented 4 years ago

Until 15 June, only one spam customer. Said customer did not have a URL in any part of the name but had just random letters as the name and a valid-formatted email address.