It turns out that the implementation of the UKWA-UI web forms never properly implemented ReCAPTCHA validation. It's only done in the client, and the server-side part (validating g-recaptcha-response) was never implemented; i.e. we need to implement https://developers.google.com/recaptcha/docs/verify, not just https://developers.google.com/recaptcha/docs/display.
We can reuse some standard Java like this: https://stackoverflow.com/questions/47622506/how-to-validate-recaptcha-v2-java-servlet, as long as we also pass in the server-side secret via an environment variable.
Also, if any of the form input gets placed in the response page without escaping, that might lead to cross-site scripting problems. Review if any form input gets rendered back again, and either drop it, or escape it.
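As an added illustration of both points above (server-side siteverify call with the secret taken from the environment, and escaping any input echoed back), here is a minimal servlet sketch. It is example code written for this issue, not UKWA-UI's own code: the environment variable name `RECAPTCHA_SECRET`, the form field `name` and the class name are assumptions, and the JSON reply is checked with a simple regex rather than a JSON library to keep the example dependency-free (Java 11+ for `java.net.http`, classic `javax.servlet` API).

```java
import java.io.IOException;
import java.net.URI;
import java.net.URLEncoder;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import java.util.regex.Pattern;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class ContactFormServlet extends HttpServlet {

    // Google's verification endpoint, from the "verify" docs linked above.
    private static final String VERIFY_URL = "https://www.google.com/recaptcha/api/siteverify";

    // Server-side secret read from the environment (assumed variable name),
    // never hard-coded and never sent to the browser.
    private static final String SECRET = System.getenv("RECAPTCHA_SECRET");

    // Minimal check of the JSON reply's "success" field.
    private static final Pattern SUCCESS = Pattern.compile("\"success\"\\s*:\\s*true");

    private final HttpClient http = HttpClient.newHttpClient();

    /** Returns true only if Google confirms the token; fails closed on missing config or token. */
    boolean verifyRecaptcha(String token, String remoteIp) throws IOException, InterruptedException {
        if (SECRET == null || token == null || token.isBlank()) {
            return false;
        }
        String body = "secret=" + URLEncoder.encode(SECRET, StandardCharsets.UTF_8)
                + "&response=" + URLEncoder.encode(token, StandardCharsets.UTF_8)
                + "&remoteip=" + URLEncoder.encode(remoteIp == null ? "" : remoteIp, StandardCharsets.UTF_8);
        HttpRequest req = HttpRequest.newBuilder(URI.create(VERIFY_URL))
                .header("Content-Type", "application/x-www-form-urlencoded")
                .POST(HttpRequest.BodyPublishers.ofString(body))
                .build();
        HttpResponse<String> resp = http.send(req, HttpResponse.BodyHandlers.ofString());
        // A production version would use a JSON parser and also inspect "hostname"
        // and "error-codes" before trusting the result.
        return resp.statusCode() == 200 && SUCCESS.matcher(resp.body()).find();
    }

    /** Escape the HTML-significant characters so echoed form input is rendered as inert text. */
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '&':  out.append("&amp;");  break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        resp.setContentType("text/html;charset=UTF-8");
        try {
            // Server-side validation of the token the client-side widget submitted.
            if (!verifyRecaptcha(req.getParameter("g-recaptcha-response"), req.getRemoteAddr())) {
                resp.sendError(HttpServletResponse.SC_FORBIDDEN, "CAPTCHA verification failed");
                return;
            }
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
            throw new ServletException(e);
        }
        String name = req.getParameter("name");
        if (name == null) {
            name = "";
        }
        // If a submitted value is echoed back at all, escape it on the way out.
        resp.getWriter().write("<p>Thanks, " + escapeHtml(name) + "</p>");
    }
}
```

The `verifyRecaptcha` check fails closed: a missing secret in the environment or a missing token is treated as a rejection rather than letting the form through, which is the difference between this and the current client-only behaviour.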