derhansen / form_crshield Goto Github PK

Hi,
I feedback message “Your message was detected as spam” would be good instead of just displaying the form again when the form was submitted and detected as spam.

Hi Torben!

Are you interested into v10 compatibility? I can provide a PR if you don't mind.

Hi, nice extension!
it works perfectly fine for normal or multistep forms.
Also good to test with disabled javascript.

I got an issue with summary steps though, which seem not to validate.
The $requestArguments are empty in my case so the validation fails in the afterSubmit function with the CR response invalid. Submitted data logs

EXT:form_crshield/Classes/Hooks/Form.php:72

The affected installation is using TYPO3 10.4.37 with PHP 7.4 and helhum/typo3-secure-web 0.3.2.

We have an contact email form there that is using EXT:form and this extension.

With version 1.3.2, I can submit the form (and get the email sent) without problems, and I see the thank-you page of the form.

With version 1.4.0, after submitting, the form gets displayed again (with the data I entered), no email is sent, and this gets logged in the TYPO3 debug log:

Thu, 01 Feb 2024 13:08:54 +0100 [DEBUG] request="19c4ec7b1b692" component="Derhansen.FormCrshield.Hooks.Form": Submitted data - {"text-1":"Oliver Klee","DZ7Fyhu1ivOeLGbaW3nXrmq":"","text-2":"[email protected]","text-3":"+49 +49 123 45678","textarea-1":"Test","cr-field":"MHwyOHA4cjNuMDc0czhxcXMwODU4bnFxNTQ3bzlycDM4M3M1cDk4MG4z"}
Thu, 01 Feb 2024 13:08:54 +0100 [DEBUG] request="19c4ec7b1b692" component="Derhansen.FormCrshield.Hooks.Form": CR response expired. Submitted data - {"text-1":"Oliver Klee","DZ7Fyhu1ivOeLGbaW3nXrmq":"","text-2":"[email protected]","text-3":"+49 +49 123 45678","textarea-1":"Test","cr-field":"MHwyOHA4cjNuMDc0czhxcXMwODU4bnFxNTQ3bzlycDM4M3M1cDk4MG4z"}
Thu, 01 Feb 2024 13:08:54 +0100 [DEBUG] request="19c4ec7b1b692" component="Derhansen.FormCrshield.Hooks.Form": CR response expired. Submitted data - {"text-1":"Oliver Klee","DZ7Fyhu1ivOeLGbaW3nXrmq":"","text-2":"[email protected]","text-3":"+49 123 45678","textarea-1":"Test","cr-field":"MHwyOHA4cjNuMDc0czhxcXMwODU4bnFxNTQ3bzlycDM4M3M1cDk4MG4z"}

(What stands out to me there is the "CR response expired" message.)

I've checked that FormCrShield.js gets loaded when I load the page and that there are no errors or warnings in the browser console.

Is this a bug, or has version 1.4.0 some breaking change that requires changes to the extension configuration?

And how can I help debug this?

Always write POST data for the current page to debug log

With https://review.typo3.org/c/Packages/TYPO3.CMS/+/82416 the internal function get_cache_timeout() form TSFE got declared protected. Thus it is no longer possible to get the calculated cache timeout for a page and this must now be retreived manually.

Use CacheDataCollector API in v13 - see https://review.typo3.org/c/Packages/TYPO3.CMS/+/81801

On Firefox:

Same form in chrome works:

After some modifications the log contains this (for firefox):

// Form.php line 82 ff to get better insight into debugging

        if ($calculatedData !== $clientData) {
            $this->logger->debug(
                'CR response missmatch. Submitted data',
                [
                    'calculatedData' => $calculatedData,
                    'expectedData' => $clientData
                ]
            );
            return '';
        }

Sat, 30 Dec 2023 15:28:02 +0100 [DEBUG] request="6c4e5ff2ae00d" component="Derhansen.FormCrshield.Hooks.Form": CR response missmatch. Submitted data - {"calculatedData":"8111n9r3sr0p5s4p4pr245052nr0669n57s285q9","expectedData":"8111a9e3fe0c5f4c4ce245052ae0669a57f285d9"}

And the js:

```javascript
// FormCrShield.js line 15 - the result was visible in the screencast

      console.log(element.value);

I doubt, some strange bug is causing a difference in the calculation of the javascript. Will try to reproduce that on a clean profile of firefox as well.

Hello, after updating form_crshield from 1.4.0 to 1.4.1 spam messages are not blocked anymore. Downgrading helped.
TYPO3 11.5.35
PHP 8.2

Add a configurable delay for the response calculation, to make it harder for bots with active JavaScript to submit the form

Add acceptance test suites to cover:

• Test different forms with chrome webbrowser (selenium/headless)
• Test different forms with phpbrowser (no JavaScript)

Steps to reproduce:

1. Make a for with just 1 single mandatory field.
2. Submit that form with empty required field
3. You'll land on form with validation errors. Complete requires field and submit.
4. CR validation will fails and none of form's finishers will be executed

From what I can see the reason is following:

1. When form is generated for a first time it generates challene AAA with timestamp 1000.
2. JS transforms it into 1000|BBB
3. On invalid form submit form hook validates str_rot13('BBB')==='AAA' as valid. Anf in the same time generates the new challenge: 2000|CCC
4. Next I'm not sure, but most probably Form applies POST data to the cr-field and fenerates form with required field validation errors. It measn that form sends to client "1000|BBB" as a challenge anstead of new "2000|CCC"
5. JS on the client side transforms "1000|BBB" into "1000|AAA"
6. When client submits data CR from handler retrieves challenge for timestamp 1000 from the request which is "AAA" and fails validation with str_rot13('AAA')!=='AAA'

When the extension is installed, the preview in the form editor is broken. The following javascript error occurs:
Uncaught Error: Could not find form element "cr-field" in path "formName/page-1/cr-field" (1472424334)

If the extension is uninstalled it works.
TYPO3 10.4.32
PHP 7.4

Add a useless/invalid default value to the CD field.

https://docs.typo3.org/m/typo3/reference-coreapi/main/en-us/Configuration/GlobalVariables.html#confval-EXEC_TIME

Is it possibly to setup a given form that is not protected by this extension even if the extension is installed and present.
I have a form with topwire and summary and sometimes I can´t submit the last step and my guess is that form_crshield is causing this. No issues if I uninstall form_crshield.