derhansen / form_crshield
Challenge/response spam shield for TYPO3 form extension
License: GNU General Public License v2.0
Hi,
A feedback message “Your message was detected as spam” would be good instead of just displaying the form again when the form was submitted and detected as spam.
Hi Torben!
Are you interested in v10 compatibility? I can provide a PR if you don't mind.
Hi, nice extension!
it works perfectly fine for normal or multistep forms.
Also good to test with disabled javascript.
I got an issue with summary steps though, which seem not to validate.
The `$requestArguments` are empty in my case so the validation fails in the afterSubmit function with the `CR response invalid. Submitted data` logs
`EXT:form_crshield/Classes/Hooks/Form.php:72`
The affected installation is using TYPO3 10.4.37 with PHP 7.4 and helhum/typo3-secure-web 0.3.2.
We have a contact email form there that is using EXT:form and this extension.
With version 1.3.2, I can submit the form (and get the email sent) without problems, and I see the thank-you page of the form.
With version 1.4.0, after submitting, the form gets displayed again (with the data I entered), no email is sent, and this gets logged in the TYPO3 debug log:
Thu, 01 Feb 2024 13:08:54 +0100 [DEBUG] request="19c4ec7b1b692" component="Derhansen.FormCrshield.Hooks.Form": Submitted data - {"text-1":"Oliver Klee","DZ7Fyhu1ivOeLGbaW3nXrmq":"","text-2":"[email protected]","text-3":"+49 +49 123 45678","textarea-1":"Test","cr-field":"MHwyOHA4cjNuMDc0czhxcXMwODU4bnFxNTQ3bzlycDM4M3M1cDk4MG4z"}
Thu, 01 Feb 2024 13:08:54 +0100 [DEBUG] request="19c4ec7b1b692" component="Derhansen.FormCrshield.Hooks.Form": CR response expired. Submitted data - {"text-1":"Oliver Klee","DZ7Fyhu1ivOeLGbaW3nXrmq":"","text-2":"[email protected]","text-3":"+49 +49 123 45678","textarea-1":"Test","cr-field":"MHwyOHA4cjNuMDc0czhxcXMwODU4bnFxNTQ3bzlycDM4M3M1cDk4MG4z"}
Thu, 01 Feb 2024 13:08:54 +0100 [DEBUG] request="19c4ec7b1b692" component="Derhansen.FormCrshield.Hooks.Form": CR response expired. Submitted data - {"text-1":"Oliver Klee","DZ7Fyhu1ivOeLGbaW3nXrmq":"","text-2":"[email protected]","text-3":"+49 123 45678","textarea-1":"Test","cr-field":"MHwyOHA4cjNuMDc0czhxcXMwODU4bnFxNTQ3bzlycDM4M3M1cDk4MG4z"}
(What stands out to me there is the "CR response expired" message.)
I've checked that `FormCrShield.js` gets loaded when I load the page and that there are no errors or warnings in the browser console.
Is this a bug, or has version 1.4.0 some breaking change that requires changes to the extension configuration?
And how can I help debug this?
Always write POST data for the current page to debug log
With https://review.typo3.org/c/Packages/TYPO3.CMS/+/82416 the internal function `get_cache_timeout()` from TSFE got declared protected. Thus it is no longer possible to get the calculated cache timeout for a page and this must now be retrieved manually.
Use CacheDataCollector API in v13 - see https://review.typo3.org/c/Packages/TYPO3.CMS/+/81801
On Firefox:
Same form in chrome works:
After some modifications the log contains this (for firefox):
```php
// Form.php line 82 ff to get better insight into debugging
if ($calculatedData !== $clientData) {
    $this->logger->debug(
        'CR response missmatch. Submitted data',
        [
            'calculatedData' => $calculatedData,
            'expectedData' => $clientData
        ]
    );
    return '';
}
```
Sat, 30 Dec 2023 15:28:02 +0100 [DEBUG] request="6c4e5ff2ae00d" component="Derhansen.FormCrshield.Hooks.Form": CR response missmatch. Submitted data - {"calculatedData":"8111n9r3sr0p5s4p4pr245052nr0669n57s285q9","expectedData":"8111a9e3fe0c5f4c4ce245052ae0669a57f285d9"}
And the js:
```javascript
// FormCrShield.js line 15 - the result was visible in the screencast
console.log(element.value);
```
I doubt, some strange bug is causing a difference in the calculation of the javascript. Will try to reproduce that on a clean profile of firefox as well.
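The two values in the "CR response missmatch" log line above have the same length and differ only in their letters, each shifted by 13 places (ROT13). The following triage helper is an added example, not code from the extension or from the reporter; it classifies such a logged pair and decodes a logged `cr-field` value for inspection. The function names are hypothetical, and the input strings are copied from the log lines on this page.

```javascript
// Added triage helper; not part of form_crshield. The sample values are
// copied from the debug log lines quoted on this page.

// ROT13 over ASCII letters only; digits and punctuation pass through.
function rot13(s) {
  return s.replace(/[a-z]/gi, (ch) => {
    const base = ch <= 'Z' ? 65 : 97;
    return String.fromCharCode(((ch.charCodeAt(0) - base + 13) % 26) + base);
  });
}

// Pull the JSON payload out of one "[DEBUG] ... - {json}" log line.
function parsePayload(line) {
  const start = line.indexOf(' - {');
  if (start === -1) return null;
  try {
    return JSON.parse(line.slice(start + 3));
  } catch {
    return null; // truncated or non-JSON payload
  }
}

// Base64-decode a logged cr-field value and split it at the first "|".
function decodeCrField(value) {
  const text = Buffer.from(value, 'base64').toString('latin1');
  const sep = text.indexOf('|');
  if (sep === -1) return { prefix: null, token: text };
  return { prefix: text.slice(0, sep), token: text.slice(sep + 1) };
}

// Classify how the server-side and client-side values relate to each other.
function classifyMismatch(calculated, expected) {
  if (calculated === expected) return 'equal';
  if (calculated.toLowerCase() === expected.toLowerCase()) return 'case-only';
  if (rot13(calculated) === expected) return 'rot13';
  if (calculated.length !== expected.length) return 'length';
  return 'different';
}

const mismatchLine = 'Sat, 30 Dec 2023 15:28:02 +0100 [DEBUG] request="6c4e5ff2ae00d" component="Derhansen.FormCrshield.Hooks.Form": CR response missmatch. Submitted data - {"calculatedData":"8111n9r3sr0p5s4p4pr245052nr0669n57s285q9","expectedData":"8111a9e3fe0c5f4c4ce245052ae0669a57f285d9"}';
const samplePayload = parsePayload(mismatchLine);
console.log(classifyMismatch(samplePayload.calculatedData, samplePayload.expectedData));

// cr-field value from the "CR response expired" log lines earlier on this page.
const sampleCrField = 'MHwyOHA4cjNuMDc0czhxcXMwODU4bnFxNTQ3bzlycDM4M3M1cDk4MG4z';
console.log(decodeCrField(sampleCrField));
```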
Hello, after updating form_crshield from 1.4.0 to 1.4.1 spam messages are not blocked anymore. Downgrading helped.
TYPO3 11.5.35
PHP 8.2
Add a configurable delay for the response calculation, to make it harder for bots with active JavaScript to submit the form
Add acceptance test suites to cover:
Steps to reproduce:
From what I can see the reason is following:
When the extension is installed, the preview in the form editor is broken. The following javascript error occurs:
Uncaught Error: Could not find form element "cr-field" in path "formName/page-1/cr-field" (1472424334)
If the extension is uninstalled it works.
TYPO3 10.4.32
PHP 7.4
Add a useless/invalid default value to the CD field.
Is it possible to set up a given form that is not protected by this extension even if the extension is installed and present?
I have a form with topwire and summary and sometimes I can't submit the last step and my guess is that form_crshield is causing this. No issues if I uninstall form_crshield.