Quote from nicolai:
"
There are 2 levels of form checks.
First one is the SQL-Injection check - it checks for a range of illegal operations in POSTS and a different set in GET. More is allowed on POSTS than GET, i.e. HTML.
The second level is form antispam that has a number of checks. It only runs on forms from the 2 forms modules - it has these checks:
- These will always be run - even if antispam is disabled:
  - It has to be a post
  - The client needs a User agent
  - It needs to have a referer on the header from the same site
  - If the post does not have a session already (must have shown a page before the actual post)
- These will be run if antispam is enabled - if any 2 or more fail, the request will be ended:
  - It does not allow markup and [url]
  - It will not allow the same email address 3 times in the same post
  - FormCH1_f - checksum to make sure it is the right form being posted
  - FormCH1_s - checksum to see if the session that created the form is also the one posting it
  - FormCH1_h - new one, JavaScript based session checksum
  - FormCH1_i - checksum to see if the IP that created the form is also the one posting it
  - _sys_to_email is a new field; it contains bot@dynamicweb.com. It has to be empty when posted. That is handled by a script in the frontend coming out of the form modules.
"
You said that if any 2 or more fail it will trigger the antispam.
Let's focus on the field "_sys_to_email".
I have a few wishes:
1. Can you make it so that if this field "_sys_to_email" fails, antispam is triggered immediately?
2. Can you implement this feature "_sys_to_email" on other modules as well, like: forum, item creator, etc. (All modules which have form input.)
3. If antispam is triggered, redirect to a page which explains that antispam measures have been taken. This page should be configurable like the 404 page.
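
The two check levels from the quote, plus the behaviour asked for in wish 1 (a filled honeypot rejects on its own), as an added example that is not part of the post and not Dynamicweb's code. The HMAC checksum construction, the request dict layout, the rule that any always-run failure rejects, and the names `evaluate_post`, `honeypot_is_fatal` and `sample_request` are assumptions; the JavaScript-based `FormCH1_h` check is left out.

```python
import hashlib, hmac, re
from collections import Counter
from urllib.parse import urlparse

SECRET = b"constructed-demo-secret"  # assumption: server-side key, never sent to the client
THRESHOLD = 2                        # from the quote: 2 or more failed checks end the request

def checksum(value):
    # Assumed construction; the post does not say how the FormCH1_* values are built.
    return hmac.new(SECRET, value.encode(), hashlib.sha256).hexdigest()

def evaluate_post(req, site_host, honeypot_is_fatal=False):
    """Return (accepted, failed_checks) for a request given as a plain dict."""
    form = req.get("form", {})
    # Level 1: always run. Assumption: any single failure rejects the post.
    always = {
        "is_post": req.get("method") == "POST",
        "user_agent": bool(req.get("user_agent")),
        "same_site_referer": urlparse(req.get("referer") or "").hostname == site_host,
        "has_session": bool(req.get("session_id")),
    }
    failed = [name for name, ok in always.items() if not ok]
    if failed:
        return False, failed
    # Level 2: scored checks; content rules look at visitor-supplied fields only.
    user_text = " ".join(v for k, v in form.items()
                         if not k.startswith(("FormCH1_", "_sys_")))
    emails = Counter(re.findall(r"[\w.+-]+@[\w-]+\.[\w.-]+", user_text.lower()))
    def matches(field, expected):
        return hmac.compare_digest(form.get(field, "").encode(), checksum(expected).encode())
    scored = {
        "no_markup": re.search(r"<[a-z/!][^>]*>|\[url", user_text, re.I) is None,
        "email_repeats": all(n < 3 for n in emails.values()),
        "FormCH1_f": matches("FormCH1_f", req.get("form_id", "")),
        "FormCH1_s": matches("FormCH1_s", req.get("session_id", "")),
        "FormCH1_i": matches("FormCH1_i", req.get("client_ip", "")),
        "_sys_to_email": form.get("_sys_to_email", "") == "",  # honeypot must arrive empty
    }
    failed = [name for name, ok in scored.items() if not ok]
    rejected = len(failed) >= THRESHOLD or (honeypot_is_fatal and "_sys_to_email" in failed)
    return not rejected, failed

def sample_request(**overrides):
    # Constructed sample: a legitimate post from session "s1" at 203.0.113.7.
    form = {"name": "Ann", "message": "Hello", "_sys_to_email": "",
            "FormCH1_f": checksum("contact"), "FormCH1_s": checksum("s1"),
            "FormCH1_i": checksum("203.0.113.7"), **overrides}
    return {"method": "POST", "user_agent": "Mozilla/5.0", "session_id": "s1",
            "client_ip": "203.0.113.7", "referer": "https://www.example.com/contact",
            "form_id": "contact", "form": form}
```

With the default threshold a post that fails only the honeypot is still accepted; passing `honeypot_is_fatal=True` makes that single failure sufficient.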