Developer forum

If you disable it totally or put the field name in the exception list, it should Work.

Be aware of casing and make sure it is a POST. Make sure the form is generated by the forms module - if you hardcode the hidden fields named FormCH1_f, FormCH1_s, FormCH1_i it will also fail.

Also in management center you can add an email to send a report to if something gets caught. Try that and see if you get and email. It could also be something else catching the form.

If you trace the post with fiddler or similar, you can se on the response headers where the 404 comes from. It will say something like "DW inj.check" - if not, the 404 is from somewhere else.

BR Nicolai

I was a bit confused. When i disable the "Spam check" then the form submits.

I do not want to do this in production of course.

On the previous dw version i did not have this spam check being triggered.

There is sent a spam email indeed. Subject = "... Bad form (((\%3C)|<|\[)((\%2F)|\/)*[a-z0-9\%]+((\%3E)|>|\])) Bad form (EMAIL ADDED) "

The spam check "Bad form (EMAIL ADDED)" is new i guess?

"Ignore the following fields" is not ment for by passing the Spam check?

It would be nice if we could exclude fields from being spam checked as wel.

There is a new field "_sys_to_email" on the form with value "bot@dynamicweb.com".

What is this for?

Can someone explain the extended spam checking and this new sys email field? Thanks.

Hi Remi

There are 2 levels of form checks.

First one is the SQL-Injection check - it checks for a range of illegal operations in POSTS and a different set in GET. More is allowed on POSTS than GET, i.e. HTML.

The second level is form antispam that has a number of checks. It only runs on forms from the 2 forms modules - it has these checks:

• These will always be run - even if antispam is disabled
  • It has to be a post
  • The client needs a User agent
  • It needs to have a referer on the header from the same site
  • If the post does not have a session already (must have shown a page before the actual post)
• These will be run if antispam is enabled - if any 2 or more fails, the request will be ended.
  • It does not allow markup and [url]
  • It will not allow the same email address 3 times in the same post
  • FormCH1_f - checksum to make sure it is the right form being posted
  • FormCH1_s - checksum to see if it is the same session that created the form is also the one posting it
  • FormCH1_h - new one, javascript based session checksum
  • FormCH1_i - checksum to see if it is the same IP that created the form is also the one posting it
  • _sys_to_email is a new field it contains bot@dynamicweb.com. It has to be empty when posted. That is handled by a script in the frontend coming out of the form modules.

Hope this clarifies.

Nicolai

Hi Nicolai,

This is great to know, but can you tell me what js file and/or how the script that handles the email is rendered?

I cannot see it, with and without "Disable DWScript.js on layouts"  checkbox enabled. Using verion 8.3.0.7

Best Regards,

Nuno

the js comes inline witht the validation scripts in the forms module - and only in 8.3.1+

Thanks Nicolai. I was under the impression it was for 8.3

Thanks for the explanation!

It is currently not possible to exclude fields from spam checking.

By passing fields only works if you do not want a sql injection check. Right?

Is it possible that DW adds functionality to by pass fields from spam checking?

Hi Remi

Yes only possible to bypass SQL injection.

Will add the option to do it for spam checking as well - hopefully for 8.4.

BR Nicolai