Forms For Editors - validate submitted fields

Nuno Aguiar Dynamicweb Employee

Hi,

We have a customer with some forms being hit by some spammers, and I believe their trick is to use JS to remove the "required" attributes and/or remove the fields they don't want to submit.

Looking at logs, I see some values are NULL instead of empty, the session did not identify it as a bot, and there are at least 3 pageviews associated with that session.

That led me to do a simple test by removing the required attribute using DeveloperTools to see how DW behaved. The form was submitted successfully. So my question is, shouldn't DW validate:

  • If the submitted field was required, but the value is empty or null, return an error?
  • Cross check the parameters in the request vs the fields in Forms for editors?

Any chance this is a bug? Or a new feature that needs to be implemented?

Best Regards,

Nuno Aguiar

Replies

Nicolai Pedersen

Hi Nuno

Then they will just write "-" or "asdf" in the field. So I am not sure it would help a lot and a lot of forms will rely on being able to manipulate fields.

I would like to see the forms that have been submitted. Can you provide me with a link?

BR Nicolai

Nuno Aguiar Dynamicweb Employee

Hi Nicolai,

I can see your point about the "required" attribute, but checking the submitted fields vs what's configured in Forms for Editors may be worth it.

I understand there may be customers who have a form with 20 fields and a template that only renders 15, in which case it would clash with the validation I am proposing, but one could argue they should be rendering all fields OR disable them in the backend.

I'll send you an email with the link for the site and instructions to get to one of the offenders.

Best Regards,

Nuno Aguiar
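
The two server-side checks proposed in this thread, as an added example that is not part of any post and does not use Dynamicweb's API; `FormField`, `validate_submission`, the `ignore` parameter and the sample requests are hypothetical. It assumes optional fields a template does not render may simply be absent, and the `FILLER` sample shows the limitation raised in the reply: values such as "-" or "asdf" still pass a presence check.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Mapping, Optional


@dataclass(frozen=True)
class FormField:
    """One field as configured server-side (hypothetical model)."""
    system_name: str
    required: bool = False


def validate_submission(fields: list[FormField],
                        submitted: Mapping[str, Optional[str]],
                        ignore: frozenset[str] = frozenset()) -> list[str]:
    """Return validation errors; an empty list means the post is accepted.

    The browser's `required` attribute is advisory only, so both checks run
    on the server against the stored form definition, never against the HTML.
    """
    errors = []
    configured = {f.system_name for f in fields}

    # Check 1: every required field must be present and non-blank.
    # A removed input arrives as a missing key, an emptied one as "".
    for f in fields:
        value = submitted.get(f.system_name)
        if f.required and (value is None or not value.strip()):
            errors.append(f"missing required field: {f.system_name}")

    # Check 2: reject parameters the form definition does not know.
    # Unrendered optional fields are absent and pass; `ignore` holds
    # framework parameters such as an anti-forgery token.
    for name in sorted(set(submitted) - configured - ignore):
        errors.append(f"unexpected parameter: {name}")

    return errors


# Constructed sample form and requests.
CONTACT_FORM = [FormField("Name", True), FormField("Email", True),
                FormField("Phone"), FormField("Message", True)]
STRIPPED = {"Name": "x", "Message": "buy now", "Website": "http://example.invalid"}
FILLER = {"Name": "-", "Email": "asdf", "Message": "-"}
```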

 
Nicolai Pedersen

Thanks - looked at it.

Did you try to activate the antispam feature of forms? See dump

BR Nicolai

Capture.JPG

Nicolai Pedersen

And enable SQL injection checks...?

Nuno Aguiar Dynamicweb Employee

Hi Nicolai,

I could have sworn those were properly activated

I made the changes to both antispam and SQL Injections and will see if it still keeps happening.

Thanks,

Nuno Aguiar

Nicolai Pedersen

wink