Missing server invalidation #42
Comments
I'm confused as to what you are suggesting that I should improve.
And they both do server-side validation! See
HoneyPotField just checks for the value and not for the existence of the field. In my situation, I had a working contact form without any spam protection. What I suggest is adding an is_valid method for the Form that will make sure that the honeypot exists but is empty. Also, I suggest allowing users to modify or add to this validation.
I think the best way we can resolve this is to add a hook to the form clean logic as a signal... that you could use to add additional logic?
I'm not familiar enough with signals. Also, is there a way to change the honeypot's name/type?
Re: signal. An alternative option would be to allow people to subclass. I think that might be a better option. I'm super busy at the moment, so I can't promise to implement anything immediately!
Not at the moment.
Once a form has been posted, the server does not invalidate it, nor does it provide a method to do so.
This might result in a spamming problem, since many spambots simply record the end URL for the POSTed data and use that for posting spam.
In its easiest form, the server invalidation should have checked that the honeypot field exists and is empty. Otherwise, if the honeypot was introduced after the spambot got the URL, it does not protect from spam.
Also, there are many more protections against spamming that could have helped (check out http://nedbatchelder.com/text/stopbots.html).
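The check the issue asks for, as an added framework-independent example (not the project's own code): the honeypot field must be present in the submitted data and empty, and the value check is a hook a subclass can override. The class, method and field names (HoneypotValidator, check_value, validate, "phonenumber") are assumptions, and the sample submissions are constructed.

```python
from typing import Mapping, Optional

# Assumed honeypot field name; any name a bot is likely to fill in works.
HONEYPOT_FIELD = "phonenumber"


class HoneypotValidator:
    """Reject a POST unless the honeypot field is present AND empty.

    Checking only the value (as the issue says HoneyPotField does) accepts a
    submission that omits the field entirely, which is exactly what a bot
    replaying a POST captured before the honeypot was added will send.
    Subclasses override check_value to customise the value check.
    """

    def __init__(self, field_name: str = HONEYPOT_FIELD) -> None:
        self.field_name = field_name

    def check_value(self, value: str) -> Optional[str]:
        """Return an error message, or None if the value is acceptable."""
        return None if value == "" else "honeypot field was filled in"

    def validate(self, post_data: Mapping[str, str]) -> Optional[str]:
        """Return None when the submission passes, else the reason it failed."""
        if self.field_name not in post_data:
            return "honeypot field is missing from the submission"
        return self.check_value(post_data[self.field_name])


class SentinelHoneypot(HoneypotValidator):
    """Example override: the field is rendered pre-filled with a sentinel
    that a real browser submits unchanged, so any other value is rejected."""

    def __init__(self, sentinel: str = "leave-me", **kw) -> None:
        super().__init__(**kw)
        self.sentinel = sentinel

    def check_value(self, value: str) -> Optional[str]:
        return None if value == self.sentinel else "honeypot sentinel changed"


# Constructed sample submissions, not real traffic.
LEGIT = {"name": "Alice", "message": "Hello", HONEYPOT_FIELD: ""}
REPLAYED_OLD_URL = {"name": "Bob", "message": "buy now"}  # field absent
FILLED_BY_BOT = {"name": "Bot", "message": "spam", HONEYPOT_FIELD: "555-0100"}


def classify(post_data: Mapping[str, str], validator: HoneypotValidator = HoneypotValidator()) -> str:
    """Map a submission to 'accepted' or 'rejected: <reason>'."""
    err = validator.validate(post_data)
    return "accepted" if err is None else f"rejected: {err}"


if __name__ == "__main__":
    for label, data in [("legit", LEGIT), ("replayed", REPLAYED_OLD_URL), ("filled", FILLED_BY_BOT)]:
        print(label, "->", classify(data))
```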