[TYPO3-typo3org] buzz.typo3.org: Posting form allows HTML tags

Dmitry Dulepov dmitry at typo3.org
Tue Jan 23 10:22:26 CET 2007


Dmitry Dulepov wrote:
> Hi!
> 
> Thomas Hempel wrote:
>>> Do you have a patched ve_guestbook for download? :)
>> Unfortunately not but all I changed is the template which can be 
>> downloaded here now:
>>
>> http://www.typo3-unleashed.net/singleentry.html?&tx_ttnews[tt_news]=612&tx_ttnews[backPid]=24&cHash=b0c4d70035 

I still got spam posted... If the action field is empty (or even 
about:blank), spam just goes to the current page, which is exactly what 
spammers need to do...

So I changed tx_veguestbook_pi1[submitted] to an empty value and set this 
value to 1 in the script when the timeout finishes. Even that did not help; 
I still got a fresh portion of spam here:
http://typo3bloke.net/post-details/archive/2006/august/18/my_google_notebooks/index.htm

It seems like this is either a very clever robot or the spammer uses 
a browser to simulate correct behaviour.

I do not want to use a captcha and am now thinking about other solutions. One is 
a simple computational expression for the submitter; another is much more 
sophisticated: integrating SpamAssassin to check for spam. This looks 
better: the comment will be posted but hidden, and an approval message can be 
sent to the site owner, like in WordPress. The only problem is that it 
requires changes (a hook) in ve_guestbook. I have already started working on 
this second thing...

-- 
Dmitry Dulepov

Web: http://typo3bloke.net/
Skype: callto:liels_bugs

"It is our choices, that show what we truly are,
far more than our abilities." (A.P.W.B.D.)
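
The message above reports that a field set by script after a timeout did not stop the spam. As an added example (not part of the original post and not ve_guestbook code), here is the computational expression and the timeout enforced on the server with an HMAC-signed token, with an accepted comment stored hidden for approval. All names, the key handling and the time limits are assumptions, and Python is used only for illustration.

```python
import hashlib
import hmac
import secrets
import time

SECRET = secrets.token_bytes(32)  # assumption: per-site key that never leaves the server
MIN_FILL_SECONDS = 5              # assumption: fastest plausible human submission
MAX_AGE_SECONDS = 3600            # assumption: lifetime of a rendered form


def _sign(answer: int, issued_at: int) -> bytes:
    """HMAC over the expected answer and the form's issue time."""
    msg = f"{answer}|{issued_at}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest().encode()


def issue_challenge(now=None):
    """Return (question, issued_at, token); the last two go into hidden fields."""
    issued_at = int(time.time() if now is None else now)
    a, b = secrets.randbelow(9) + 1, secrets.randbelow(9) + 1
    return f"{a} + {b} = ?", issued_at, _sign(a + b, issued_at).decode()


def classify_submission(answer, issued_at, token, now=None):
    """Return 'reject', or 'hidden' (stored unpublished until the owner approves)."""
    now = int(time.time() if now is None else now)
    try:
        answer, issued_at = int(answer), int(issued_at)
    except (TypeError, ValueError):
        return "reject"
    # The token only verifies if the answer is right AND the timestamp is the
    # one the server issued, so the client cannot fake the elapsed time.
    if not hmac.compare_digest(_sign(answer, issued_at), str(token).encode()):
        return "reject"
    age = now - issued_at
    if age < MIN_FILL_SECONDS or age > MAX_AGE_SECONDS:
        return "reject"  # submitted too fast for a human, or from a stale form
    # A robot driving a real browser can still get this far, so the comment
    # is never published directly. A token is also replayable until it
    # expires; making it single-use needs server-side storage.
    return "hidden"
```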

