Viewing 8 posts - 1 through 8 (of 8 total)
  • Author
    Posts
  • May 26, 2019 at 10:45 am #1104283
    betaphase

    HI Guys,

    In the “class-form-generator.php” file, starting at line 794 you have a filter callback that allows us to change the value of $proceed (true/false). However, you have code immediately following the callback that can alter the value of $proceed (line 798). So if I want to prevent emails that contain certain words from being sent and I return false from my filter callback when a bad word is detected, $this->check_recaptcha_token( $new_post[‘label_input’] ) could potentially switch $proceed back to true and render my filter useless:

    			//hook to stop execution here and do something different with the data
			$proceed = apply_filters( 'avf_form_send', true, $new_post, $this->form_params, $this );
			
			if( $this->is_recaptcha() ) {
				$proceed = $this->check_recaptcha_token( $new_post['label_input'] ); // <--- this line renders any change to the value of $proceed in the callback filter useless!
				
				if( $proceed ) {
					delete_transient( 'avia_recaptcha_transient_' . $proceed );
				}
			}
			if( ! $proceed )
			{
				if( is_null( $proceed ) )
				{
					return false;
				}
				else
				{
					return true;
				}
			}

    The filter can only return true or false, so the only thing I can do is exit(); instead of allowing Enfold’s process for preventing the submission.

    Great product. I have purchased several installs because it’s so versatile! Keep up the good work.

    Thanks,
    Andy

    May 30, 2019 at 5:20 am #1105331
    Ismael

    Hey betaphase,

    Thanks for the update.

    We are currently improving the reCATPCHA option in the theme. Are you using it for your contact form? The following line will only be executed if the option is enabled.

    if( $this->is_recaptcha() ) {
				$proceed = $this->check_recaptcha_token( $new_post['label_input'] ); // <--- this line renders any change to the value of $proceed in the callback filter useless!

				if( $proceed ) {
					delete_transient( 'avia_recaptcha_transient_' . $proceed );
				}
			}

    Best regards,
    Ismael

    May 30, 2019 at 9:05 am #1105391
    betaphase

    This isn’t a support request, rather, I’m explaining why the position of the line below is flawed. It is only reliable IF reCAPTCHA is disabled, and will fail if it’s enabled. You should fix this.
    $proceed = apply_filters( 'avf_form_send', true, $new_post, $this->form_params, $this );

    • This reply was modified 5 years, 5 months ago by betaphase.
    May 31, 2019 at 5:28 am #1105591
    Ismael

    Hi,

    Thank you for the clarification. We’ll forward that to the dev team.

    We will probably add another filter right after the recaptcha authentication. Something like this:

    $proceed = $this->check_recaptcha_token( $new_post['label_input'] );

if( $proceed ) {
	delete_transient( 'avia_recaptcha_transient_' . $proceed );
        $proceed = apply_filters( 'avf_form_send_recaptcha_authenticated', true, $new_post, $this->form_params, $this );
}

    That should allow you to change the value of the $proceed based on certain conditions even when the spam protection is enabled.

    Best regards,
    Ismael

    May 31, 2019 at 11:44 am #1105658
    betaphase

    Yeah that makes sense. Thanks for passing it along!

    May 31, 2019 at 4:05 pm #1105724
    Jordan Shannon

    Hi,

    Did you need additional help or shall we close this topic?

    Best regards,
    Jordan Shannon

    May 31, 2019 at 4:55 pm #1105751
    betaphase

    Close away! Thanks.

    May 31, 2019 at 5:07 pm #1105757
    Jordan Shannon

    Hi,

    If you need additional help, please let us know here in the forums.

    Best regards,
    Jordan Shannon

  • Author
    Posts
Viewing 8 posts - 1 through 8 (of 8 total)
  • The topic ‘Form submission filter flaw (or feature request ;-))’ is closed to new replies.