Viewing 8 posts - 1 through 8 (of 8 total)
  • #1104283

    Hi Guys,

    In the “class-form-generator.php” file, starting at line 794 you have a filter callback that allows us to change the value of $proceed (true/false). However, you have code immediately following the callback that can alter the value of $proceed (line 798). So if I want to prevent emails that contain certain words from being sent and I return false from my filter callback when a bad word is detected, $this->check_recaptcha_token( $new_post['label_input'] ) could potentially switch $proceed back to true and render my filter useless:

    			//hook to stop execution here and do something different with the data
    			$proceed = apply_filters( 'avf_form_send', true, $new_post, $this->form_params, $this );
    			
    			if( $this->is_recaptcha() ) {
    				$proceed = $this->check_recaptcha_token( $new_post['label_input'] ); // <--- this line renders any change to the value of $proceed in the callback filter useless!
    				
    				if( $proceed ) {
    					delete_transient( 'avia_recaptcha_transient_' . $proceed );
    				}
    			}
    			if( ! $proceed )
    			{
    				if( is_null( $proceed ) )
    				{
    					return false;
    				}
    				else
    				{
    					return true;
    				}
    			}
    
    

    The filter can only return true or false, so the only thing I can do is exit(); instead of allowing Enfold’s process for preventing the submission.

    Great product. I have purchased several installs because it’s so versatile! Keep up the good work.

    Thanks,
    Andy

    #1105331

    Hey betaphase,

    Thanks for the update.

    We are currently improving the reCAPTCHA option in the theme. Are you using it for your contact form? The following line will only be executed if the option is enabled.

    if( $this->is_recaptcha() ) {
    	$proceed = $this->check_recaptcha_token( $new_post['label_input'] ); // <--- this line renders any change to the value of $proceed in the callback filter useless!

    	if( $proceed ) {
    		delete_transient( 'avia_recaptcha_transient_' . $proceed );
    	}
    }
    

    Best regards,
    Ismael

    #1105391

    This isn’t a support request, rather, I’m explaining why the position of the line below is flawed. It is only reliable IF reCAPTCHA is disabled, and will fail if it’s enabled. You should fix this.
    $proceed = apply_filters( 'avf_form_send', true, $new_post, $this->form_params, $this );

    • This reply was modified 5 years, 7 months ago by betaphase.
    #1105591

    Hi,

    Thank you for the clarification. We’ll forward that to the dev team.

    We will probably add another filter right after the recaptcha authentication. Something like this:

    $proceed = $this->check_recaptcha_token( $new_post['label_input'] );

    if( $proceed ) {
    	delete_transient( 'avia_recaptcha_transient_' . $proceed );
    	$proceed = apply_filters( 'avf_form_send_recaptcha_authenticated', true, $new_post, $this->form_params, $this );
    }

    That should allow you to change the value of the $proceed based on certain conditions even when the spam protection is enabled.

    Best regards,
    Ismael
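
The ordering problem discussed in this thread, as an added stand-alone PHP example that is not part of any post and is not Enfold's code. `run_filter()` is a hypothetical stand-in for `apply_filters()`, and the blocked word, token value and sample posts are constructed; the script compares the quoted order with one where the callback runs after the token check.

```php
<?php
// Added illustration: stand-alone PHP, no WordPress or Enfold code is loaded.
// run_filter() is a hypothetical stand-in for apply_filters(); the blocked
// word, token value and sample posts are constructed.

function run_filter(array $callbacks, $value, array $post) {
    foreach ($callbacks as $cb) {
        $value = $cb($value, $post);
    }
    return $value;
}

// Callback of the kind described in the first post: veto on a blocked word.
$callbacks = [
    function ($proceed, array $post) {
        return stripos($post['message'], 'casino') === false ? $proceed : false;
    },
];

// Order quoted in the thread: the captcha result replaces the filter result.
function decide_overwrite(array $callbacks, array $post, bool $captcha_on, $token) {
    $proceed = run_filter($callbacks, true, $post);
    if ($captcha_on) {
        $proceed = $token; // the callback's veto is lost here
    }
    return (bool) $proceed;
}

// Alternative order: captcha first, then the callback, so a veto always holds.
function decide_veto_last(array $callbacks, array $post, bool $captcha_on, $token) {
    $proceed = $captcha_on ? (bool) $token : true;
    if ($proceed) {
        $proceed = run_filter($callbacks, true, $post);
    }
    return (bool) $proceed;
}

$cases = [
    ['spam, captcha passed',  ['message' => 'Best CASINO deals'], true,  'tok123'],
    ['clean, captcha passed', ['message' => 'Quote request'],     true,  'tok123'],
    ['clean, captcha failed', ['message' => 'Quote request'],     true,  false],
    ['spam, captcha off',     ['message' => 'casino bonus'],      false, false],
];

foreach ($cases as [$label, $post, $on, $token]) {
    printf("%-22s overwrite=%-5s veto_last=%s\n", $label,
        var_export(decide_overwrite($callbacks, $post, $on, $token), true),
        var_export(decide_veto_last($callbacks, $post, $on, $token), true));
}
```

The two functions disagree only on the first case, where a valid token is present and the callback has vetoed the message.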

    #1105658

    Yeah that makes sense. Thanks for passing it along!

    #1105724

    Hi,

    Did you need additional help or shall we close this topic?

    Best regards,
    Jordan Shannon

    #1105751

    Close away! Thanks.

    #1105757

    Hi,

    If you need additional help, please let us know here in the forums.

    Best regards,
    Jordan Shannon

  • The topic ‘Form submission filter flaw (or feature request ;-))’ is closed to new replies.