Form can be submitted without completing the captcha challenge!

Hello everyone,

My contact form is a simple form using a post webhook.

I recently noticed I was receiving a lot of marketing e-mails from my website, which was strange because I have a CAPTCHA. Then I did some digging and found out: the form can be submitted without completing the CAPTCHA challenge!

Any idea how to fix this?

Make sure the reCAPTCHA Bric is nested within the Form container:

Screenshot 2022-06-30 at 17.14.31
Screenshot 2022-06-30 at 17.14.41

Should I delete the bloc and try again, or is this a bug related to the custom post address?

I would suggest setting it to Self Hosted and seeing if the issue persists. I see you have a class applied to the whole form container. Not sure what that one does though. :thinking:

@Jerry CAPTCHA is working with the Self Hosted option, so I ended up reporting it as a bug. Thank you for collaborating on this one.

1 Like

The captcha code has to be evaluated server side. That can only be done when using the built-in PHP form.

How should a client side POST be able to evaluate the captcha code correctly? Would be too easy to spoof that.

So what? The POST should run server side as well.

?

Just trying to help.

Most probably not on the same page I guess.

At the end only @Norm can answer.

Edit: never mind, if you’re going to be short with people trying to help.

All the best.

Apologies, that did not come out well.

In a more detailed description, the fact that CAPTCHA needs to be evaluated on the server should not have an impact on the POST call. After all, a BlocsApp user should not really care about how it’s done. Expected behavior (mine at least) would be for CAPTCHA to also protect the webhook, which is actually the behavior of any other online form I have worked with.

You’re not using the Blocs built-in form handler, correct?

Hi @PeteSharp

I think I do

Screenshot 2022-07-02 at 13.01.41
Screenshot 2022-07-02 at 13.02.47

I’m talking about the form.

Hi @PeteSharp, thank you for contributing!

Not sure what the question is. Do the following screenshots answer your question? Everything I am using is the defaults, except for POST instead of self hosted.

As I understand it, Blocs generates the form handler (PHP file) with the fields inside the form. If you have the captcha bric in there, it also adds the code required to process the challenge (all server side, as Jannis was saying).

Since you are using your own “form handler”, you will need to add captcha support into your code.

1 Like
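
Server-side verification as described in the post above, as an added example (not code from Blocs or from anyone in this thread). It assumes the CAPTCHA Bric is Google reCAPTCHA v2, which adds the solved token to the POST as `g-recaptcha-response`; `handle_submission`, `SECRET_KEY`, the `hostname` check and the status codes are illustrative choices.

```python
import json
import urllib.parse
import urllib.request

VERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"
SECRET_KEY = "YOUR_RECAPTCHA_SECRET_KEY"  # placeholder; keep it server-side only


def siteverify(secret, token, remote_ip=None):
    """Ask Google whether the token is valid; returns the decoded JSON reply."""
    fields = {"secret": secret, "response": token}
    if remote_ip:
        fields["remoteip"] = remote_ip
    body = urllib.parse.urlencode(fields).encode()
    with urllib.request.urlopen(VERIFY_URL, data=body, timeout=5) as resp:
        return json.load(resp)


def handle_submission(form, remote_ip=None, verify=siteverify, hostname=None):
    """Return (http_status, message) for one POSTed form, given as a dict."""
    token = (form.get("g-recaptcha-response") or "").strip()
    if not token:
        # The case from this thread: the POST arrived with no solved challenge.
        return 400, "CAPTCHA response missing"
    try:
        result = verify(SECRET_KEY, token, remote_ip)
    except (OSError, ValueError):
        # Network or JSON failure: fail closed, do not accept the message.
        return 503, "CAPTCHA could not be verified"
    if result.get("success") is not True:
        return 403, "Invalid CAPTCHA"
    if hostname and result.get("hostname") != hostname:
        # Token was solved on a different site than the one serving the form.
        return 403, "Invalid CAPTCHA"
    # Only here is it safe to send the e-mail or store the message.
    return 200, "Message accepted"


if __name__ == "__main__":
    # Constructed sample submissions, checked against a stub instead of Google.
    def stub(secret, token, ip):
        return {"success": token == "good-token", "hostname": "example.com"}
    for form in ({"message": "buy now"},
                 {"message": "hi", "g-recaptcha-response": "expired"},
                 {"message": "hi", "g-recaptcha-response": "good-token"}):
        print(handle_submission(form, verify=stub, hostname="example.com"))
```

Each reCAPTCHA token can be verified once and expires after two minutes, so a replayed or stale token comes back with `success: false` and is rejected by the same branch.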

Thank you for the recommendation @PeteSharp, I will implement the CAPTCHA verification on my side of things. I still do not consider this to be the expected behaviour, but a workaround.

Any idea how to show an ‘Invalid CAPTCHA’ message in the web form if the challenge is not passed? I assume my webhook should respond with 401?

I would expect this to be the behaviour. You have chosen custom. Blocs isn’t managing the form code for you.

I suspect you might need to add the captcha to the form too without the Bric. Custom forms I’ve implemented I’ve built without the form bric so not 100% sure on that.

I guess that’s not enough. That would require the Blocs form to post the data via Ajax to the custom endpoint, which, afaik, isn’t the case. Just try, you’ll see.

1 Like

I guess the easiest fix from Blocs side is to allow us to make it a required field. So if the user forgot to do the CAPTCHA validation, it does not proceed to the webhook.

I implemented it just now and this is the only issue I identified. If the CAPTCHA is invalid, then OK a simple error response is fine since this will not happen unless I messed up