Spam prevention interfere with Avada Forms

  • Resolved we-are-ferris

    (@weareferris)


    1 year ago

    Hello,

    since the 5.2.5 update, it seems that enabling Detect spambots that post comments affects Avada forms (AIOS option can be found here: admin.php?page=aiowpsec_spam&tab=comment-spam).

    Avada forms is an element of the Avada Builder with which you can create any form (e.g. a contact form). Just like with CF7 or Gravity forms.

    I think the setting should only work for comments or am I missing something? So let me go into detail.

    When a page contains a form, AIOS adds some Javascript to that page. This piece of code creates some hidden fields with randomly created input field names and values. When the form is submitted, these hidden fields are then sent along so that the recipient can see them.

    The corresponding code can be found here:
    all-in-one-wp-security-and-firewall/classes/wp-security-comment.php

    Here is the method (see around line 142):

    public static function insert_antibot_keys_in_comment_form() {

    $key_map_arr = self::generate_antibot_keys();

    if (empty($key_map_arr)) {
        return;
    }

    ?>
    <script>
        document.addEventListener('DOMContentLoaded', function (event) {
            for (let i = 0; i < document.forms.length; ++i) {
                let form = document.forms[i];
                <?php
                    foreach ($key_map_arr[0] as $key) {
                        echo 'if (form.method != "get") {  var input' . esc_attr($key[0]) . ' = document.createElement("input"); input' . esc_attr($key[0]) . '.setAttribute("type", "hidden"); input' . esc_attr($key[0]) . '.setAttribute("name", "' . esc_attr($key[0]) . '");  input' . esc_attr($key[0]) . '.setAttribute("value", "' . esc_attr($key[1]) . '"); form.appendChild(input' . esc_attr($key[0]) . '); }' . "\n";
                    }
                ?>
            }
        });
    </script>
    <?php
}

    Deactivating the spam protection option mentioned at the beginning solved the problem, but then you no longer have spam protection.

Viewing 5 replies - 1 through 5 (of 5 total)
  • Plugin Support hjogiupdraftplus

    (@hjogiupdraftplus)

    Hi @weareferris

    Ok, I will create an internal ticket for this, If possible can you please share the page url using https://pastebin.com/ burn after read option.

    Generally on post detail page those fields are added to the all forms and for comment post back it gets checked with stored values.

    For Avada form it should be posting back those fields. It seems to be added to the comment form only somehow if possible..

    Thread Starter we-are-ferris

    (@weareferris)

    Thank you for your fast reply. There’s one more thing to mention.

    In Avada Forms so-called notifications are used to forward a form to an email address. In the notifications you have the possibility to send all fields or only certain fields. To send all fields you have to enter the following shortcode in the notification: [all_fields]

    And I think here is the problem. I don’t know exactly how Avada handles it, but I imagine they grab all the relevant input fields of a form (maybe by type), exclude buttons, their own honeypot fields, etc. and then submit the form.

    For smaller forms the Avada/Aios problem can be avoided by not using this shortcode and only using the shortcodes of the fields that should really be sent, e.g. [name] [email] [subject] [message] instead of [all_fields].

    I hope I have explained it halfway understandable =)

    Here’s the pastebin:
    https://pastebin.com/N2u453pJ

    What it looks like in the email you get after someone submits the form:
    https://imgur.com/a/YzxEN73

    Plugin Support hjogiupdraftplus

    (@hjogiupdraftplus)

    Hi @weareferris

    Thanks for the more information.

    All fields being posted back considered that is why it showing.

    But we are working on a fix so for this form those inputs are not added.

    Regards

    Plugin Support hjogiupdraftplus

    (@hjogiupdraftplus)

    Hi?@weareferris

    We have worked on the issue of Spam prevention interfering with other forms and posting back the input hidden fields.
    If on post back the email is supposed to add all post back fields those extra key values also got added.

    Can you please upload the zip as Add a new plugin and replace it with the existing AIOS plugin and confirm the issue is solved?

    https://gofile.io/d/1XaScH

    This fix is going to be in the next release.

    Regards

    Thread Starter we-are-ferris

    (@weareferris)

    Hi @hjogiupdraftplus,

    I can confirm that this fix has solved the issue.
    Well done. Many thanks for your efforts.

    Regards

Viewing 5 replies - 1 through 5 (of 5 total)
  • The topic ‘Spam prevention interfere with Avada Forms’ is closed to new replies.