homepage field not filled in WebformSubmissionForm::validateFormValues

Created on 14 June 2023, over 1 year ago
Updated 15 June 2023, over 1 year ago

Problem/Motivation

Honeypot fields are not correctly validated when using the combination of modules webform, honeypot and webform_rest. This has already been reported in webform_rest#3036145 (Support Honeypot, Active).

The Honeypot module adds a hidden field "homepage" that is meant to fail validation when it has been filled by the user.

webform_rest uses WebformSubmissionForm::validateFormValues() to verify everything is fine, but a filled honeypot homepage field does not fail validation - although it should.

Problem cause

When using WebformSubmissionForm::validateFormValues(), the form field values that are used for validation are ultimately filled from $element['#default_value'] in FormBuilder::handleInputElement().

Honeypot elements do not have that #default_value set.

Steps to reproduce

  1. Install webform, webform_rest and honeypot modules
  2. Create webform
  3. Enable honeypot fields in webform
  4. Submit webform via webform_rest while having the honeypot "homepage" field filled
  5. Validation should fail but does not

Proposed resolution

Fetch form submission data from $form_state->getFormObject()->getEntity()->data and use that in HoneypotService::addFormProtection() as #default_value.

🐛 Bug report
Status

Closed: works as designed

Version

2.1

Component

Code

Created by

🇩🇪 Germany cweiske


Comments & Activities

  • Issue created by @cweiske
  • Status changed to Postponed: needs info over 1 year ago
  • 🇺🇸 United States tr Cascadia

    > The Honeypot module adds a hidden field "homepage"

    The Honeypot module adds a hidden field. The default field name is "url".

    > Honeypot elements do not have that #default_value set.

    Correct, the default value is not set and should NOT be set. The only way this hidden field should have a value is if someone entered a value before submission. If it has any value at all, even a default one, it should fail validation.

    > Fetch form submission data from $form_state->getFormObject()->getEntity()->data and use that in HoneypotService::addFormProtection() as #default_value.

    This is wrong for two reasons:

    1. The hidden field should not have a default value.
    2. getEntity() works only if you have a form that implements EntityFormInterface. MOST uses of honeypot do not attach the field to an entity form, and in those cases this suggested code will cause an error.

    It's not clear to me what you think the Honeypot module is doing wrong. Honeypot is using the Form API correctly, as far as I can tell. If some other module is assuming something about the Honeypot form element that's not true, that other module will also be making the same wrong assumption about other form elements. The problem is with the assumption, not with the module (Honeypot) where the assumption is wrong.

  • Status changed to Closed: works as designed over 1 year ago
  • 🇩🇪 Germany cweiske

    Re "homepage" field name: I already gave the field a different name here in my setup, and so I looked up the docs, which said "homepage".

    Re default values should not be set: Webform module expects #default_value to contain the value of a submission when it is submitted programmatically, so my patch only set the default value when such a programmatic submission is available.
    I understand your point that you're using the Form API correctly. I'll reopen my webform issue #3366746 (Honeypot fields not filled in WebformSubmissionForm::validateFormValues, Active) and request that webform should fill #default_value of honeypot fields for programmatic form submissions.
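
A simplified, self-contained PHP model of the behaviour discussed in this thread, added here as an illustration; it is not Drupal, Webform, Honeypot or webform_rest code. The function names, the `#honeypot` marker and the payload are constructed for the example, and the trap field name "url" is the default mentioned in the comments. It shows why a validator that only sees values derived from `#default_value` never observes a filled trap field, and how checking the raw submitted data catches it.

```php
<?php
// Simplified model only: all function names and the '#honeypot' marker are hypothetical.

// Elements as they might look after form building: regular fields receive the
// submission data as #default_value, the trap field has no #default_value.
function build_elements(array $submission): array {
  return [
    'email' => ['#type' => 'email', '#default_value' => $submission['email'] ?? ''],
    'url'   => ['#type' => 'textfield', '#honeypot' => TRUE],
  ];
}

// Programmatic validation as described in the issue: the values that get
// validated are taken from #default_value, not from the submitted payload.
function values_for_validation(array $elements): array {
  $values = [];
  foreach ($elements as $name => $element) {
    $values[$name] = $element['#default_value'] ?? '';
  }
  return $values;
}

// Honeypot-style rule: any non-empty value in a trap field is an error.
function honeypot_errors(array $elements, array $values): array {
  $errors = [];
  foreach ($elements as $name => $element) {
    $value = trim((string) ($values[$name] ?? ''));
    if (!empty($element['#honeypot']) && $value !== '') {
      $errors[$name] = 'Honeypot field must stay empty.';
    }
  }
  return $errors;
}

// Constructed API payload in which the trap field has been filled in.
$payload = ['email' => 'visitor@example.org', 'url' => 'http://example.org/'];
$elements = build_elements($payload);

// Path from the issue: the submitted "url" value never reaches the validator.
$via_defaults = honeypot_errors($elements, values_for_validation($elements));
// Same rule applied to the raw payload before the submission is accepted.
$via_payload = honeypot_errors($elements, $payload);

printf("errors via #default_value path: %d\n", count($via_defaults));
printf("errors via raw payload check:   %d\n", count($via_payload));
```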
