Skip to content

Spam protection using a honeypot field for the Neos form builder

License

Notifications You must be signed in to change notification settings

daniellienert/honeypotformfield

Repository files navigation

Honeypot Field for Neos.Form and Neos.Form.Builder

Latest Stable Version Total Downloads License

This package adds an HoneypotField element, which can be used within your forms. This element is rendered hidden and should never be filled out by a real form user.

A spam detection finisher checks if the form contains such honeypot fields. If any of that fields are filled out, additional field values are introduced which can be used in the following finishers to handle spam.

Installation

composer require dl/honeypotformfield

Usage

Using the flow form configuration

type: 'Neos.Form:Form'
identifier: 'my-form'
renderables:
  items:
    type: 'Neos.Form:Page'
    identifier: 'my-page'
    renderables:
      name:
        type: 'Neos.Form:SingleLineText'
        identifier: 'name'
      honeyPot:
        type: 'DL.HoneypotFormField:HoneypotField'
        identifier: 'full_name'

finishers:
  spamDetection:
    identifier: 'DL.HoneypotFormField:SpamDetectionFinisher'

Using the Neos Form Builder

Requires the suggested package neos/form-builder.

  1. Add honeypot form fields (at least one - as many as you like)
  2. Add the Spam detection finisher before the finishers, that should use the spam markers.

Usage of honeypot field and detection finisher

The finisher adds the following new formFields to the formState:

FieldName Value Usage
spamDetected bool true / false when the submitted form is detected as spam {formState.formValues.spamDetected}
spamMarker Contains [SPAM] if detected. Can be used in eMails {formState.formValues.spamMarker}
spamFilledOutHoneypotFields Contains the filled honeypot fields {formState.formValues.spamFilledOutHoneypotFields}

Mark sent mails as spam

These fields can then be used for example to mark mails as spam:

Use the spam marker in email header

Settings

Cancel mail sending on spam detection

When the cancelSubsequentFinishersOnSpamDetection setting is set to true, subsequent finishers are not executed when the form was detected as spam.

Use the spam marker in email header

Here the confirmation message is shown but mail sending is cancelled.

Configuration:

DL:
  HoneypotFormField:
    cancelSubsequentFinishersOnSpamDetection: true

Log form content when detected as spam

In order to debug the spam detection and to see what kind of spam is coming in, you can enable the logging of the complete form content with setting logSpamFormData to true.

Configuration:

DL:
  HoneypotFormField:
    logSpamFormData: true