[drupal-devel] [bug] comment preview "Required" is easily bypassed
killesreiter at physik.uni-freiburg.de
Mon Aug 8 04:50:17 UTC 2005
On Sun, 7 Aug 2005, Jeremy Andrews wrote:
> my filter. I finally realized what the spammer is doing is
> setting $_POST['op'] to 'Post comment', effectively bypassing
> the preview phase.
> I have the feeling I'm missing a simpler, cleaner solution.
I think that the form code rewrite that I've proposed and that Adrian
is/was working on should take care of this. It would check whether a
field "op" could have been present in the original form.
The problem is that in this case we have a dynamic form. I think that
checking a session variable would help. This would break
posting for clients which do not accept our cookie, which might be
quite welcome in this case. ;^)

Since you probably will not wait for Drupal 4.7, you should try to put
the unique preview ID into the session.
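
One way to implement the session-bound preview ID suggested above, as an added example that is not from the original message or from Drupal's code base. The function names, the `comment_preview` session key and the one-hour lifetime are assumptions, and `$session` stands in for `$_SESSION` so the script runs from the command line.

```php
<?php
// Added example: hypothetical helper names, not Drupal API.
// $session stands in for $_SESSION so the script runs from the CLI.

const PREVIEW_TTL = 3600; // assumed lifetime of a preview ID, in seconds

// Called when the preview page is rendered: remember a fresh ID on the
// server side and return it for embedding as a hidden form field.
function preview_issue_id(array &$session, int $nid, int $now): string {
    $id = bin2hex(random_bytes(16));
    $session['comment_preview'][$id] = ['nid' => $nid, 'issued' => $now];
    return $id;
}

// Called when op is 'Post comment': accept only an ID that this session
// was actually given for this node, and consume it so it cannot be reused.
function preview_consume_id(array &$session, int $nid, $id, int $now): bool {
    if (!is_string($id) || !isset($session['comment_preview'][$id])) {
        return false; // no preview was rendered for this session
    }
    $entry = $session['comment_preview'][$id];
    unset($session['comment_preview'][$id]); // single use
    return $entry['nid'] === $nid && ($now - $entry['issued']) <= PREVIEW_TTL;
}

// Constructed walk-through of the four cases the check has to separate.
$session = [];
$now = time();

// 1. op set to 'Post comment' directly, with no preview ID submitted.
var_dump(preview_consume_id($session, 42, null, $now));

// 2. Normal flow: preview rendered, then the comment is posted.
$id = preview_issue_id($session, 42, $now);
var_dump(preview_consume_id($session, 42, $id, $now + 30));

// 3. The same ID submitted a second time.
var_dump(preview_consume_id($session, 42, $id, $now + 60));

// 4. An ID issued for a preview on a different node.
$other = preview_issue_id($session, 7, $now);
var_dump(preview_consume_id($session, 42, $other, $now + 5));
```

Only the second call is accepted. As the message notes, a client that does not return the session cookie never has a stored ID and therefore cannot post.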