A guestbook plugin providing several mechanisms for spam prevention
What does it do?
This is a guestbook built on TYPO3 Extbase. It uses several mechanisms for spam prevention:
- Honeypot fields
- Minimal form submission time (spambot prevention)
- Unique hash for every form post (detects POST replay by spam bots and prevents faking the timestamp)
- Form HTML scramble (can be disabled in TS constants)
- Security question: the user has to solve a simple random addition (can be disabled in TS constants)
- New entries can be stored hidden so they can be reviewed by email before publishing (can be enabled in TS constants)
- Email review of new entries (can be enabled in TS constants). Two links in the mail let the reviewer mark the post as spam or not spam.
- Block IPs of entries marked as spam (can be disabled in TS constants)
- If the field “url” is used, links in the guestbook list view are generated with the attribute “rel” set to “nofollow”. This removes the search-engine incentive for link spam, because search engines do not pass ranking to nofollow links; it does not by itself stop bots from posting.
Available fields for a guestbook entry record are:
- first name
- place (city)
- url (visitor’s website)
- comment (for editor’s comment)
Each guestbook entry also carries these fields for spam prevention:
- is spam: checked if the entry is spam
- remote ip: stores the IP address of the poster
- post hash: unique hash for every form post, stored to detect POST replay
By default IPs of entries marked as spam will be blocked for further posts.
Include the static template of the extension in your site template. The following TS constants are available:
blockSpamIps: Posts from IPs of guestbook entries marked as spam will be ignored.
useMathTest: Show a simple randomly generated addition in the form that the user has to solve to prove they are human.
reviewNewEntries: For every new entry, an email is sent to the reviewer, who decides whether the post is spam or not. Two links in the mail commit the decision. You have to provide an email address (‘reviewEmailAddress’) to make this work.
hideNewEntries: New entries are stored hidden. This option makes most sense in combination with the 'reviewNewEntries' option.
pageSize: Number of guestbook entries to show on one page.
reviewEmailAddress: Email address to send new-entry review mails to.
reviewEmailSenderAddress: Email sender address for review mails.
reviewEmailSenderName: Email sender name for review mails.
reviewEmailSubject: Review mail subject.
minFormSubmissionTime: Minimal time in milliseconds that has to pass between the generation of the form and its submission. A human usually cannot fill in and submit a form with a meaningful message in 2 seconds; a spambot can.
secret: This string is used to generate the hashes for the form and the review links. Change it to a long random string that is unique to your installation: anyone who knows the secret can compute valid form and review-link hashes.
Storage for guestbook entries
Set up the system folder to store the guestbook entries:
- TS-constant “Default storage PID” [plugin.tx_mmcguestbook.persistence.storagePid] or
- In the plugin (Behaviour > Record Storage Page).
- Fix version inconsistency
- Move JS to footer
- Rename files .ts to .typoscript
Bugfix: $isSpam default value in Model
Bugfixes (thanks to Loek Hilgersom):
- EntryController->getStandaloneView overrides original controller-context in TYPO3 10
- TypoScript condition in old style
Changed major version to 2 (dropped TYPO3 8 support)
Upgraded jquery core to 3.5.1
include js via typoscript-setup, use includeJSLibs for jQuery inclusion
bugfix: missing option to include jQuery
Fix in ext_emconf.php
Remove autogenerated comments in ext_emconf.php
Fix Viewhelper ifHasErrors
Fixed sendReviewMail bug
TYPO3 9.5 / 10.4 compatibility
rename constants.txt / setup.txt to *.ts
bugfix in constants.ts
Composer ready TYPO3 version constraint ^8.7
Bugfix (default value DomainModelEntry isSpam)
TYPO3 8 compatibility
Small bugfix; thanks to Ralf Klett
Multiple view-paths in typoscript-setup for TYPO3 7
TYPO3 7.6.xx compatibility
Changed state from 'beta' to 'stable'
Bugfix: hidden entries have not been found by approve/mark as spam
Bugfix (form was cached)
Added several spam protection features
- Block form POST replay (spambot-blocker)
- Minimal form submission time (spambot-blocker)
- Form HTML scramble (spambot-blocker)
- Security question (simple random addition to solve)
- Entries can be marked as spam -> block further posts from this IP
- Editorial review of every new entry (by email)
A hash of [timestamp + random + secret] is submitted with the form. The hash is checked server-side; if it is valid, it is stored with the new entry so that a replayed POST (same hash) can be rejected. Because the timestamp is covered by the hash, it cannot be faked to pass the submission-time check either.
The security question is a randomly generated simple addition. The result is hashed together with the secret and submitted with the form, then compared server-side. There is also client-side validation by JS.
New entries can either be published right away or first be stored hidden. An email for editorial review can be sent; the reviewer decides whether the post is spam or not just by clicking one of two links. These links are also protected by a hash. If the new entry was stored hidden, it is published once the decision is “not spam”. If the entry is marked as spam, further posts from its origin IP are blocked (can be disabled in TS constants).
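The three checks described above (form hash over timestamp + random + secret, minimum submission time, POST-replay detection) plus the hashed math answer and the honeypot field, shown as a self-contained example. This is added illustration code, not the extension's PHP: HMAC-SHA256 as the "hash with secret", the hidden-field names, the honeypot field name `website_hp`, and an in-memory set standing in for the stored "post hash" column are all assumptions. It also goes slightly beyond the text by binding the answer hash to the form's timestamp and nonce, so that an answer/hash pair observed once cannot be reused with a different form.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

# Added illustration of the checks described in the README, not the extension's PHP.
# ASSUMPTIONS: HMAC-SHA256 as the "hash with secret", the hidden-field names,
# a honeypot field called "website_hp", and an in-memory set standing in for
# the "post hash" column of stored entries.

SECRET = "replace-with-a-long-random-string"   # TS constant 'secret'
MIN_FORM_SUBMISSION_TIME_MS = 2000              # TS constant 'minFormSubmissionTime'


def _mac(*parts: str) -> str:
    """Keyed hash over the given parts (the README only says 'hash ... with secret')."""
    return hmac.new(SECRET.encode(), "|".join(parts).encode(), hashlib.sha256).hexdigest()


def render_form(now_ms: Optional[int] = None) -> Dict[str, str]:
    """Server side on GET: hidden fields to embed in the guestbook form."""
    ts = str(now_ms if now_ms is not None else int(time.time() * 1000))
    nonce = secrets.token_hex(16)                 # the "random" part
    a, b = secrets.randbelow(10), secrets.randbelow(10)
    return {
        "ts": ts,
        "nonce": nonce,
        # hash of [timestamp + random + secret]; covers ts, so it cannot be backdated
        "post_hash": _mac("post", ts, nonce),
        "question": f"{a} + {b}",
        # result hashed with the secret; additionally bound to ts/nonce so a known
        # answer/hash pair cannot be reused with another form (assumption, see lead-in)
        "answer_hash": _mac("math", ts, nonce, str(a + b)),
        "website_hp": "",                          # honeypot: must stay empty
    }


class UsedHashStore:
    """Stands in for the 'post hash' field stored with every accepted entry."""

    def __init__(self) -> None:
        self._seen = set()

    def seen(self, h: str) -> bool:
        return h in self._seen

    def add(self, h: str) -> None:
        self._seen.add(h)


def validate_post(fields: Dict[str, str], store: UsedHashStore, now_ms: int) -> Tuple[bool, str]:
    """Server side on POST: run the spam checks in order; returns (accepted, reason)."""
    if fields.get("website_hp", ""):
        return False, "honeypot filled"
    ts = fields.get("ts", "")
    nonce = fields.get("nonce", "")
    post_hash = fields.get("post_hash", "")
    if not ts.isdigit():
        return False, "bad timestamp"
    # 1. the form hash proves ts and nonce were issued by this server (constant-time compare)
    if not hmac.compare_digest(_mac("post", ts, nonce), post_hash):
        return False, "invalid form hash"
    # 2. minimum submission time, measured against the now-trusted ts
    if now_ms - int(ts) < MIN_FORM_SUBMISSION_TIME_MS:
        return False, "submitted too fast"
    # 3. replay: the same form hash has already been accepted once
    if store.seen(post_hash):
        return False, "replayed form"
    # 4. math question: compare the keyed hash of the submitted answer
    answer = fields.get("answer", "").strip()
    if not hmac.compare_digest(_mac("math", ts, nonce, answer), fields.get("answer_hash", "")):
        return False, "wrong answer"
    store.add(post_hash)
    return True, "ok"
```

The order matters: the hash is verified before the timestamp is trusted, so a client cannot backdate `ts` to satisfy the minimum submission time. In the real extension the role of `UsedHashStore` is played by the "post hash" field of the stored entries.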
Server side form validation
Validation works completely server-side even if client-side validation is disabled; the JS check is a convenience only. To remove client-side validation, just remove the “onsubmit” attribute of the form.