ChangeLog¶

Added several spam protection features¶

• Block form POST replay (spambot-blocker)
• Minimal form submission time (spambot-blocker)
• Form HTML scramble (spambot-blocker)
• Security question (simple random addition to solve)
• Entries are markable as spam -> block further posts from this IP
• Redactional review of every new entry (by email)

Hash of [timestamp+random+secret] is submitted with the form. The hash will be checked server-side, if valid it will be stored with the new entry to prevent POST-replay. The timestamp (to check form submission time) can’t be faked this way, too.

The security question is a simple addition, randomly generated. The result is hashed with secret and submited with the form and then compared serverside. There is also a client-side validation by js.

New entries can be either published right away, or first be stored hidden. An email for redactional review can be sent, the reviewer can decide if the post is spam or not, just by clicking one or the other link. These links are also protected by a hash. If the new entry was stored hidden, it will be published now if the decision is “not spam”. If the entry is marked as spam, further posts from it’s origin IP will be blocked (can be disabled in TS constants).

Server side form validation¶

Validation works completly server side if you disable client side validation. To remove client side validation, just remove the “onsubmit” attribute of the form.