Textpattern CMS support forum
#205 2006-02-08 18:40:47
Re: Plug-in: zem_contact_reborn
See how we think about you all. ;) Actually that bit is too complicated for me but your button, on the other hand, isn’t. I’ll have a look. So what we could end up with then is an attribute – button=“yes” – default is “no” – and if set to “yes” you get a button instead of an input. That sound about right?
I don’t think this will affect anything else will it tranquillo?
And I always keep a beady eye on ids and classes so rest assured that any added fields will conform.
Whilst we are on the subject in general I’ve noticed that the “for” attribute that is output in “labels” causes a problem, but only for the “select label”, when the DTD is set to “XHTML 1.0 Strict” and probably “XHTML 1.1” as well, though I haven’t tried that. I have the impression that, in plain English rather than jargon, the label doesn’t know what it is a label for. Anyway I was wondering exactly what purpose the “for” attribute served. Would it cause some problem if it were removed from the “select label” output permanently?
Stuart
In a Time of Universal Deceit
Telling the Truth is Revolutionary.
Offline
#206 2006-02-08 19:51:14
Re: Plug-in: zem_contact_reborn
The button thing sounds great.
With regards to the label: “for” is used to associate the “label” with the form control. The “for” should match the “id” of the form control.
Where the problem is in the current plugin is that there is no “id” being put onto the “select” tag. If the “select” had an “id” that matched its “label’s” “for” value then you wouldn’t see any problems. This is valid for all versions of xhtml (strict and 1.1).
Please do not remove it. That would be introducing accessibility errors. As it is now, it needs to be fixed by adding the “id” to the “select” tag.
Refresh Dallas and other Refreshing Cities.
Offline
#207 2006-02-08 20:15:26
Re: Plug-in: zem_contact_reborn
Ah. There you go then. A case of working from the other direction. So that’s on the list of things to do.
As for the button. I’ve just added the code in and got myself a lovely button which even highlights itself when hovered over, but the damn thing doesn’t work! Oh woe is me say I. So I shall have to do some checking. Just for your information I did create a button element as opposed to an “input type=button” which would require some added javascript mumbo-jumbo to do the “submit” bit. No luck with it though. The attribute worked so button=“yes” gave you a button instead of an input. It’s the button itself which appears to have the problem.
So you will have to live with the input for a while longer tinyfly and be thankful I like ids and classes. ;)
I shall learn all this stuff one day. Watch this space. :)
Last edited by thebombsite (2006-02-08 20:18:59)
Stuart
In a Time of Universal Deceit
Telling the Truth is Revolutionary.
Offline
#208 2006-02-08 20:21:48
Re: Plug-in: zem_contact_reborn
Make sure “button” has type=“submit” as an attribute and check to see if the hidden zem_contact_nonce input is still being created with the change.
Refresh Dallas and other Refreshing Cities.
Offline
#209 2006-02-08 20:30:18
Re: Plug-in: zem_contact_reborn
Yes, type=“submit” I had in there. In fact the tag was much as it is now except that <submit> is a wraptag so I removed “value=$label” and placed $label between the tags. I shall look at the code around zem_contact_nonce. Thanks for the pointer.
Stuart
In a Time of Universal Deceit
Telling the Truth is Revolutionary.
Offline
#210 2006-02-09 00:34:04
- alannie
- Member
- From: Minnesota, USA
- Registered: 2005-09-15
- Posts: 150
Re: Plug-in: zem_contact_reborn
First let me say, what a great plugin! Thanks to all who contributed. Now, I’ve got it almost completely set up except for one thing that’s got me stumped. I can’t seem to get any kind of “thanks” page to show up. When I fill out the form and hit the submit button, an email does get sent, but the form itself just reloads with no confirmation message of any kind. I’ve set up the <code>thanks_form</code> attribute for the <code><txp:zem_contact> </code> tag and triple-checked to make sure it’s pointing to the correct form (and that the form itself exists!).
I’m sure I’m overlooking something obvious, but any ideas??
Offline
#211 2006-02-09 01:51:06
Re: Plug-in: zem_contact_reborn
Hi alannie. It’s not something I normally use but I just tried it over at thebombsite.com and it worked fine. My opening tag was like this:-
<code><txp:zem_contact to="me@mysite.com" thanks_form="thankyou"></code>
The “thankyou” form template was just a simple paragraph – <code><p>Thanks for your message. I shall get back to you as soon as I can.</p></code>
Last edited by thebombsite (2006-02-09 01:52:26)
Stuart
In a Time of Universal Deceit
Telling the Truth is Revolutionary.
Offline
#212 2006-02-09 09:12:05
- -P-
- Member
- From: Finland
- Registered: 2005-09-10
- Posts: 211
Re: Plug-in: zem_contact_reborn
<blockquote> > thebombsite wrote:
> Bots are getting more clever by the minute. I take it the WP plug-in doesn’t have a similar function then. Maybe it’s time to wake the developer up. ;)
We are currently looking at adding a couple of empty “hidden” fields. When the form is sent it will only be accepted if the fields remain empty. If some really clever bot has filled them in… and combine that with a checkbox as well… maybe it will blow itself up.
</blockquote>
I received those actual spams today myself, sent via contact_reborn, sender address fake address with my domain, princessdom. And after I had added checkbox. It is set to yes there. I'd say this is a serious vulnerability and something needs to be done quickly, please.
Last edited by -P- (2006-02-09 09:12:46)
Offline
#213 2006-02-09 09:37:55
Re: Plug-in: zem_contact_reborn
Thanks P. It is being worked on. I’m not sure what you meant about the checkbox. Are you saying that who or whatever is sending these has checked it?
Stuart
In a Time of Universal Deceit
Telling the Truth is Revolutionary.
Offline
#214 2006-02-09 09:50:17
- -P-
- Member
- From: Finland
- Registered: 2005-09-10
- Posts: 211
Re: Plug-in: zem_contact_reborn
Yes, the checkbox has been checked. I guess the who or whatever can/knows how to fill required fields, be it subject field or checkboxes.
Could the solution be flood control, for example only one email in 10 minutes and captcha?
Anyway, this deeply sucks. Not a very nice thing to explain to all the people that have a contact form on their site… that because of it they suddenly start receiving these new spams. And what is worse, somebody uses their domain in spam email addresses. I just hate the internet sometimes.
Last edited by -P- (2006-02-09 10:39:11)
Offline
#215 2006-02-09 16:07:46
- alannie
- Member
- From: Minnesota, USA
- Registered: 2005-09-15
- Posts: 150
Re: Plug-in: zem_contact_reborn
> thebombsite wrote:
> <code><txp:zem_contact to="me@mysite.com" thanks_form="thankyou"></code>
> The “thankyou” form template was just a simple paragraph – <code><p>Thanks for your message. I shall get back to you as soon as I can.</p></code>
Thanks for your reply. I have it set up the same way and even tested the thanks form with an <code>txp:output_form</code> tag. I think there may be something wrong with my overall setup, because any error messages get repeated four times. Probably because I have <code>txp:article</code> appearing four times throughout the page. Could that be related to this issue? Is it bad to have more than one instance of that tag? (I use it to output various parts of the article such as title, custom fields, etc. in different places on the page).
Any other ideas for troubleshooting?
Offline
#216 2006-02-09 16:52:40
- neptho
- Member
- From: A cold, dark place.
- Registered: 2006-02-01
- Posts: 48
Re: Plug-in: zem_contact_reborn
Just parsed the thread. Was going to note that my site has always been a bit of a target – but two days after integrating zem_contact_reborn, spammers have been using it to use mime types to circumvent security.
Here’s a quick little patch I made (note that I’ve only slightly tested it right now – I haven’t had the time to audit the whole plugin):
<pre>
foreach ($zem_contact_form as $k => $v)
{
    // ssh_mime_patch_for_zem_contact_reborn
    // strict comparison so a match at offset 0 is also caught
    if (strpos($v, 'multipart/mixed') !== FALSE)
        die("No, I do not think so.");
    $msg[] = $k.': '.htmlspecialchars($v);
}
</pre>
This tests for MIME injection. It should probably be a better, global scope, but, as I said, this is just a quick ‘one off’ patch.
Edit: Ugh. I’m tired of editing this to make my code not get chewed up. I’m beginning to detest this forum. I want my BBCode and [code] tags.
—
alannie: There’s something wrong with your form, or your template logic. Make sure you make this template as a “Sticky”. Mine is just an unlinked static page. My thanks template – here’s the section logic:
Section name: thanks
Section title: thanks
Uses page: static_page
Uses Style: default
…
And, my static_page template logic:
…
<txp:article limit="1" form="static_article" status="sticky" />
…
Last edited by neptho (2006-02-10 08:10:58)
Offline
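The two defences raised in this thread, the hidden fields that must stay empty and the check for MIME content in submitted values, sketched together as an added example. This is not code from zem_contact_reborn; the function name and the field names are hypothetical, and the sample submissions are constructed.

```php
<?php
// Added example; field names below are hypothetical, not the plugin's.
const HEADER_FIELDS   = ['name', 'email', 'subject']; // values placed in mail headers
const HONEYPOT_FIELDS = ['website', 'fax'];           // hidden inputs a human leaves empty

/** Returns the reasons to reject a submission; an empty array means accept. */
function check_contact_submission(array $form): array
{
    $reasons = [];
    foreach (HONEYPOT_FIELDS as $trap) {
        if (isset($form[$trap]) && trim((string) $form[$trap]) !== '') {
            $reasons[] = "honeypot field '$trap' was filled in";
        }
    }
    foreach ($form as $key => $value) {
        $value = (string) $value;
        // CR or LF in a header-bound value would start a new header line.
        if (in_array($key, HEADER_FIELDS, true) && preg_match('/[\r\n]/', $value)) {
            $reasons[] = "line break in header field '$key'";
        }
        // Header-like lines or MIME markers in any field, matched
        // case-insensitively and at any offset (including offset 0).
        if (preg_match('/^\s*(content-type|mime-version|content-transfer-encoding|bcc)\s*:/mi', $value)
            || stripos($value, 'multipart/') !== false) {
            $reasons[] = "mail header or MIME marker in field '$key'";
        }
    }
    return $reasons;
}

// Constructed sample submissions.
$samples = [
    'ordinary message' => ['name' => 'Ann', 'email' => 'ann@example.com',
                           'subject' => 'Hello', 'message' => "Nice site.\nThanks!",
                           'website' => '', 'fax' => ''],
    'honeypot filled'  => ['name' => 'Bot', 'email' => 'bot@example.com',
                           'subject' => 'Hi', 'message' => 'Hi', 'website' => 'http://example.com'],
    'MIME in message'  => ['name' => 'X', 'email' => 'x@example.com', 'subject' => 'Hi',
                           'message' => "Content-Type: multipart/mixed; boundary=\"b\""],
    'CRLF in subject'  => ['name' => 'X', 'email' => 'x@example.com',
                           'subject' => "Hi\r\nBcc: someone@example.net", 'message' => 'Hi'],
];
foreach ($samples as $label => $form) {
    $reasons = check_contact_submission($form);
    echo $label, ': ', $reasons ? 'REJECT: ' . implode('; ', $reasons) : 'accept', "\n";
}
```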