I'm trying to find out why my clients regularly is getting empty entries on some of their forms.
At first I thought it was because they didn't have any "required" attributes on their input fields (they only had js-validation) so bots must have posted the forms but the problem still persist after I've added required attributes. They also have a recaptcha field who should block bots from spamming even if they were smart enough to bypass html5 validation.
One thing I find weird is that there's a hidden field that's populated via an api call to one of their services (they have a workflow that post the form to their CRM) and that field is also empty. That field should always be populated if you visit the page where the form is (the call is being made in Form.cshtml). I suspect that bots are posting the form without visiting the page in question.
Is there a way to add more security that I haven't thought about?
This is for Umbraco 12.3.6 with Forms 13.01 hosted in Umbraco cloud.
Since you've only talked about frontend validation so far:
Why don't you just add backend validation?
In the backend (the endpoint to which you transfer the data to the forms) you simply check whether all the "required" fields defined in the HTML are actually filled in (hardcoded most likely).
And you could say "if the hidden field is not filled in, do not process the data any further", or you could return an error message or whatever?
Sorry, my message was a little bit unclear I realize. With "Entries" I meant the Umbraco forms entries that you can see in the back office. Those are empty.
Those fields that are empty are those I added required-attribute to in the markup (I turned of javascript to test if the form would post anyway but the default html validation prevented that).
I am currently downloading Umbraco Forms because I have never used it before.
What I was getting at with my answer:
You wrote yourself that you can well imagine "bots" sending the form without even opening the page and filling in the input fields.
That's why it doesn't matter what you have defined in the frontend and whether JS is switched on or off. If I submit the form via Postman, the "required" attribute or other measures in the frontend won't help you either.
So my question is whether Umbraco Forms also performs backend validation for the fields marked as "required". So I mean whether it checks that the data has been entered and not left blank, in the backend where the data is sent to, not in the frontend. I don't know because I've never used Forms, so I'm downloading it right now. But I would say that there is no backend validation on the endpoint that receives the data. Otherwise Forms should not be saving the data.
It looks like there is a backend validation, although I would have been very surprised at the price if there wasn't one.
Just to be on the safe side:
You're talking about adding "required" to the markup. But "Mandatory" is selected for the fields in the form creation, yes?
In any case, I couldn't reproduce it (yet).
The only thing I noticed, and this may sound trivial:
You can enter "Empty" in, for example, a text field
Then the table also shows "Empty". However, if you then select the entry and "Empty" was entered manually, then "Empty" would also appear there. If it is really "Empty", there is nothing there.
Interesting. The forum apparently doesn't like it when you write "< Empty >" (without quotation marks). So everywhere I have "Empty", I actually meant "< Empty >" (without quotation marks).
Exactly, if "Mandatory" is set in backoffice then I add a required-attribute to the form.
Interesting regarding <Empty>, I have to try and see if it's indeed empty (if I submit "") or if it says <Empty>. Bloody bots submitting <Empty> just to mess with developers 😅
Oh, why can you write "< Empty>" and I can't ? :D
For me it always remains empty or the text is cut off. Well, be that as it may.
"Bloody bots submitting < Empty> just to mess with developers 😅"
To be honest, I'd find that very funny :D
But seriously, apart from that, I can't think of anything else right now.
I understood earlier that you set the "required" attribute manually in the frontend and not via the forms. But I'm still familiarising myself with Umbraco and seeing if we can use it at all. And I've never used Forms before (and I probably won't, but we simply don't need it).
Where exactly does it say "Empty"?
In the table you have in the screenshot above?
If so, it always seems to say "Empty" when a field is empty.
But when I (latest versions of Umbraco & Umbraco Forms) open a specific entry from this table (click on "Empty", for example), a new detail page opens. And I don't see "Empty" there, but simply an empty string "".
If you mean the detailed view of the entry and it also says "Empty", then that's strange. As I said, I can find an empty string "" there, not "Empty".
Umbraco forms - Empty entries
Hi
I'm trying to find out why my clients regularly is getting empty entries on some of their forms.
At first I thought it was because they didn't have any "required" attributes on their input fields (they only had js-validation) so bots must have posted the forms but the problem still persist after I've added required attributes. They also have a recaptcha field who should block bots from spamming even if they were smart enough to bypass html5 validation.
One thing I find weird is that there's a hidden field that's populated via an api call to one of their services (they have a workflow that post the form to their CRM) and that field is also empty. That field should always be populated if you visit the page where the form is (the call is being made in Form.cshtml). I suspect that bots are posting the form without visiting the page in question.
Is there a way to add more security that I haven't thought about?
This is for Umbraco 12.3.6 with Forms 13.01 hosted in Umbraco cloud.
Since you've only talked about frontend validation so far: Why don't you just add backend validation?
In the backend (the endpoint to which you transfer the data to the forms) you simply check whether all the "required" fields defined in the HTML are actually filled in (hardcoded most likely).
And you could say "if the hidden field is not filled in, do not process the data any further", or you could return an error message or whatever?
Hi Dominic
Sorry, my message was a little bit unclear I realize. With "Entries" I meant the Umbraco forms entries that you can see in the back office. Those are empty.
Those fields that are empty are those I added required-attribute to in the markup (I turned of javascript to test if the form would post anyway but the default html validation prevented that).
I am currently downloading Umbraco Forms because I have never used it before.
What I was getting at with my answer: You wrote yourself that you can well imagine "bots" sending the form without even opening the page and filling in the input fields. That's why it doesn't matter what you have defined in the frontend and whether JS is switched on or off. If I submit the form via Postman, the "required" attribute or other measures in the frontend won't help you either.
So my question is whether Umbraco Forms also performs backend validation for the fields marked as "required". So I mean whether it checks that the data has been entered and not left blank, in the backend where the data is sent to, not in the frontend. I don't know because I've never used Forms, so I'm downloading it right now. But I would say that there is no backend validation on the endpoint that receives the data. Otherwise Forms should not be saving the data.
I'm looking forward to see what you'll find!
It looks like there is a backend validation, although I would have been very surprised at the price if there wasn't one.
Just to be on the safe side: You're talking about adding "required" to the markup. But "Mandatory" is selected for the fields in the form creation, yes?
In any case, I couldn't reproduce it (yet). The only thing I noticed, and this may sound trivial: You can enter "Empty" in, for example, a text field
Then the table also shows "Empty". However, if you then select the entry and "Empty" was entered manually, then "Empty" would also appear there. If it is really "Empty", there is nothing there.
Interesting. The forum apparently doesn't like it when you write "< Empty >" (without quotation marks). So everywhere I have "Empty", I actually meant "< Empty >" (without quotation marks).
Exactly, if "Mandatory" is set in backoffice then I add a required-attribute to the form.
Interesting regarding <Empty>, I have to try and see if it's indeed empty (if I submit "") or if it says <Empty>. Bloody bots submitting <Empty> just to mess with developers 😅
Oh, why can you write "< Empty>" and I can't ? :D For me it always remains empty or the text is cut off. Well, be that as it may.
"Bloody bots submitting < Empty> just to mess with developers 😅"
To be honest, I'd find that very funny :D
But seriously, apart from that, I can't think of anything else right now. I understood earlier that you set the "required" attribute manually in the frontend and not via the forms. But I'm still familiarising myself with Umbraco and seeing if we can use it at all. And I've never used Forms before (and I probably won't, but we simply don't need it).
Hehe, you ned to write "ampersand lt;" and "ampersand gt;"
No, I set mandatory via Forms, but if the form element was mandatory I added a required field to the form field markup.
Just did a test with empty field in a form and they up having <Empty> as "values" in backoffice, so they are indeed empty.
Hey,
Where exactly does it say "Empty"? In the table you have in the screenshot above? If so, it always seems to say "Empty" when a field is empty. But when I (latest versions of Umbraco & Umbraco Forms) open a specific entry from this table (click on "Empty", for example), a new detail page opens. And I don't see "Empty" there, but simply an empty string "".
If you mean the detailed view of the entry and it also says "Empty", then that's strange. As I said, I can find an empty string "" there, not "Empty".
Exactly, in the table that I took a screen shot from. If I click on a row then all form submission items are empty (as in "") as well.
Did you find anything out whether Umbraco forms had some back-end validation as well?
is working on a reply...