I have a form to which I decided to add Google recaptcha as an added measure of security.
When I added the recaptcha, it triggers an error because the recaptcha is not whitelisted.
I read that HTML5 does not allow assigning the name attribute to a div, i.e. <div name="myName"></div>.
Against convention, I tried adding a name attribute to the recaptcha div and adding that name to the whitelist. That approach failed.
There is an iframe within the recaptcha div that has the name attribute. I tried using the iframe name in the whitelist. That approach also failed.
There is a hidden input that has an id="recaptcha-token". I added 'recaptcha-token' to the whitelist. This approach also failed.
The hidden input is generated by the recaptcha api, so I don't think I have a means of assigning a name attribute to this input.
Does anyone have a workaround or suggestion?
Note: form validation and whitelist all worked as expected prior to adding recaptcha.
Recaptcha works as expected if I eliminate the whitelisting of the form inputs.
This is the div within the form:
<div class="row">
    <div class="col-md-12">
        <div class="g-recaptcha" data-sitekey="<?php print $public_key;?>"></div>
    </div>
</div>
There is a hidden input within the form that contains a token. This input and token are completely separate from the Google Recaptcha. However, this token must be verified before the form inputs are compared to the $whitelist.
Here are the code blocks:
<?php
session_start(); // the per-form token is kept in the session

$errors = [];

// Compare the token stored in the session with the one posted with the form.
// $errors is passed by reference so the messages are visible to the caller
// (a local $errors[] inside the function would be discarded on return).
function verifyFormToken($form, array &$errors) {
    if (!isset($_SESSION[$form.'_token'])) {
        $errors[] = 'Session not set and no token';
        return false;
    }
    if (!isset($_POST['token'])) {
        $errors[] = 'No form token was sent!<br>';
        return false;
    }
    if ($_SESSION[$form.'_token'] !== $_POST['token']) {
        $errors[] = 'tokens don\'t match!<br>';
        return false;
    }
    return true;
}

// VERIFY LEGITIMACY OF TOKEN
if (verifyFormToken('form1', $errors)) {
    // Build a whitelist of form inputs
    $whitelist = array('token','req-fName','req-lName','req-email','req-phone','req-address','req-city','req-state','req-zip','req-message','req_method','req-dateDepart','req-dateReturn','recaptcha-token','submit');
    foreach ($_POST as $key => $item) {
        if (!in_array($key, $whitelist)) {
            writeLog('Unknown form fields'); // application's own logging helper, not shown here
            die('Hack-Attempt detected. Only the fields originally included in the form are allowed!');
        }
    }
}
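As an added example (not the asker's code), here is the whitelist check written around the field the reCAPTCHA v2 widget actually submits with the parent form, `g-recaptcha-response`, together with the server-side siteverify call that proves the widget was completed. It assumes the `id="recaptcha-token"` input lives inside the widget's iframe and is therefore never posted; `PLACEHOLDER_SECRET_KEY`, `unknownFormFields` and `verifyRecaptcha` are names chosen for this example.

```php
<?php
// Added example, not the asker's code. Assumes reCAPTCHA v2: the widget injects a
// g-recaptcha-response field into the parent form; the id="recaptcha-token" input
// sits inside the widget's iframe and never reaches $_POST.

// Return the posted keys that are not in the whitelist (empty array = all good).
function unknownFormFields(array $post, array $whitelist) {
    return array_values(array_diff(array_keys($post), $whitelist));
}

// Ask Google's siteverify endpoint whether the widget token is valid for our secret.
function verifyRecaptcha($secret_key, $response, $remote_ip) {
    if ($response === '') {
        return false; // widget not completed, nothing to verify
    }
    $context = stream_context_create(array('http' => array(
        'method'  => 'POST',
        'header'  => "Content-Type: application/x-www-form-urlencoded\r\n",
        'content' => http_build_query(array(
            'secret'   => $secret_key,
            'response' => $response,
            'remoteip' => $remote_ip,
        )),
        'timeout' => 5,
    )));
    $body = @file_get_contents('https://www.google.com/recaptcha/api/siteverify', false, $context);
    if ($body === false) {
        return false; // network failure: fail closed rather than accept the form
    }
    $result = json_decode($body, true);
    return isset($result['success']) && $result['success'] === true;
}

// The asker's whitelist with the widget's real field name in place of recaptcha-token.
$whitelist = array('token','req-fName','req-lName','req-email','req-phone','req-address','req-city','req-state','req-zip','req-message','req_method','req-dateDepart','req-dateReturn','g-recaptcha-response','submit');

$unknown = unknownFormFields($_POST, $whitelist);
if ($unknown) {
    error_log('Unknown form fields: ' . implode(',', $unknown)); // log names, never values
    die('Only the fields originally included in the form are allowed!');
}

$captcha = isset($_POST['g-recaptcha-response']) ? $_POST['g-recaptcha-response'] : '';
if (!verifyRecaptcha('PLACEHOLDER_SECRET_KEY', $captcha, $_SERVER['REMOTE_ADDR'])) {
    die('reCAPTCHA verification failed.');
}
```

The secret key is the server-side key paired with the site key in `data-sitekey`; the whitelist check runs first so an unexpected field is rejected before any network call is made.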