#954 updates recaptcha
mentioned in issue #954
175 private function postCaptcha($recaptchaResponse) { 176 global $captchaConfig; 177 178 $fields_string = ''; 179 $fields = array( 180 'secret' => $captchaConfig['VTIGER_RECAPTCHA_PRIVATE_KEY'], 181 'response' => $recaptchaResponse 182 ); 183 foreach($fields as $key=>$value) { 184 $fields_string .= $key . '=' . $value . '&'; 185 } 186 187 $fields_string = rtrim($fields_string, '&'); 188 189 $ch = curl_init(); 190 curl_setopt($ch, CURLOPT_URL, 'https://www.google.com/recaptcha/api/siteverify'); @ruben.estrada - can you please use Vtiger_Net_Client instead?
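Review bot: in postCaptcha the request body is built by concatenating `$key . '=' . $value . '&'` without URL-encoding, so a response token or secret containing `&`, `=` or `+` would corrupt the request; build it with `http_build_query($fields)` (or hand the array to the HTTP client's POST method) instead, and check that `$captchaConfig['VTIGER_RECAPTCHA_PRIVATE_KEY']` is non-empty before sending so a missing secret fails closed rather than posting `secret=` to siteverify.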
175 private function postCaptcha($recaptchaResponse) { 176 global $captchaConfig; 177 178 $fields_string = ''; 179 $fields = array( 180 'secret' => $captchaConfig['VTIGER_RECAPTCHA_PRIVATE_KEY'], 181 'response' => $recaptchaResponse 182 ); 183 foreach($fields as $key=>$value) { 184 $fields_string .= $key . '=' . $value . '&'; 185 } 186 187 $fields_string = rtrim($fields_string, '&'); 188 189 $ch = curl_init(); 190 curl_setopt($ch, CURLOPT_URL, 'https://www.google.com/recaptcha/api/siteverify'); @ruben.estrada Below may be helpful, @prasad it requires openssl PHP extension, correct?
```php
protected function sendHttpClientRequest($url, $params, $method = 'GET', $headers = []) {
    require_once 'vtlib/Vtiger/Net/Client.php';
    $httpClient = new Vtiger_Net_Client($url);
    if (count($headers)) {
        $httpClient->setHeaders($headers);
    }
    switch ($method) {
        case 'POST':
            $response = $httpClient->doPost($params);
            break;
        case 'GET':
            $response = $httpClient->doGet($params);
            break;
        default:
            // Unsupported verb: return false instead of leaving $response undefined.
            $response = false;
    }
    return $response;
}
```
175 private function postCaptcha($recaptchaResponse) { 176 global $captchaConfig; 177 178 $fields_string = ''; 179 $fields = array( 180 'secret' => $captchaConfig['VTIGER_RECAPTCHA_PRIVATE_KEY'], 181 'response' => $recaptchaResponse 182 ); 183 foreach($fields as $key=>$value) { 184 $fields_string .= $key . '=' . $value . '&'; 185 } 186 187 $fields_string = rtrim($fields_string, '&'); 188 189 $ch = curl_init(); 190 curl_setopt($ch, CURLOPT_URL, 'https://www.google.com/recaptcha/api/siteverify'); 175 private function postCaptcha($recaptchaResponse) { 176 global $captchaConfig; 177 178 $fields_string = ''; 179 $fields = array( 180 'secret' => $captchaConfig['VTIGER_RECAPTCHA_PRIVATE_KEY'], 181 'response' => $recaptchaResponse 182 ); 183 foreach($fields as $key=>$value) { 184 $fields_string .= $key . '=' . $value . '&'; 185 } 186 187 $fields_string = rtrim($fields_string, '&'); 188 189 $ch = curl_init(); 190 curl_setopt($ch, CURLOPT_URL, 'https://www.google.com/recaptcha/api/siteverify'); @prasad ok, so replacing the
`postCaptcha` with something like Sutharsan's example would do it? @sutharsan thanks!
118 118 {/foreach} 119 119 </table> 120 120 {if $IS_CAPTCHA_ENABLED} 121 <div id="captchaField"></div> 122 <input type="hidden" id="captchaUrl" value="{$CAPTCHA_PATH}"> 123 <input type="hidden" id="recaptcha_validation_value" > 121 <script src="https://www.google.com/recaptcha/api.js" async defer></script> 122 <div class="g-recaptcha" data-sitekey="{$CAPTCHA_CONFIG['VTIGER_RECAPTCHA_PUBLIC_KEY']}" data-callback="enableSubmitBtn"></div> @ruben.estrada with this setup I am getting "reCAPTCHA placeholder element must be empty"
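Review bot: the added lines reference `data-callback="enableSubmitBtn"` but no `enableSubmitBtn` function is defined anywhere in this hunk, so the widget will log a missing-callback error and nothing will react to a solved captcha; define it in the template next to the widget. The removed lines 121-123 also drop the `recaptcha_validation_value` hidden input that appears to have carried the old captcha answer, so confirm the server-side check now reads the `g-recaptcha-response` field the v2 widget submits.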
mentioned in commit de70289c
118 118 {/foreach} 119 119 </table> 120 120 {if $IS_CAPTCHA_ENABLED} 121 <div id="captchaField"></div> 122 <input type="hidden" id="captchaUrl" value="{$CAPTCHA_PATH}"> 123 <input type="hidden" id="recaptcha_validation_value" > 121 <script src="https://www.google.com/recaptcha/api.js" async defer></script> 122 <div class="g-recaptcha" data-sitekey="{$CAPTCHA_CONFIG['VTIGER_RECAPTCHA_PUBLIC_KEY']}" data-callback="enableSubmitBtn"></div> @nilay.automatesmb it appears that, when generating the code and displaying it, some contents are appended inside the
`<div class="g-recaptcha" .../>` element: if you take a look you'll see that the code highlighted in blue is not present in `ShowForm.tpl`. I think it is being dynamically added by JS. I suppose that if you remove that part of the code, your form will work fine. However, I'm not sure how to avoid that code being added when it is displayed in vtiger. I think it needs to be generated, but only once the browser renders the form in your web page.
@prasad you have any idea?
@ruben.estrada captcha code is automatically generated and should not be removed. @nilay.automatesmb what is the errors you are getting?
@sutharsan yes, the code is automatically generated. But it should be generated once it is in your web page and not when being displayed in vtiger. The code you put in your web page should not have the highlighted code. That code needs to be generated dynamically once the contact form is rendered by your browser.
At least that is my understanding.
So this is again a security issue, I feel. The code is injected due to the inclusion of the recaptcha JS. When we click on the show form, the HTML which is inserted leads to the execution of the included script tags!
A small test: add console.log('js executed'); in the ShowForm.tpl and then click on the show form action in CRM, you would see the message being logged.
```html
<script src="https://www.google.com/recaptcha/api.js" async defer></script>
<div class="g-recaptcha" data-sitekey="{$CAPTCHA_CONFIG['VTIGER_RECAPTCHA_PUBLIC_KEY']}" data-callback="enableSubmitBtn"></div>
<script type="text/javascript">
    console.log('js executed');
</script>
```
118 118 {/foreach} 119 119 </table> 120 120 {if $IS_CAPTCHA_ENABLED} 121 <div id="captchaField"></div> 122 <input type="hidden" id="captchaUrl" value="{$CAPTCHA_PATH}"> 123 <input type="hidden" id="recaptcha_validation_value" > 121 <script src="https://www.google.com/recaptcha/api.js" async defer></script> 122 <div class="g-recaptcha" data-sitekey="{$CAPTCHA_CONFIG['VTIGER_RECAPTCHA_PUBLIC_KEY']}" data-callback="enableSubmitBtn"></div> callback function needs to be there .
Ideally the submit button should be disabled, and upon recaptcha it should get enabled.
Something similar to:
```html
{if $IS_CAPTCHA_ENABLED}
    <script src="https://www.google.com/recaptcha/api.js" async defer></script>
    <div class="g-recaptcha" data-sitekey="{$CAPTCHA_CONFIG['VTIGER_RECAPTCHA_PUBLIC_KEY']}" data-callback="enableSubmitBtn"></div>
    <script type="text/javascript">
        function enableSubmitBtn() {
            document.getElementById('submit').disabled = false;
        }
    </script>
    <input disabled="disabled" type="submit" value="Submit" id="submit">
{else}
    <input type="submit" value="Submit" id="submit">
{/if}
```
But we should also include a check about timeouts before enabling the submit button. So enableSubmitBtn needs some fine-tuning.
@nilay.automatesmb - please submit a revised MR if you have found the way.
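One way to add the timeout handling discussed above, as an added example that is not code from this MR or from vtiger. It assumes the widget is declared with `data-callback="enableSubmitBtn"` and `data-expired-callback="onCaptchaExpired"` (an option of the reCAPTCHA v2 widget), a submit button with `id="submit"`, and the two-minute lifetime of reCAPTCHA v2 response tokens.

```javascript
// Added example, not part of the MR: gate the contact-form submit button on a fresh
// reCAPTCHA token. Assumes the template declares the widget with
// data-callback="enableSubmitBtn" and data-expired-callback="onCaptchaExpired"
// and renders a submit button with id="submit". The TTL mirrors the two-minute
// lifetime of reCAPTCHA v2 tokens; the server-side siteverify call remains the
// real control, this only stops stale or premature submits in the browser.
const TOKEN_TTL_MS = 2 * 60 * 1000;

// submitButton is any object with a writable `disabled` flag (a DOM element in the
// page, a plain object in tests); `now` is injectable so expiry can be tested.
function createCaptchaGate(submitButton, now = () => Date.now()) {
  let issuedAt = null;           // when the current token arrived, null when none
  submitButton.disabled = true;  // start disabled: nothing is sent before a solve

  function onCaptchaExpired() {  // data-expired-callback: widget reports a timeout
    issuedAt = null;
    submitButton.disabled = true;
  }

  function enableSubmitBtn(token) {  // data-callback: widget passes the token
    if (typeof token !== 'string' || token.length === 0) {
      return false;              // never enable on an empty or malformed callback
    }
    issuedAt = now();
    submitButton.disabled = false;
    return true;
  }

  // Called from the form's submit handler; also re-disables the button when the
  // token aged out before the widget's own expired-callback fired (backgrounded tab).
  function canSubmit() {
    if (issuedAt === null) return false;
    if (now() - issuedAt > TOKEN_TTL_MS) {
      onCaptchaExpired();
      return false;
    }
    return true;
  }

  return { enableSubmitBtn, onCaptchaExpired, canSubmit };
}

// Browser wiring; skipped under Node so the gate logic runs stand-alone there.
if (typeof document !== 'undefined') {
  const button = document.getElementById('submit');
  const gate = createCaptchaGate(button);
  window.enableSubmitBtn = gate.enableSubmitBtn;   // names the data-* attributes use
  window.onCaptchaExpired = gate.onCaptchaExpired;
  button.form.addEventListener('submit', (e) => { if (!gate.canSubmit()) e.preventDefault(); });
}
```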
@prasad haven't found yet, working on it. Will update asap.
@ruben.estrada - please review this commit - special case handled for script tag inclusion.