Last modified by Agnease on 2026/06/16 17:18

From version 16.56
edited by Agnease
on 2026/06/16 17:09
Change comment: There is no comment for this version
To version 16.57
edited by Agnease
on 2026/06/16 17:18
Change comment: There is no comment for this version

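--- a/Content
+++ b/Content
@@ -3,56 +3,113 @@
 #set ($statusCode = 400)
 #set ($message = 'The request could not be sent. Please try again or contact Agnease by email at alex@agnease.com.')
 
+#set ($className = 'Agnease.Code.ContactRequest.ContactRequestClass')
+#set ($allowedProperties = [
+'scope',
+'alreadyUseXWiki',
+'name',
+'email',
+'hosting',
+'customDevelopment',
+'timeline',
+'users'
+])
+
 #set ($name = '')
 #set ($email = '')
 #set ($scope = '')
-## Fields to help preventing bots filled forms.
 #set ($contactWebsite = '')
 #set ($startedAtRaw = '')
 
+## Extract only the values we need for validation.
 #foreach ($parameterName in $request.parameterNames)
 #set ($propertyParts = $parameterName.split('_0_'))
 #if ($propertyParts.size() > 1)
-#set ($propertyName = $parameterName.split('_0_')[1])
+#set ($propertyName = $propertyParts[1])
+#set ($propertyValue = $stringtool.trim($request.get($parameterName)))
+
 #if ($propertyName == 'name')
-#set ($name = $stringtool.trim($request.get($parameterName)))
+#set ($name = $propertyValue)
 #elseif ($propertyName == 'email')
-#set ($email = $stringtool.trim($request.get($parameterName)))
+#set ($email = $propertyValue)
 #elseif ($propertyName == 'scope')
-#set ($scope = $stringtool.trim($request.get($parameterName)))
+#set ($scope = $propertyValue)
 #elseif ($propertyName == 'contactWebsite')
-#set ($contactWebsite = $stringtool.trim($request.get($parameterName)))
+#set ($contactWebsite = $propertyValue)
 #elseif ($propertyName == 'contactStartedAt')
-#set ($startedAtRaw = $stringtool.trim($request.get($parameterName)))
+#set ($startedAtRaw = $propertyValue)
 #end
 #end
 #end
 
-#if ("$!startedAtRaw" != '')
+#set ($spamScore = 0)
+
+## Honeypot: real users should never fill this field.
+#if ("$!contactWebsite" != '')
+#set ($spamScore = $spamScore + 5)
+#end
+
+## Submission timing check.
+#if ("$!startedAtRaw" == '')
+## The field is expected from the real form, so missing it is suspicious.
+#set ($spamScore = $spamScore + 2)
+#else
 #set ($startedAt = $numbertool.toNumber($startedAtRaw))
-#set ($now = $datetool.systemDate.time)
-#set ($elapsed = $now - $startedAt)
+#if ("$!startedAt" == '')
+#set ($spamScore = $spamScore + 2)
+#else
+#set ($now = $datetool.systemDate.time)
+#set ($elapsed = $now - $startedAt)
 
-## Reject submissions faster than 10 seconds.
-#if ($elapsed > 0 && $elapsed < 10000)
-#set ($statusCode = 400)
-#set ($message = 'Please take a moment to describe your XWiki request before submitting.')
+## Reject very fast submissions.
+#if ($elapsed > 0 && $elapsed < 10000)
+#set ($spamScore = $spamScore + 3)
+#end
 #end
-#elseif ("$!contactWebsite.trim()" != '')
-#set ($statusCode = 400)
-#set ($message = 'The request could not be sent. Please try again or contact Agnease by email.')
-#elseif ("$!name" == '' && "$!email" == '')
-#set ($statusCode = 400)
+#end
+
+## Random-looking name: long single token.
+#if ($name.length() >= 16 && !$name.contains(' '))
+#set ($spamScore = $spamScore + 2)
+#end
+
+## Random-looking project description: long single token.
+#if ($scope.length() >= 12 && !$scope.contains(' '))
+#set ($spamScore = $spamScore + 2)
+#end
+
+## Suspicious email local part with many dots and tiny fragments.
+#set ($emailParts = $email.split('@'))
+#if ($emailParts.size() == 2)
+#set ($localPart = $emailParts[0])
+#set ($localFragments = $localPart.split('\.'))
+#set ($dotCount = $localFragments.size() - 1)
+#set ($oneCharFragments = 0)
+
+#foreach ($fragment in $localFragments)
+#if ($fragment.length() == 1)
+#set ($oneCharFragments = $oneCharFragments + 1)
+#end
+#end
+
+#if ($dotCount >= 4 && $oneCharFragments >= 3)
+#set ($spamScore = $spamScore + 2)
+#end
+#else
+#set ($spamScore = $spamScore + 2)
+#end
+
+## Human-facing validation.
+#if ("$!name" == '' && "$!email" == '')
 #set ($message = 'Please enter your name and email.')
 #elseif ("$!name" == '')
-#set ($statusCode = 400)
 #set ($message = 'Please enter your name.')
 #elseif ("$!email" == '')
-#set ($statusCode = 400)
 #set ($message = 'Please enter your email address.')
 #elseif ("$!scope" == '' || $scope.length() < 30)
-#set ($statusCode = 400)
 #set ($message = 'Please add a short description of your XWiki project, question or issue.')
+#elseif ($spamScore >= 3)
+#set ($message = 'The request could not be sent. Please add a clearer description of your XWiki request or contact Agnease by email.')
 #else
 #try('contactException')
 #set ($now = $datetool.get('yyyyMMddHHmm'))
@@ -59,12 +59,17 @@
 #set ($random = $mathtool.random(100000, 999999))
 #set ($uniqueName = "ContactRequest-${now}-${random}")
 #set ($contactRequestDoc = $xwiki.getDocumentAsAuthor('ContactRequests.' + $uniqueName))
-#set ($contactRequestObj = $contactRequestDoc.getObject('Agnease.Code.ContactRequest.ContactRequestClass', true))
+#set ($contactRequestObj = $contactRequestDoc.getObject($className, true))
 
+## Save only known ContactRequest fields.
 #foreach ($parameterName in $request.parameterNames)
-#set ($propertyName = $parameterName.split('_0_')[1])
-#if ($propertyName != 'contactWebsite' && $propertyName != 'contactStartedAt')
-#set ($discard = $contactRequestObj.set($propertyName, $request.get($parameterName)))
+#set ($propertyParts = $parameterName.split('_0_'))
+#if ($propertyParts.size() > 1)
+#set ($propertyName = $propertyParts[1])
+
+#if ($allowedProperties.contains($propertyName))
+#set ($discard = $contactRequestObj.set($propertyName, $request.get($parameterName)))
+#end
 #end
 #end
 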
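Review bot: The `$spamScore >= 3` branch (new line 112) answers with a message that differs both from the generic failure text set on line 4 and from the field-validation messages, so an automated sender can tell a heuristic rejection apart from the other outcomes and keep varying its input until the score drops below the threshold; drop the `#set ($message ...)` in that branch so the default message from line 4 is returned, and keep any detail about which heuristic fired server-side (a log line or a field on the saved object) rather than in the response. The timing check on new lines 61-66 only scores an elapsed time strictly between 0 and 10000 ms while `contactStartedAt` is client-supplied, so a timestamp in the future or far in the past is never scored; unless the `> 0` guard was meant to tolerate client clock skew, `#if ($elapsed < 10000)` would cover both cases. In the save loop (second hunk) the stored value is the untrimmed `$request.get($parameterName)` whereas every check above ran on the trimmed value, so the object can be saved with leading or trailing whitespace that the validation never saw; storing `$stringtool.trim($request.get($parameterName))` would keep the two consistent. The `#else` / `#try('contactException')` block that encloses the second hunk closes outside it.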