On Fri, Mar 11, 2011 at 7:13 PM, Remigiusz Modrzejewski <l...@maxnet.org.pl> wrote:
> Bah, doesn't matter. In fact solving the ascii-art captcha is just
> negligibly harder than ripping the value out of the js snippet (both a lot
> easier than actually doing js). Anyhow the only viable solution would be to
> include an actual captcha (a thing that I've been thinking of for a long
> time).
>

A few years ago i added a text-based captcha to my blog, and since then not one bot has posted there. It simply relies on muddling up the captcha text with "invisible" HTML. e.g. if the text is CAPTCHA it might be muddled like:

    <span>C</span> <span>A</span> ...

Fossil's approach is, IMO, stronger, but the captcha text is, as you mention, encoded in the embedded JS as well:

    <input type="button" value="Fill out captcha"
      onclick="document.getElementById('u').value='anonymous';
               document.getElementById('p').value='c098fdac';" />

Obviously, it's easy to hack around if you know what you're looking for but so far nobody has bothered (much to my joy and surprise). One commenter on my blog once threatened to crack it, but no spam ever arrived.

That said, i don't think the captcha was the problem here (it was only a matter of time before bots became script-kiddies), but that my reader user had write access (which i _believe_ was the default, as i don't remember ever tinkering with that user).

--
----- stephan beal
http://wanderinghorse.net/home/stephan/
_______________________________________________
fossil-users mailing list
fossil-users@lists.fossil-scm.org
http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users