How big of an issue is this any more? Does this change if we require
accept-charset="UTF-8" on all our forms? Just wondering if we need to
carry this into 3.0.
The problem is that badly behaving clients will behave badly
regardless of what accept-charset says. So I'd rather keep it. There
are still plenty of broken clients out there.
2) An input field with a random name. This means that a bot will need to
actually GET the form first and parse it out before it can send
syntactically correct POSTs. This is a LOT more effort than just simply
looking at the fields once and crafting your auto-poster to conform.
This feels like a fairly standard anti-CSRF approach, although you
didn't call it that per se.
No, 'cos I thought about it before I heard about CSRF ;-)
That is an interesting approach! It's a "honey pot" field,
essentially. That's a little less amenable to a framework-level fix,
unless we patch the Stripes FormTag class. If not, a simple custom Tag
class would probably be better than the inline scriptlet stuff we are
doing now.
Well, we could have a simple <wiki:SpamFilterFields /> in there
somewhere which could insert all of these.
/Janne
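The random-named field and the honeypot field discussed in this thread, as an added example in Python (not JSPWiki's or Stripes' own code): the server issues a fresh random field name on every GET, stores it against the session, and accepts a POST only if that field comes back and the hidden honeypot stays empty. The in-memory store, the field names and the form markup are constructed for illustration.

```python
import re
import secrets
from urllib.parse import parse_qs

# Constructed in-memory store: session id -> random field name issued with the
# last rendered form. A real deployment would keep this in the HTTP session.
FIELD_STORE: dict[str, str] = {}
# Honeypot: hidden by CSS so humans never fill it; an auto-poster that fills
# every field it saw once will trip it.
HONEYPOT = "website"

def issue_form(session_id: str) -> str:
    """Render the form with a random-named required field plus the honeypot."""
    name = "f_" + secrets.token_hex(8)
    FIELD_STORE[session_id] = name
    return (
        '<form method="post" accept-charset="UTF-8">\n'
        f'  <input type="hidden" name="{name}" value="1">\n'
        '  <textarea name="text"></textarea>\n'
        f'  <input type="text" name="{HONEYPOT}" style="display:none" autocomplete="off">\n'
        '</form>'
    )

def field_name_from_form(html: str) -> str:
    """What a client learns only by actually fetching and parsing the form."""
    return re.search(r'name="(f_[0-9a-f]{16})"', html).group(1)

def validate_post(session_id: str, body: str) -> tuple[bool, str]:
    """Accept a POST only if it carries the field issued to this session
    and the honeypot is empty. The issued name is consumed on first use,
    so a replayed body is rejected and each GET yields a new name."""
    expected = FIELD_STORE.pop(session_id, None)
    fields = parse_qs(body, keep_blank_values=True)
    if any(v.strip() for v in fields.get(HONEYPOT, [])):
        return False, "honeypot filled"
    if expected is None:
        return False, "no form issued for session"
    if fields.get(expected) != ["1"]:
        return False, "random-named field missing"
    return True, "ok"
```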