On Wed, May 14, 2014 at 10:43 PM, Valdis Vītoliņš
<valdis.vitolins(a)odo.lv> wrote:
 Another idea which couldn't bother normal users for anonymous XWiki
 comments would be separation between GET/POST submits, because spammers
 mostly use GET instead of POST.

The add comment form uses POST so why do you say the spammers use GET?
Note that even if you 'forge' a GET request you still need to add the
CSRF token which you need to get from the HTML form. As for the
CommentAddAction that Thomas linked, it works indeed with both POST
and GET. Limiting the actions that modify the database to POST is
indeed a good thing.
Thanks,
Marius
 I couldn't find how the added comment request is handled on the server
 side though. I suspect it is not handled with Velocity scripts.
 Can you provide some directions?
 Thanks!
 Valdis
 _______________________________________________
 devs mailing list
 devs(a)xwiki.org
 http://lists.xwiki.org/mailman/listinfo/devs
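
Added example, not part of the original message and not XWiki's own code: a JDK-only sketch of the check discussed in the reply above, where actions that modify the database are accepted only over POST and only with the CSRF token issued with the HTML form. The class name, the action names in WRITE_ACTIONS and the method signatures are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Set;

public class WriteActionGate {
    // Hypothetical names for actions that modify the database.
    private static final Set<String> WRITE_ACTIONS = Set.of("commentadd", "save", "delete");

    enum Decision { ALLOW, REJECT_METHOD, REJECT_TOKEN }

    // Token stored in the session and embedded in the form as a hidden field.
    static String newToken() {
        byte[] raw = new byte[24];
        new SecureRandom().nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    static Decision check(String method, String action,
                          String sessionToken, String submittedToken) {
        if (!WRITE_ACTIONS.contains(action)) {
            return Decision.ALLOW;              // read-only action, nothing to enforce
        }
        if (!"POST".equals(method)) {
            return Decision.REJECT_METHOD;      // a GET must never change state
        }
        if (sessionToken == null || submittedToken == null) {
            return Decision.REJECT_TOKEN;       // token missing on either side
        }
        // Constant-time comparison of the form token against the session token.
        boolean same = MessageDigest.isEqual(
                sessionToken.getBytes(StandardCharsets.UTF_8),
                submittedToken.getBytes(StandardCharsets.UTF_8));
        return same ? Decision.ALLOW : Decision.REJECT_TOKEN;
    }

    public static void main(String[] args) {
        String token = newToken();              // constructed sample session token
        System.out.println(check("GET", "view", token, null));
        System.out.println(check("GET", "commentadd", token, token));
        System.out.println(check("POST", "commentadd", token, null));
        System.out.println(check("POST", "commentadd", token, "guess"));
        System.out.println(check("POST", "commentadd", token, token));
    }
}
```

The method check runs before the token check, so a GET carrying a valid token is still refused and the token never has to travel in a URL.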