Hi all,

I love the possibilities of the WFB including the ability to use a dropdown contact list to allow a choice of recipients. However there is one thing I'm less happy with: all the email addresses show up in the source code making them available to spambots/email harvesters.

Does anyone have an idea on how to remove the email addresses from the source code? I was thinking about using a simple replacement number for each recipient which would than be matched up with the correct email address in a separate php file.

I'm not an expert on the way forms are handled and can't really find where in the files I would have to add the conversion code, but maybe someone here can point me in the right direction?

I appreciate the help.

Thanks,

Ben

Haven't tried this myself, but it should work. Will take a bit to set up but hey, security is everything sometimes!
http://www.fingerlakesbmw.org/main/flobfuscate.php

Might be other ways to do this. Watch this thread in case someone else jumps in.

Thanks Gunsmoke. It tried but it doesn't work as it doesn't pass validation. I get a "doesn't have a valid value" warning on the contact list field.

It shouldn't be too difficult for the CoffeeCup designers to make the form more secure? Maybe someone else has an idea?

Thanks,

Ben

You'd be surprised. It seems as if something like this should be simple, but it probably isn't.

1. They would have to set up a whole extra section of the software where users associate the input values with the email addresses.

2. They have to write the php code that will match the values to the associated email address into the output files.

3. They also have to write the programming code that puts all the data we entered into the output code.

4. During the whole process, CC would have to try to think of all the ways users might do something wrong and then add programming to compensate for it.

5. The hardest part of this programming, in my opinion, is CC would need to do it in such a way that novice users would not get too frustrated during the learning process. I've had to do programming like that before. It's very hard.

Honestly, it's an arduous process that I'm thankful I don't have to do.

I know you're not the first to ask about the security on email addresses in a contact list drop down setup, maybe go over to the Suggestions thread for the Form Builder and add your voice there so that the CC devs are aware of one more person that is concerned about this issue and let them know that it's truly wanted. That's the only way to be sure that it "might" become something they work on. Posting here is great and gets good feedback, but doesn't always make it to the Dev's screens. Good luck on it as I too am behind you on this one as well.

Thank you for chiming in, Jo Ann. It's a shame to see such a great tool have such a security flaw (if I'm allowed to say that ).

I did mention this security issue directly to CC customer service in 2012 and it was mentioned then that it would be put on the todo list. Apparently it didn't make it on the list or it's way down at the bottom of the list as after almost 3 years it still hasn't been resolved. A tad slow for a security issue, if I may say so. Funny thing is that I started receiving several advertising emails about purchasing WFB after I posted this here. Especially since I had done so already.

Anyway, I was able to figure out how the contact list feature works and find a work around to making it safer by hiding all the real email addresses and putting a blackhole email address in the source code.

All in all it isn't too complicated as soon as you know where to look. Actually quite an easy fix that, with a little adaptation, could all be done in the background without having to change the WFB interface or user experience.

Rgds,

Ben

Hey Ben, how about posting that fix in case it'll help other users? Thanks!

Just an FYI to all, this issue has been fixed for version 2.5 and we expect to release that in the next few weeks. And before you ask, no comments on what else will be included.

WOW! Should have had a V8!!