JavaScript Captcha

Comment spam recently started annoying me, again. Even though it only takes a few clicks to kill, some crappy robot is still taking up my time. Archreality has a nice little JavaScript-based Captcha which has the potential to be completely useless as you can see if you click here.

However, I think I've managed to plug it into PyBlosxom and have it be useful. The trick was to make the form submission write a hidden field value in the form with a password after passing the Captcha test.

So, you set up your form like this:

<form action="$base_url/$file_path.html" method="post"
name="comments_form" id="comments_form"
onsubmit="try {
           var myValidator = validate_comments_form;
          } catch(e) { return true; }
         return myValidator(this);
         "
>
 ... blah ...
 <input type="hidden" name="secret" value="" />
 ... blah ...
</form>

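Then in validate_comments_form do something like:

function validate_comments_form(frm) {
  // jcap() comes from the Captcha script and returns true when the test passes
  var captcha = jcap();
  if (captcha) {
    // only a passed test fills in the hidden field the server checks
    frm.elements['secret'].value = "you_may_pass";
  }
  return captcha;
}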

Then, finally, modify comments.py from PyBlosxom to check for this value in cb_prepare.

def cb_prepare(args):
    # ... somewhere near the top, once form is available ...
    # captcha: drop the comment unless the hidden field carries the expected value
    if 'secret' not in form:
        return False
    if form['secret'].value != 'you_may_pass':
        return False

Now, if the spammer is human they will pass anyway, so we don't have to worry about that. Any bot stupidly submitting the form won't have filled out the secret key, so will get dropped. If the bot somehow interprets the JavaScript, then it's going to have to have enough logic to somehow parse the code and realise it needs to put in that secret value for anything to happen. If your bot can do that then I'm willing to let your spam remain.
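The check above compares against one fixed string that sits in the page's script, so a value read once keeps working on every later request. A variant, added here as an example and not part of the original post or of PyBlosxom, has the server issue a signed, time-limited value for the script to copy into `secret`; `SERVER_KEY`, `MAX_AGE`, `entry_id`, `issue_token` and `check_token` are hypothetical names, and how the template embeds the token is left as an assumption.

```python
import hashlib
import hmac
import time

# Assumption: a per-site key stored outside the templates (placeholder value).
SERVER_KEY = b"replace-with-a-random-per-site-key"
MAX_AGE = 3600  # seconds a rendered comment form stays valid


def _sign(entry_id, ts):
    """HMAC over the entry and the issue time, so a token is tied to both."""
    msg = f"{entry_id}|{ts}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_token(entry_id, now=None):
    """Value the page embeds; the validator copies it into 'secret' on success."""
    ts = str(int(time.time() if now is None else now))
    return f"{ts}:{_sign(entry_id, ts)}"


def check_token(entry_id, token, now=None):
    """True only for a token issued for this entry and still inside MAX_AGE."""
    now = time.time() if now is None else now
    ts, sep, sig = (token or "").partition(":")
    if not sep or not (ts.isascii() and ts.isdigit()):
        return False
    # Compare as bytes in constant time; arbitrary submitted text cannot raise here.
    if not hmac.compare_digest(_sign(entry_id, ts).encode(), sig.encode()):
        return False
    age = now - int(ts)
    return 0 <= age <= MAX_AGE


if __name__ == "__main__":
    # Constructed sample: one entry id, one token, checked ten seconds later.
    tok = issue_token("entry-1", now=1000)
    print(check_token("entry-1", tok, now=1010))             # fresh token
    print(check_token("entry-1", "you_may_pass", now=1010))  # fixed string
```

In `cb_prepare` the comparison against `'you_may_pass'` would become a call to `check_token` with the submitted field value. A bot that runs the page's script still passes, as with the fixed string; what changes is that a captured value expires and cannot be reused on another entry.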

I don't like the fact that these things lock out people without great eyesight. I don't see why an alt tag with "Put the value blah into the next box" wouldn't be sufficient, but currently it writes the image in with JavaScript so I don't know how that would work with a screen reader. In the todo list...