Validate form content with API call (Akismet alternatives)

Matt_K · July 5, 2022, 7:24am

Has anyone here successfully used the Akismet API to validate form submissions?

From what I can see, they require datapoints that aren’t typically available for a server-less setup (such as user IP, referrer)

Is there an alternative that I can use purely with what is doable using client-side JavaScript?

I’m using a honeypot field already, but some clever spam still gets through. I don’t want to use reCaptcha.

I’m looking to cut down on form spam, without using a third-party form handler.

Any tips?

Thanks,

Matt

frjo · July 5, 2022, 12:08pm

I use a combination of honeypot field and disabling form submit until key press or mouse/touch event. Works surprisingly well.

The only downside is that the form will not work without JavaScript.

I use this for the contact form in my Hugo Zen theme.

github.com

frjo/hugo-theme-zen/blob/main/assets/js/contact.js

/**
 * @file
 * A JavaScript file for the contact form.
 */

(function ($) {

  'use strict';

  // Contact form.
  $('.contact-form').each(function (e) {
    var $contact_form = $(e);
    var $contact_button = $contact_form.find('.form-submit');
    var contact_action = '/php/contact.php';

    // Display the hidden form.
    $contact_form.removeClass('hidden');

    // Wait for a mouse to move, indicating they are human.
    $('body').on('mousemove', function () {

This file has been truncated. show original

A live version of the form Contact – xdeb.net

Matt_K · July 5, 2022, 3:53pm

thanks for the code, I’ll give that a shot!

tut · July 6, 2022, 10:46am

Is this jQuery?

frjo · July 6, 2022, 12:29pm

Almost, been using https://umbrellajs.com that is more or less a light weight version of jQuery.

frjo · July 6, 2022, 2:12pm

The concept can easily be implemented in vanilla JS.

tut · July 6, 2022, 2:24pm

Your solution actually worked. Switched to Formspree.

Matt_K · July 6, 2022, 5:14pm

I’ve only implemented the submit button locking code (not the form hiding part) from frjo’s suggestion, and that is working great already:

// Unlock the submit button if mouse is moved (desktop)
window.addEventListener('mousemove', function () {    
    document.getElementById("submitBtn").disabled = false;
});

// Unlock the submit button if touchscreen is dragged (mobile)
window.addEventListener('touchmove', function () {    
    document.getElementById("submitBtn").disabled = false;
});

// Unlock the submit button if tab or enter is pressed (keyboard)
window.addEventListener('keydown', function (e) {    
    if ((e.key === "Enter") || (e.key === "Tab")) {
        document.getElementById("submitBtn").disabled = false; 
        // console.log(e.key);
    }
});

Some (but very little) spam gets through. What has worked great for the remaining spam, is cycling through the POST values before sending them, and do a simple check for a URL in any fields that shouldn’t naturally contain any (since most spam wants you to click on a URL, which will only show up as a blue link if it contains http:// or https://):

// for spam, check if string contains a URL
function containsUrl (content) {
  
  return (/(https?:?\/\/)/.test(content));

}

That simple check has worked great also. Obviously proceed with caution and only apply to fields that really would not contain URLs naturally. Thanks again frjo!