Thread: Users can bypass field requirements and format restrictions when submitting ads

Users can bypass field requirements and format restrictions when submitting ads

Here is how you can reproduce this bug, still present in CP 3.3.3 although it was reported prior to the release of 3.3.1 (here).

Go to a ClassiPress site. You can use the AppThemes demo site to witness the bug, although they don't allow posting of actual ads so you won't be able to do the final step.

1. Start creating a new ad. Select a category (e.g. Auto > Boats > Sail boats).

2. Notice “Title”, “Price”, “State” , “City”, and “Description” are required (the fields have asterisks).

3. Fill out all of those fields except for “Price” (leave that one blank).

4. Use a live HTML inspector (e.g. in FireFox, right-click the “Price” field and press “Q”; or use Firebug) to remove the “required” class from the “cp_price” <input> element. See screenshot below:

edit-html.png

5. Click the “Continue” button to submit the form.

6. Notice the “Price” field is empty in the “Review Your Listing” page (see screenshot below). Whatever server-side validation was done to the field didn’t catch it.

review-listing.png

Final Step:

Since the ClassiPress demo site won’t allow visitors to post ads, I performed the above steps on another ClassiPress-based site I found online. I was able to post an ad without a required price.

ad-without-price.png

Another way to say this: AppThemes is relying on CLIENT-SIDE validation instead of SERVER-SIDE validation before inserting data into the database. Users can circumvent our custom field rules using the steps above.