Prevent ajax form submission from console
In my case the form is for redeeming a rebate, so such a submission would create a vulnerability as even though there is an admin issuing the actual rebates, a confirmation email sent to a fraudulent user would create a claim for rebate, and extra validation/verification work.
Do I need to add another level of validation and can it still be ajax?
What you are doing likely should be its own custom question type that sends/saves a random code to the logged in user on form submit (only logged in users can use it; this ensures that the email it is sent to is valid and not hacked). Then a single page with controller to redeem only once and mark that code as "used".
We would likely charge $350 to create this functionality for you.
I by no means have a grasp on all the proforms code, so I might be missing something.
I think this is doable. Although, this is not something I will get to within the next day or so.
Not inventing anything here, just looking at the advanced forms implementation: they have the action of the form set to a helper in the /tools which validates and saves if the validation passes, and they ajax to that helper (in the view.php). That seems to solve the console issue, for even if you make a fancy ajax call with data, more meaningful validation can be developed in the helper as needed.
Other than that I think proform has a huge advantage of doing everything the concrete5 way, with attributes etc and I want to use it for the proj
Hope I make sense and am not wasting your time.
Anybody who is interested and needs advanced security/validation in post can extend the validate_post function in the block controller.
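The one-time code flow suggested earlier in this thread (a random code issued to the logged-in user on submit, redeemed once and then marked "used"), as an added example that is not ProForms or concrete5 code and was not posted by any participant. The table, column and function names are hypothetical, and in-memory SQLite stands in for the site database.

```php
<?php
// Added example: one-time rebate codes enforced on the server (not ProForms code).
// Table, column and function names are hypothetical; SQLite in memory stands in
// for the site database.

function open_store(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE rebate_codes (
        code_hash TEXT PRIMARY KEY,
        user_id   INTEGER NOT NULL,
        used_at   INTEGER NULL
    )');
    return $db;
}

// Called on form submit for a logged-in user; the returned code is e-mailed
// to the address already on file for that user.
function issue_code(PDO $db, int $userId): string {
    $code = bin2hex(random_bytes(16));                // 128 bits from the CSPRNG
    $stmt = $db->prepare('INSERT INTO rebate_codes (code_hash, user_id) VALUES (?, ?)');
    $stmt->execute([hash('sha256', $code), $userId]); // store only the hash
    return $code;
}

// Called by the redeem page's controller. Succeeds at most once per code.
function redeem_code(PDO $db, int $userId, string $code): bool {
    if (!preg_match('/\A[0-9a-f]{32}\z/', $code)) {
        return false;                                 // reject malformed input early
    }
    // One conditional UPDATE makes "check unused" and "mark used" a single atomic
    // step, so two parallel requests with the same code cannot both succeed.
    $stmt = $db->prepare('UPDATE rebate_codes SET used_at = ?
                          WHERE code_hash = ? AND user_id = ? AND used_at IS NULL');
    $stmt->execute([time(), hash('sha256', $code), $userId]);
    return $stmt->rowCount() === 1;
}

// Constructed demo data: user 42 submits the form, then requests hit the redeem page.
$db   = open_store();
$code = issue_code($db, 42);
var_dump(redeem_code($db, 7, $code));                 // another user's session
var_dump(redeem_code($db, 42, $code));                // owner, first use
var_dump(redeem_code($db, 42, $code));                // replay, e.g. from the console
var_dump(redeem_code($db, 42, str_repeat('0', 32)));  // guessed code
```

Because every check runs in the request handler, it applies the same way whether the request comes from the form's own ajax call or is hand-built in the browser console.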