Added form key validation to Contacts form

OpenMage · Apr 5, 2023 · b5835c8 · b5835c8
1 parent fa2b8c3
commit b5835c8
Show file tree

Hide file tree

Showing 4 changed files with 19 additions and 14 deletions.
diff --git a/app/code/core/Mage/Contacts/controllers/IndexController.php b/app/code/core/Mage/Contacts/controllers/IndexController.php
@@ -59,25 +59,24 @@ public function postAction()
             /** @var Mage_Core_Model_Translate $translate */
             $translate->setTranslateInline(false);
             try {
+                if (!$this->_validateFormKey()) {
+                    Mage::throwException($this->__('Invalid Form Key. Please submit your request again.'));
+                }
+
                 $postObject = new Varien_Object();
                 $postObject->setData($post);
 
                 $error = false;
-
                 if (!Zend_Validate::is(trim($post['name']), 'NotEmpty')) {
                     $error = true;
-                }
-
-                if (!Zend_Validate::is(trim($post['comment']), 'NotEmpty')) {
+                } elseif (!Zend_Validate::is(trim($post['comment']), 'NotEmpty')) {
                     $error = true;
-                }
-
-                if (!Zend_Validate::is(trim($post['email']), 'EmailAddress')) {
+                } elseif (!Zend_Validate::is(trim($post['email']), 'EmailAddress')) {
                     $error = true;
                 }
 
                 if ($error) {
-                    throw new Exception();
+                    Mage::throwException($this->__('Unable to submit your request. Please, try again later'));
                 }
                 $mailTemplate = Mage::getModel('core/email_template');
                 /** @var Mage_Core_Model_Email_Template $mailTemplate */
@@ -92,19 +91,22 @@ public function postAction()
                     );
 
                 if (!$mailTemplate->getSentSuccess()) {
-                    throw new Exception();
+                    Mage::throwException($this->__('Unable to submit your request. Please, try again later'));
                 }
 
                 $translate->setTranslateInline(true);
 
-                Mage::getSingleton('customer/session')->addSuccess(Mage::helper('contacts')->__('Your inquiry was submitted and will be responded to as soon as possible. Thank you for contacting us.'));
+                Mage::getSingleton('customer/session')->addSuccess($this->__('Your inquiry was submitted and will be responded to as soon as possible. Thank you for contacting us.'));
                 $this->_redirect('*/*/');
 
                 return;
-            } catch (Exception $e) {
+            } catch (Mage_Core_Exception $e) {
                 $translate->setTranslateInline(true);
-
-                Mage::getSingleton('customer/session')->addError(Mage::helper('contacts')->__('Unable to submit your request. Please, try again later'));
+                Mage::logException($e);
+                Mage::getSingleton('customer/session')->addError($e->getMessage());
+            } catch (Throwable $e) {
+                Mage::logException($e);
+                Mage::getSingleton('customer/session')->addError($this->__('Unable to submit your request. Please, try again later'));
                 $this->_redirect('*/*/');
                 return;
             }

diff --git a/app/design/frontend/base/default/template/contacts/form.phtml b/app/design/frontend/base/default/template/contacts/form.phtml
@@ -18,6 +18,7 @@
     <h1><?php echo Mage::helper('contacts')->__('Contact Us') ?></h1>
 </div>
 <form action="<?php echo $this->getFormAction(); ?>" id="contactForm" method="post">
+    <?php echo $this->getBlockHtml('formkey') ?>
     <div class="fieldset">
         <h2 class="legend"><?php echo Mage::helper('contacts')->__('Contact Information') ?></h2>
         <ul class="form-list">

diff --git a/app/design/frontend/rwd/default/template/contacts/form.phtml b/app/design/frontend/rwd/default/template/contacts/form.phtml
@@ -18,6 +18,7 @@
     <h1><?php echo Mage::helper('contacts')->__('Contact Us') ?></h1>
 </div>
 <form action="<?php echo $this->getFormAction(); ?>" id="contactForm" method="post" class="scaffold-form">
+    <?php echo $this->getBlockHtml('formkey') ?>
     <div class="fieldset">
         <h2 class="legend"><?php echo Mage::helper('contacts')->__('Contact Information') ?></h2>
         <p class="required"><?php echo Mage::helper('contacts')->__('* Required Fields') ?></p>

diff --git a/app/locale/en_US/Mage_Contacts.csv b/app/locale/en_US/Mage_Contacts.csv
@@ -10,9 +10,10 @@
 "Email Sender","Email Sender"
 "Email Template","Email Template"
 "Enable Contact Us","Enable Contact Us"
+"Invalid Form Key. Please submit your request again.","Invalid Form Key. Please submit your request again."
 "Name","Name"
 "Send Emails To","Send Emails To"
 "Submit","Submit"
 "Telephone","Telephone"
-"Unable to submit your request. Please, try again later","Unable to submit your request. Please, try again later"
+"Unable to submit your request. Please, try again later","Unable to submit your request. Please, try again later."
 "Your inquiry was submitted and will be responded to as soon as possible. Thank you for contacting us.","Your inquiry was submitted and will be responded to as soon as possible. Thank you for contacting us."