Add hidden nonce (honeypot) field to filter bot autofills on subs page

cmd/public.go

@@ -302,6 +302,14 @@ func handleSubscriptionForm(c echo.Context) error {
 		return err
 	}
 
+	// If there's a nonce value, a bot could've filled the form.
+	if c.FormValue("nonce") != "" {
+		return c.Render(http.StatusOK, tplMessage,
+			makeMsgTpl(app.i18n.T("public.errorTitle"), "",
+				app.i18n.T("public.invalidFeature")))
+
+	}
+
 	if len(req.SubListUUIDs) == 0 {
 		return c.Render(http.StatusBadRequest, tplMessage,
 			makeMsgTpl(app.i18n.T("public.errorTitle"), "",

static/public/static/style.css

@@ -274,6 +274,9 @@ input[type="text"], input[type="email"], select {
 .form .lists {
   margin-top: 45px;
 }
+  .form .nonce {
+    display: none;
+  }
 
 .footer {
   text-align: center;

static/public/templates/subscription-form.html

@@ -8,6 +8,8 @@
             <p>
                 <label>{{ L.T "subscribers.email" }}</label>
                 <input name="email" required="true" type="email" placeholder="{{ L.T "subscribers.email" }}" autofocus="true" >
+
+                <input name="nonce" class="nonce" value="" />
             </p>
             <p>
                 <label>{{ L.T "public.subName" }}</label>