We use MktoForms2 on our site to embed Marketo forms into our site. We have some antispam features built into our site that prevent a form submission, such as reCAPTCHA from Google, some honeypot fields, and other field validations.
However, I've realized that all of this can be bypassed easily by a spammer if the spammer issues their own commands to the MktoForms2 JS API.
For example the following code could be used:
// baseUrl, munchkinId and formId are the instance values normally passed to loadForm
MktoForms2.loadForm( baseUrl, munchkinId, formId );
MktoForms2.whenReady( function( form ) {
    // any valid Marketo field name can be set here; the page's own validation never runs
    form.addHiddenFields( { test : 'test' } );
    form.submit();
});
The hidden fields could contain any valid Marketo field name, and this would submit directly to Marketo, bypassing any antispam in use on our site. The page this is executed on doesn't even need to have a form on it already; it just needs the MktoForms2 JS API to be loaded.
A possible solution for this would be for a token to be generated server-side that must be then sent along with the form submission to Marketo and verified by Marketo for the submission to be successful.