Since then we've been evaluating the idea of presenting and handling the form ourselves, so we can write and enforce our own spam-filter rules, then using an API to insert them into Marketo. No reports available from that effort, yet; we're still evaluating the Marketo APIs for usability and fitness for that purpose.
You can also add code to do your own custom validation right in Marketo. Just look up the form.onValidate examples. We wrote a validation routine and put it in a snippet that we drag onto the landing pages that need the validation.
While we've done some very elegant things with the Forms 2.0 API, that's still client-side validation. Client-side validation is all bypassed by bots (or any noscript environment). If bots are a direct problem, that's not the solution.
Am I understanding correctly:
- Bot spammers often bypass client-side validation on Marketo forms (including default Marketo validation and any custom JS/CSS I've added) so that's useless against anything but the most basic spam bots,
- Marketo has no server-side validation measures in place so there's no protection offered there,
- Marketo has known about this vulnerability for 4 years now and hasn't done anything to fix it?
Do we know if this critical security flaw has been resolved? Or has it been 6+ years and Marketo has made no progress?
Escape your output. That's how you deal with untrusted input (always).
Exactly what vulnerability exists when you properly escape output?
(And all user-supplied input should be considered untrusted, regardless of whether it's said to be "sanitized".)
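As an added example (not code from this thread or from Marketo), the same spam rule applied once in the Forms 2.0 onValidate hook and again server-side, where a direct POST that never runs the browser JavaScript cannot skip it, with every field HTML-escaped before it is stored or rendered. The honeypot field name, the rule itself and the submissions are constructed assumptions; MktoForms2.whenReady, form.onValidate, form.vals, form.submittable and form.showErrorMessage are the real Forms 2.0 calls.

```javascript
// Added example, not Marketo's code. The spam rule, the hidden field name
// "website_hp" and the sample submissions are constructed for illustration.

// Spam rule shared by both sides: reject a submission whose hidden honeypot
// field was filled in, or whose Email is not a plausible address.
function isSpam(fields) {
  const email = String(fields.Email || "");
  const honeypot = String(fields.website_hp || ""); // hypothetical hidden field
  if (honeypot.length > 0) return true;
  return !/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email);
}

// Client side: the Forms 2.0 onValidate hook. Good for user feedback, but a
// bot that posts straight to the form endpoint never executes this code.
if (typeof MktoForms2 !== "undefined") {
  MktoForms2.whenReady(function (form) {
    form.onValidate(function () {
      if (isSpam(form.vals())) {
        form.submittable(false);
        form.showErrorMessage("Please enter a valid email address.");
      } else {
        form.submittable(true);
      }
    });
  });
}

// Escape the five HTML-significant characters so untrusted field values can
// be placed in an HTML body or attribute without changing the markup.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Server side: re-apply the same rule to the raw POST body, treating every
// value as untrusted regardless of what the browser claimed to validate.
// Returns the accept/reject decision and the escaped fields.
function handleSubmission(postBody) {
  if (isSpam(postBody)) return { accepted: false, fields: null };
  const fields = {};
  for (const [k, v] of Object.entries(postBody)) fields[k] = escapeHtml(v);
  return { accepted: true, fields };
}
```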