Server not blocking Honeypot field when JavaScript is disabled

  • Profile Image
    Asked on August 15, 2013 at 09:17 AM

    When JavaScript is disabled, the server does not reject form submissions that have the "website" field filled out:

          <li style="display:none">
           Should be Empty:
           <input type="text" name="website" value="" />

    I tested this by changing the CSS "display" property to "block" and then filling out the input. The form gets submitted and I'm receiving the results in my inbox.
  • Profile Image
    Answered on August 15, 2013 at 01:55 PM

    I am not sure if I understood correctly, do you want to prevent the form being submitted when a certain field is filled out?

    I looked into your contact form which is the only one in your account and could not find the "Honeypot" field

    Can you please provide more details and describe in a more detailed way the desired scenario?

  • Profile Image
    Answered on August 15, 2013 at 02:48 PM

    Correct. I want the server to reject the form when the field "website" is filled out. This rejection should happen on the server end.

    That code snippet comes directly from the downloaded source code (from the menu: "Embed Form" > "Source" > "You can also download a compressed and refined version with separate .css and .js files from here"). 

    I think I reasonably assumed the purpose of the "website" field, enclosed in an element which has "display:none:", was to be a "Honeypot" field — especially because of the presence of the "Should be Empty:" text next to it.

    The technique I want to achieve is explained here, among other places:

  • Profile Image
    Answered on August 15, 2013 at 05:43 PM

    The process given from the website simply tells you to hide the confirmation email field, then if the field is filled out, that means it is a SPAM message from Spam Bots.

    You can do that with our Form. Add another field, hide that field using custom CSS injection. Example:

    Form with the visible field:

    Form without the visible field:

    We can do a tweak, using our Conditional Logic, Hide the Submit Button when that field is filled.

    As you could see, the field is hidden from the editor but you can still see it when setting up a Conditional Logic (Conditional Logic on Forms).

    To simulate and or see the action when the field is filled out, see this URL:! (using URL parameters).

    Let us know if you are confuse about the process and or if you have any further questions for this process.


  • Profile Image
    Answered on August 16, 2013 at 02:13 AM

    I tried what you suggested, Welvin. As I suspected however, that functionality relies on JavaScript (I tested the form with JavaScript deactivated in my browser). As most (if not all) spambots don't process JavaScript and CSS, this would have minimal effect.

    The description of the honeypot technique might be clearer here:

    In this example, specifically, it's the PHP that is blocking the submission:

    if(isset($_REQUEST'honeypot') && $_REQUEST'honeypot' && $_REQUESThoneypot' != '')
    //Don't send the form
    //Send the form

    Obviously this is just an example and geniune code needs to go in there.

    Again, I'm seriously wondering what's the purpose of this code snippet in the downloaded code from Jotform if it ain't for this very specific reason:

          <li style="display:none">
           Should be Empty:
          <input type="text" name="website" value="" />

    Just to make it clear: I have not created this field — it has been generated by JotForm. If you check on other people's forms, you'll also find the same snippet of code in their forms. It's even in the examples you supplied, if you look at the rendered page's HTML source code.
  • Profile Image
    Answered on August 16, 2013 at 03:30 PM


    I have no clear explanation about that codes, but I guess that's part of tracking to who accessed the form and should always be hidden which is sometimes called an empty element. I will try to reach our developers about this and let you know better later today.

    The honeypot technique seems new to me. There should be more explanation on how to use it. I have tried to do it using the form source codes but I am still able to receive the form email. I'll try to come up with this idea and give you the working example.


  • Profile Image
    Answered on September 07, 2013 at 01:00 AM


    Do you still need help regarding this matter? If yes, you can use the following.

    Here I came up with a pure javascript code. Just add it at the bottom of your entire form source code, after the ending </form> tag.

    <script type="text/javascript">

    var emptyfield = document.getElementsByName("website");

    formz = document.getElementsByTagName("form");

    formz[0].onsubmit = function(){

    if (emptyfield[0].value != ""){

      alert ("Spammers alert!"); //trigger alert

      console.log("form cannot be sent"); //print log

      return false; //unsubmit form


    return true; //submit form




    Also, you do not need to worry on the browsers with disabled javascript. Jotform has its own ability to detect it and redirect the form to a captcha page if javascript is disabled.

    Hope this helps. Thanks!