From bb10883a06e3066eeafa1393dd13bac667f0bc5f Mon Sep 17 00:00:00 2001
From: Torben Hansen
Date: Wed, 17 Sep 2025 19:42:56 +0200
Subject: [PATCH] [TASK] Require __hp field in arguments when honeypot spamcheck enabled

When the honeypot spamcheck is enabled, the `__hp` field is automatically rendered as invisible field in the frontend. The spamcheck currently only checks, if the content of the field is not empty. The field can however be completely omitted in the POST request, so spambots may more easily find out, that the `__hp` field should not be sent in the POST request. This change hardens the honeypot spamcheck by requiring the `__hp` field to be present in the POST request. If the field is omitted, the spamcheck will fail.
---
 Classes/Domain/Validator/SpamShield/HoneyPodMethod.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Classes/Domain/Validator/SpamShield/HoneyPodMethod.php b/Classes/Domain/Validator/SpamShield/HoneyPodMethod.php
index 88f9132c1..7e16c3782 100644
--- a/Classes/Domain/Validator/SpamShield/HoneyPodMethod.php
+++ b/Classes/Domain/Validator/SpamShield/HoneyPodMethod.php
@@ -15,6 +15,6 @@ class HoneyPodMethod extends AbstractMethod
 */
 public function spamCheck(): bool
 {
- return !empty($this->arguments['field']['__hp']);
+ return !isset($this->arguments['field']['__hp']) || !empty($this->arguments['field']['__hp']);
 }
 }
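Review bot: The new return expression in spamCheck() still relies on `empty()`, which is a loose check: it treats `'0'` and an empty array the same as the empty string the rendered honeypot field submits, so the field is not required to be exactly untouched. A stricter form that also covers the missing-field case in one expression is `return ($this->arguments['field']['__hp'] ?? null) !== '';`, assuming the untouched field always arrives as an empty string and is not normalised to null earlier in the request handling, which should be confirmed. Requiring the field also means any form whose template override does not render `__hp` will now have every submission flagged, so this deserves a line in the changelog or upgrade notes. The diffstat shows only this file changed, so the omitted-field path has no test in this commit; a unit test with `field` lacking `__hp` would pin the hardening. The docblock above spamCheck() starts outside the hunk, so whether it documents the new presence requirement cannot be seen here.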