Privacy & rules check boxes not validated
The various check boxes which can be enabled on the registration form:
- I Agree to Receive an Email Confirmation
- I Accept Forum Rules
None of these checkboxes are validated server side, so if a browser doesn't support the 'required' html tag or a user removes it, you can submit the form without these checked.
This is a pretty serious issue as it allows GDPR 'must-tick' boxes to be avoided and users would be sent emails without the necessary record of acceptance.
Solution: Any fields which are added in a form as 'required' should be validated server side.
I appreciate this is not an easy fix, but it is key to ensuring the correct legal position with GDPR.
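The server-side check asked for in the solution above, as an added example that is not part of the original post or of the forum software's code. The field names `agree_email_confirmation`, `accept_forum_rules` and `username` and the layout of the stored record are assumptions; a checkbox absent from the POST body is treated as unticked, since browsers omit unticked checkboxes from the submission.

```python
from datetime import datetime, timezone
from urllib.parse import parse_qs

# Hypothetical field names for the two must-tick boxes on the registration form.
REQUIRED_CONSENTS = {
    "agree_email_confirmation": "I Agree to Receive an Email Confirmation",
    "accept_forum_rules": "I Accept Forum Rules",
}
# Values accepted as "ticked"; browsers send "on" when the input has no value attribute.
CHECKED_VALUES = {"on", "1", "true", "yes"}


def validate_registration(raw_body, now=None):
    """Return (errors, consent_record) for a urlencoded registration POST body.

    The decision is made only from what the server received, never from
    what the HTML form was supposed to enforce in the browser.
    """
    fields = parse_qs(raw_body, keep_blank_values=True)
    errors = []
    for name, label in REQUIRED_CONSENTS.items():
        values = fields.get(name, [])
        # Reject a missing key, an empty value, or any value outside CHECKED_VALUES.
        if not values or any(v.strip().lower() not in CHECKED_VALUES for v in values):
            errors.append(f"'{label}' must be ticked")
    if errors:
        return errors, None  # caller creates no account and sends no email
    when = (now or datetime.now(timezone.utc)).isoformat()
    record = {
        "username": fields.get("username", [""])[0],
        "accepted": sorted(REQUIRED_CONSENTS),
        "accepted_at": when,  # stored as the record of acceptance
    }
    return [], record


# Constructed sample bodies: a normal submission, one with a box absent
# (the 'required' attribute was not enforced client side), one with an empty value.
OK_BODY = "username=alice&agree_email_confirmation=on&accept_forum_rules=on"
MISSING_BODY = "username=bob&accept_forum_rules=on"
EMPTY_BODY = "username=carol&agree_email_confirmation=&accept_forum_rules=on"

if __name__ == "__main__":
    for body in (OK_BODY, MISSING_BODY, EMPTY_BODY):
        print(body, "->", validate_registration(body))
```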
The "require" attribute is supported on all browsers; it's even supported on IE 10.
- Firefox: from 6+ (current version 66.x.x)
- Safari: from 4+ (current version 12.x.x)
- Chrome: from 6+ (current version 72.x.x)
- Opera: from 10.6+ (current version 58.x.x)
- IE: from 10+ (IE 11 is very rare, currently it's the Edge 42.x.x)
- Android: from 2.3 (current version 19.x.x)
So the versions from which it started to be supported are so old that you have almost no chance of finding them. We don't support older browser versions; it's out of all rules for sure.
user removes it, you can submit the form without these checked. This is a pretty serious issue as it allows GDPR 'must-tick' boxes to be avoided and users would be sent emails without the necessary record of acceptance.
User removes it? This checkbox is not designed to save or transfer data, so you don't need to worry. If the user is a hacker and he/she removes the checkbox, it doesn't mean he/she didn't accept the rules. Removing the checkbox cannot be an argument to say "I registered without accepting". This is an illegal action, so it can't cause any problem with GDPR. So, the idea is this:
1. The checkbox exists.
2. It doesn't allow the form to be submitted without accepting, because it's a required field.
3. So there is no legal way to submit this form without checking the checkbox, and this is the truth.
And yes, there may be some user who uses IE 5 on Windows 2000. But I think the GDPR law will not judge you for this. You can easily say all web software doesn't support this browser version...