Hey guys! I'm developing the next version of the official reCAPTCHA plugin. As most of you know, reCAPTCHA is a clever CAPTCHA method in which words that industry-level OCR scanners couldn't read are used to construct the CAPTCHAs (Meaning that home-made spam bots that also use OCR libraries to try to read the CAPTCHAs will have a harder time, if not an impossible one). There are many libraries and plugins available for reCAPTCHA and I'm working on the WordPress one.
It is available here. If you want to install it to try it out (Like I said, this isn't the final release yet) and already have the old reCAPTCHA plugin (Version 2.7 or below), the folder is named differently, so you can simply upload this one, disable the old one and then enable this one (They also use different options variables, so there won't be any conflicts as far as that goes).
I have added a whole ton of new features to this new version so far and I would really like to know what you guys think: suggestions, criticisms, whatever. You can find more information about the plugin here. Aside from having the ability to show reCAPTCHA for comment spam protection and for registration spam protection, there is also the ability to hide emails from spammers using MailHide, a spam protection method also by reCAPTCHA.
This is NOT the final version of the plugin, but I would like you guys to try it out if you don't mind telling me what you think.
Among the few things that I have yet to work out is whether or not I should include a separate stylesheet for this plugin. I believe that having a separate stylesheet for this plugin (The one included in the plugin folder, recaptcha.css) is more intuitive, since users will be able to easily edit it; after all, it's not that big or complicated. Ben Maurer, the software architect for reCAPTCHA who contacted me to write this plugin, thinks that it will just create more overhead and a performance impact. I know it will, but I believe that considering the trade-off between intuitiveness and the small overhead (Again, it's a small stylesheet), it will be negligible.
Among the things included in the stylesheet are the styling of the classes which are (1) applied to hidden emails (If MailHide is enabled), (2) incorrect CAPTCHA notification, (3) styling of the registration form for when reCAPTCHA is to be shown there, and finally (4) the administration options. I believe 3 and 4 can be inlined (Like he wants) with little or no implication for user freedom (To style it how they want), but the reason I didn't inline them was that some XHTML-standards-knowing people advised me against it. For 1 and 2 I can simply apply the class and explain somewhere which classes can style what, so that they can edit their own theme's stylesheet. I'm already doing this for the hidden email styling class emailrecaptcha; I'm stating it in the administration options.
What do you guys think I should do: include the separate stylesheet for styling anything reCAPTCHA-related all in one spot, or not include it to remove any overhead that might occur (On my blog there seems to be none at all)?
Cross Site Scripting (XSS)
For the MailHide sections I use regular expressions to scan for emails and hide them accordingly. Ben Maurer states:
Unfortunately (And embarrassingly) I'm no expert in XSS, so I'd like to ask for your help. The regular expressions start at line 134 in function mh_insert_email. I did change the regular expressions after he told me this, but I don't know if they're still vulnerable. I ran a vulnerability scanner by Acunetix on it and it didn't find any risks, but I don't know how reliable that is.
Thanks again and sorry for the long post. Please tell me what you think!
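As an added illustration of the MailHide scanning question raised in the post (this is example code, not the plugin's own mh_insert_email), the snippet below finds e-mail addresses in post content with a strict regex and rewrites each into a link, escaping every value for the HTML context it lands in. The MailHide URL generator is replaced by a hypothetical callback, `$make_hide_url`, and the `emailrecaptcha` class name is the one the post mentions.

```php
<?php
// Added example, not the plugin's code. Shows regex-based e-mail hiding
// that stays XSS-safe: the pattern only captures address characters, and
// every value written into markup is escaped for its context.

// Strict pattern: only characters a real address may contain, so quotes or
// angle brackets adjacent to an address are never part of the match.
const EMAIL_PATTERN = '/\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b/';

function mh_hide_emails(string $content, callable $make_hide_url): string
{
    $result = preg_replace_callback(
        EMAIL_PATTERN,
        function (array $m) use ($make_hide_url): string {
            $email = $m[0];
            // Show only the first character of the local part, MailHide-style.
            [$local, $domain] = explode('@', $email, 2);
            $visible = substr($local, 0, 1) . '...@' . $domain;
            $url = $make_hide_url($email);

            // Escape per context: attribute value and text node. ENT_QUOTES
            // also encodes double quotes, which matters inside href="...".
            $safe_url  = htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
            $safe_text = htmlspecialchars($visible, ENT_QUOTES, 'UTF-8');
            return '<a class="emailrecaptcha" href="' . $safe_url . '">'
                 . $safe_text . '</a>';
        },
        $content
    );
    // preg_replace_callback returns null on a regex error; fail closed to
    // the original content rather than emitting partial markup.
    return $result ?? $content;
}

// Hypothetical stand-in for the real MailHide URL generator (assumption).
$make_hide_url = fn(string $email): string =>
    'https://mailhide.example/?k=PUBKEY_PLACEHOLDER&e=' . rawurlencode($email);

// Constructed sample: addresses next to quotes and a trailing period, which
// the pattern must leave outside the match.
$sample = 'Write to "alice@example.com" or bob@example.org.';
echo mh_hide_emails($sample, $make_hide_url), PHP_EOL;
```

Any character the regex does not admit stays in the surrounding content untouched, so the link markup is built only from escaped strings the code itself controls.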