

Eloqua form security updates: four things you should do right away

Date: 11 May 2017

Over the last few releases, we have seen a number of security updates to the Eloqua forms editor, and there are more on the way later this month.

Most of the recent changes have been centered around preventing malicious form data from being written to the Eloqua database or being used to populate field merges in emails. Overall, these changes are positive because they will reduce the chances of your assets being used as part of a phishing attack, but they do require you to take some proactive steps to avoid legitimate form submissions being blocked.

A quick summary of the recent changes

February 2017

Server-side validation is enabled on all forms. Any form submissions that do not meet field validation criteria will be rejected by Eloqua. Also, validation is added to all new form fields to prevent visitors from submitting URLs.

April 2017

New validation rules are applied to all new form fields to limit submissions to 35 characters.

May 2017

The Domain Whitelist tool will be enabled to regulate the domains used for form redirects, form integration, tracking script testing and the Eloqua Web Crawler.

The main thing to be aware of with these changes is that there is no easy way to see the form submissions they are blocking.

Most of the measures have been implemented using Eloqua’s form validation functionality, which prevents any submissions that fail the validation criteria from reaching your database. This is great when you are trying to prevent spam submissions, but it presents a challenge when you are trying to track down legitimate submissions that have been inadvertently prevented. Since you can’t see the submissions that are triggering these rules, our advice is to be as proactive as possible in making sure your forms play nicely with the new security measures.

The four things you can do right now

1. Ensure your Domain Whitelist is up to date

In this month’s release (488), Eloqua will start enforcing the rules configured in the Domain Whitelist tool that was added to the security configuration area a few months ago. Once this is in effect, Eloqua forms will only be able to redirect visitors to domains on the whitelist. It is important to review your currently active forms and ensure that any domains that you are using in your redirect steps are also on the whitelist.

2. Make sure your form validation and your page validation match

Eloqua automatically applies validation to any new form fields you create to prevent visitors from entering URLs or values over 35 characters long. If you are writing the HTML for your form outside of Eloqua, the JavaScript validation on your page may not include these criteria. You will want to either disable this validation on your form in Eloqua or add it to the scripts on your web page to ensure that visitors are warned when they try to submit invalid data.
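As an added illustration (not Eloqua's or MarketOne's code), here is one way a page script could mirror the two default rules so visitors are warned before Eloqua silently rejects the submission. The URL pattern is an assumed heuristic, since Eloqua's exact pattern is not given here, and the form id `lead-form` and field name `comments` are hypothetical.

```javascript
// Added example: page-side checks mirroring the defaults the article describes.
const MAX_LENGTH = 35; // character limit stated in the article

// ASSUMPTION: Eloqua's exact URL-detection pattern is not given on this page.
// This heuristic flags scheme://, "www." and bare host.tld tokens, but not
// e-mail addresses.
const URL_LIKE = /(?:[a-z][a-z0-9+.-]*:\/\/|www\.)\S+|(?:^|\s)(?:[a-z0-9-]+\.)+[a-z]{2,}\b/i;

// rules: { maxLength: number|null, blockUrls: boolean }. Set these per field so
// they match what is configured on the corresponding Eloqua form field.
function validateField(value, rules = {}) {
  const { maxLength = MAX_LENGTH, blockUrls = true } = rules;
  const text = String(value ?? ""); // not trimmed, so the page is never laxer
  const errors = [];
  if (maxLength !== null && text.length > maxLength) {
    errors.push(`Please use ${maxLength} characters or fewer.`);
  }
  if (blockUrls && URL_LIKE.test(text)) {
    errors.push("Web addresses are not accepted in this field.");
  }
  return errors;
}

// Returns { fieldName: [messages] } containing failing fields only.
function validateForm(values, fieldRules = {}) {
  const failures = {};
  for (const [name, value] of Object.entries(values)) {
    const errors = validateField(value, fieldRules[name]);
    if (errors.length > 0) failures[name] = errors;
  }
  return failures;
}

// Browser wiring (skipped outside a browser). "lead-form" is a hypothetical id.
if (typeof document !== "undefined") {
  const form = document.getElementById("lead-form");
  if (form) form.addEventListener("submit", (event) => {
    const values = Object.fromEntries(new FormData(form).entries());
    // Hypothetical "comments" field with the length limit removed in Eloqua.
    const failures = validateForm(values, { comments: { maxLength: null } });
    if (Object.keys(failures).length > 0) {
      event.preventDefault(); // warn the visitor instead of losing the submission
      alert(Object.entries(failures).map(([f, e]) => `${f}: ${e.join(" ")}`).join("\n"));
    }
  });
}
```

Keep the per-field rules in step with the Eloqua form: a rule relaxed in Eloqua but not on the page blocks valid input, and the reverse lets submissions through that Eloqua will reject.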

3. Use Form Templates

It is easy to overlook the validation settings on your form fields when creating a new form. If you have a large team working in the application, it’s likely that someone will forget to modify the validation criteria on a form field, resulting in lost submissions. You can avoid this by taking advantage of Eloqua’s template feature. Once you decide which fields you would like to remove Eloqua’s default validation from, you can create a form template with the validation settings preconfigured. Any forms created from this template will keep the validation settings that you configure, and will not require the field settings to be modified each time a new form is created.

4. Use a descriptive Validation Failure Page

The Validation Failure Page is an often overlooked setting on Eloqua forms. This page, selected at the top of the editor, is what visitors will see if they submit data which does not meet the validation criteria specified in the form. This landing page should make it clear to visitors that there was an issue with their submission, and instruct them to correct any invalid information and resubmit the form.

Need a helping hand?

MarketOne will gladly assess the potential business impact of the changes on your Eloqua forms. With API access we can provide this analysis within just a couple of days. You’ll get a full assessment of the risks and prescriptive guidance on how to mitigate them. Just contact your account manager or technical contact, or get in touch via our contact page.