Orbeon Forms
Comment on page


Which captcha is right for you

reCAPTCHA is almost a de facto standard on the web: more than a million reCAPTCHA are solved every day, it is used by a large number of mainstream sites, like Facebook, and is constantly updated providing a high level of security. Since 2009, this service is owned by Google.
Because of the high level of safety provided by reCAPTCHA, we recommend you use it, unless doing so isn't possible in your situation. Maybe, for instance, you don't want the server on which Orbeon Forms runs to connect to any external service, which the reCAPTCHA component does to verify the answer provided. If you can't use the reCAPTCHA, Orbeon Forms provides an alternate component, SimpleCaptcha, which runs entirely within Orbeon Forms, without the need to connect to any external server.


Both the fr:recaptcha and fr:simple-captcha components support the same events:
  1. 1.
    Verifying the answer entered by users — Both components don't include a Verify button that triggers the value entered by users to be checked. This is to give more control to you, the form author, as to when the verification is done. For instance, you might want to verify the captcha when users click on a Save button on your form. To trigger the value to be verified, dispatch a fr-verify event to the captcha.
  2. 2.
    Verification succeeded — When the verification succeeds, the component dispatches a fr-verify-done event. The example below, using the reCAPTCHA, listens to that event to run a submission.
  3. 3.
    Verification failed — When the verification fails, you get the fr-verify-error event. The example below, using the reCAPTCHA, listens to that event to show a case id failure-case (which might tell users the verification failed).
  4. 4.
    Loading another captcha — Specifically for the reCAPTCHA, as part of the context information for the fr-verify-error event, you get an error code, which you can access with event('fr-error-code'). This is the error code returned by the reCAPTCHA API, which is a string. Its value can either be:
    • empty — this tells you users didn't provide any answer. When that happens, you could notify users and keep the same challenge.
    • One of the values listed in the reCAPTCHA API documentation (look for the table under Error Code Reference). When this happens, you could notify users, and need to change the challenge by dispatching fr-reload to the reCAPTCHA. (For added safety, the reCAPTCHA won't let users try to solve the same captcha multiple times.)
      <fr:recaptcha id="my-captcha">
      <xf:send ev:event="fr-verify-done" submission="save-submission"/>
      <xf:action ev:event="fr-verify-error">
      <xf:toggle case="failure-case"/>
      <xf:dispatch target="my-captcha" name="fr-reload"/>


Supported version

Orbeon Forms supports the reCAPTCHA v2 since Orbeon Forms 2018.1 and 2017.2.2. Google stopped supporting the reCAPTCHA v1 used by earlier versions of Orbeon Forms after March 31, 2018. Hence, if you're using the reCAPTCHA, and are using an older version of Orbeon Forms, you'll want to upgrade to a newer version which supports reCAPTCHA v2.


You can use this component to show users a captcha, like the one shown in the following screen shot:
  1. 1.
    First, you need to sign up with reCAPTCHA to get your own public/private key pair.
  2. 2.
    Store your public key (now called "site key") and private key in your properties, as follows:
  3. 3.
    Add the reCAPTCHA component to your form:
    • For forms you're creating in Form Builder, enable the reCAPTCHA by setting the following property:
    • For forms you're creating by writing XForms "by hand", add the component to your form as follows. You'll also want to add handlers for the fr-verify-done and maybe fr-verify-error events.
      <fr:recaptcha id="my-recaptcha"/>


You can configure:
  • The theme using properties, either:
    • For forms you're creating with Form Builder, with:
    • For forms you're creating by writing XForms "by hand", with:
  • The language with the lang attribute on the <html> element.
See the reCAPTCHA documentation, under Look & Feel Customizations for more information on the possible values for the theme and lang properties.


You can use this component to show users a captcha, like the one shown in the following screen shot:
To use this component, where you want the captcha to show in your form, add:
<fr:simple-captcha id="my-simple-captcha">
Most likely, you'll want to add code dispatching an fr-verify event to your component to trigger a verification, and listeners on the fr-verify-done and fr-verify-error events. For more information on this, see the section Events above.

See also