This project is not covered by Drupal’s security advisory policy.

Webform Leet Speak Filter (WLF) validates Webform submissions for abusive
language, including evasion techniques such as leet speak character
substitutions, homoglyphs, and repeated character padding.

Features:
- Leet speak normalizer (@→a, 3→e, $→s, v→u, fuuuuck→fuck, fucccck→fuck)
- Word-level exact matching — prevents false positives (ash ≠ ass)
- Per-language word lists for multilingual sites
- Real-time JavaScript detection while the user types
- Server-side PHP validation (works when JS is disabled)
- Configurable error message with @field_label token
- Watchdog logging of blocked submissions with matched word and IP
- Excluded fields list for internal/hidden fields
- Webform Handler plugin — attach per-webform via the Webform UI

Compatible with Drupal 9, 10, and 11.

Installation

Via Composer (Recommended)

composer require drupal/wlsf
drush en webform_leetspeak -y
drush cr

Manual Installation

  1. Download the module from the project page.
  2. Place the folder inside modules/contrib/ in your Drupal root.
  3. Go to Extend (/admin/modules), search for Webform Leet Speak Filter, check the checkbox, and click Install.
  4. Run drush cr or clear caches via Configuration → Performance.

Requirement: The Webform module must be installed before enabling this module.

Configuration

Step 1 — Add your bad words list

  1. Go to Configuration → Webform → Leet Speak Filter
    (/admin/config/webform/webform-leetspeak).
  2. Enter your blocked words in the Global Bad Words List — one word per line.
  3. You only need to enter the base word. The normaliser automatically catches all
    variations — f*ck, fu@k, fvck,
    fuuuuck, fucccck, a$$ are all caught
    by listing fuck and ass.

Step 2 — Configure options

  • Enable real-time JavaScript detection — shows an inline error
    while the user is typing, before the form is submitted. Recommended.
  • Log violations to watchdog — logs every blocked submission
    to Reports → Recent log messages
    (/admin/reports/dblog) with the matched word, field name,
    webform ID, and client IP.
  • Excluded fields — comma-separated list of field machine names
    to skip. Useful for hidden, internal, or token fields that should not be checked.

    Example: internal_notes, honeypot_field, submission_token

Click Save configuration when done.

Attaching the Handler to a Webform

The module works as a Webform Handler — you attach it individually
to each webform you want to protect.

  1. Go to
    /admin/structure/webform/manage/YOUR_WEBFORM_ID/handlers
  2. Click Add handler.
  3. Find Leet Speak Abuse Filter under the
    Validation category and click Add handler.
  4. Click Save on the handler configuration screen
    (no additional configuration required on the handler itself —
    all settings are managed globally at
    /admin/config/webform/webform-leetspeak).
  5. Clear caches: drush cr or
    Configuration → Performance → Clear all caches.

How It Works

The module runs two layers of protection:

  1. Client-side (JavaScript) — detects bad words in real time
    as the user types and shows an inline error immediately below the offending
    field. The form cannot be submitted while an error is active.
  2. Server-side (PHP) — validates every submission on the server
    regardless of whether JavaScript ran. This is the hard safety net — it cannot
    be bypassed by disabling JavaScript or manipulating the browser.

Support This Module

If this module saved you time, consider buying me a coffee!


☕ Support on Ko-fi

Project information

Releases

1.0.1 released 22 June 2026
Works with Drupal: ^9 || ^10 || ^11

Fixed false negative for email-format

Install:

Development version: 1.0.x-dev updated 22 Jun 2026 at 10:16 UTC

Using Composer to manage Drupal site dependencies