[SS-2016-010] FIX Form@httpSubmission will no longer load submitted data to disabled or readonly fields

Daniel Hensby 2016-11-11 15:36:56 +00:00
parent 61e4055bdb
commit 4440b88730
No known key found for this signature in database
GPG Key ID: B00D1E9767F0B06E


@ -319,8 +319,21 @@ class Form extends RequestHandler {
$vars = $request->requestVars();
}
// construct an array of allowed fields that can be populated from request data.
// readonly or disabled fields should not be loading data from requests
$allowedFields = array();
$dataFields = $this->Fields()->dataFields();
if ($dataFields) {
/** @var FormField $field */
foreach ($this->Fields()->dataFields() as $name => $field) {
if (!$field->isReadonly() && !$field->isDisabled()) {
$allowedFields[] = $name;
}
}
}
// Populate the form
$this->loadDataFrom($vars, true);
$this->loadDataFrom($vars, true, $allowedFields);
// Protection against CSRF attacks
$token = $this->getSecurityToken();
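Review bot: The allow-list started at `$allowedFields = array();` stays empty when every data field is readonly or disabled (or the form has no data fields), and `$this->loadDataFrom($vars, true, $allowedFields);` then receives an empty array. loadDataFrom is not shown in this hunk; if it tests the list for truthiness before filtering, an empty list would presumably mean "no restriction" and the submitted values would still be loaded into the fields this change is meant to protect. I would guard the call, for example `if ($allowedFields) { $this->loadDataFrom($vars, true, $allowedFields); }`, or have loadDataFrom distinguish `null` from an empty array. The loop could also iterate the `$dataFields` it already fetched instead of calling `$this->Fields()->dataFields()` a second time. The enclosing method starts and ends outside the hunk.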