tonyair/silverstripe-framework
1
0
Fork 0
mirror of https://github.com/silverstripe/silverstripe-framework synced 2024-10-22 14:05:37 +02:00
Code Issues Projects Releases Wiki Activity

[SS-2016-010] FIX Form@httpSubmission will no longer load submitted data to disabled or readonly fields

Browse Source
This commit is contained in:
Daniel Hensby 2016-11-11 15:36:56 +00:00
parent 61e4055bdb
commit 4440b88730
No known key found for this signature in database
GPG Key ID: B00D1E9767F0B06E
1 changed files with 14 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
forms/Form.php
View File

@ -319,8 +319,21 @@ class Form extends RequestHandler {
$vars = $request->requestVars(); $vars = $request->requestVars();
} }
// construct an array of allowed fields that can be populated from request data.
// readonly or disabled fields should not be loading data from requests
$allowedFields = array();
$dataFields = $this->Fields()->dataFields();
if ($dataFields) {
/** @var FormField $field */
foreach ($this->Fields()->dataFields() as $name => $field) {
if (!$field->isReadonly() && !$field->isDisabled()) {
$allowedFields[] = $name;
}
}
}
// Populate the form // Populate the form
$this->loadDataFrom($vars, true); $this->loadDataFrom($vars, true, $allowedFields);
// Protection against CSRF attacks // Protection against CSRF attacks
$token = $this->getSecurityToken(); $token = $this->getSecurityToken();