[Forminator] Hidden fields are editable by users

In the Forminator plugin, when a hidden field is used (for example, the User ID), this field can easily be edited in the page source code, so anybody could change the user ID and email on submitting the form. It must be made uneditable or be validated on submit.

  • Adam Czajczyk
    • Support Gorilla

    Hello Ben

    I hope you’re well today!

    The “hidden field” is exactly what it is – an “input” field of type “hidden” and it doesn’t imply it’s not “editable”. It’s just invisible, just like in regular HTML and/or in any other form that contains that type of field.

    It’s just one of possible input types:

    https://www.w3schools.com/html/html_form_input_types.asp.

    It’s hardly a bug because that’s exactly what “type=hidden” is and is expected to be. Whether it’s editable or not, that would be set by restrictions attribute such as “disabled” which is a different thing and, in fact, could also be easily edited in page source.

    However, I can see the point and I do see why it would be good to be able to set it as non-editable in addition to being invisible. That’d be a new feature but quite a useful one and should also be relatively simple to implement. I have already passed the suggestion to our developers so they’d look into it.

    Thank you for suggesting that!

    Best regards,

    Adam

  • Ben
    • The Reaper

    I can see the point and I do see why it would be good to be able to set it as non-editable in addition to being invisible

    Good. Yes, people putting this in their form being unaware and thinking it’s a reliable form of data by assuming that wpmudev could possibly be validating that data (because they could and it’s the right thing to do when it’s possible and like you said not that hard to implement and one would assume they would because again it’s the obvious thing to do)…highly dangerous :smiley:

  • Ben
    • The Reaper

    I know I am being critical of the development of whatever plugin I’m using…but I’m always very specific and constructive. That said, this plugin has fantastic potential and I can see a lot of thought has gone into it. I actually have many more ideas for it but would like the baseline of reliability and security to be handled first.

  • Adam Czajczyk
    • Support Gorilla

    Hi Ben

    Actually, meanwhile I got confirmation from our Forminator team that they’ll work on it, so we’ve already put it on the future improvements list and our developers will work on adding server-side validation for such hidden fields.

    I don’t have an ETA but at least I got confirmation, so I hope that’s good news :slight_smile:

    Best regards,

    Adam
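
What server-side validation of a hidden field can look like, as an added example that is not Forminator's code and not part of the thread. It is a language-neutral sketch in Python; the function names, the `_sig` suffix, the `campaign` field and the session layout are all hypothetical.

```python
import hashlib
import hmac
import secrets

# Assumption: a per-site secret that never leaves the server (constructed here).
SERVER_KEY = secrets.token_bytes(32)


def _tag(session_id: str, name: str, value: str) -> str:
    # Length-prefix each part so ("ab", "c") and ("a", "bc") cannot collide.
    msg = b"".join(len(p.encode()).to_bytes(4, "big") + p.encode()
                   for p in (session_id, name, value))
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def render_hidden(session_id: str, name: str, value: str) -> dict:
    """Fields the server writes into the form: the value plus its MAC."""
    return {name: value, name + "_sig": _tag(session_id, name, value)}


def read_hidden(session_id: str, form: dict, name: str) -> str:
    """Return the hidden value only if it is exactly what the server rendered."""
    value = form.get(name, "")
    sig = form.get(name + "_sig", "")
    expected = _tag(session_id, name, value)
    # Compare as bytes in constant time; a missing or altered tag fails.
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        raise ValueError(f"hidden field {name!r} was modified or is unsigned")
    return value


def handle_submit(session: dict, form: dict) -> dict:
    """Build the stored record from trusted sources only."""
    return {
        # Identity comes from the server-side session, never from the form,
        # so an edited user_id input has no effect.
        "user_id": session["user_id"],
        # Other hidden values are accepted only with a valid MAC.
        "campaign": read_hidden(session["id"], form, "campaign"),
        # Ordinary visible input; still needs normal validation elsewhere.
        "message": form.get("message", ""),
    }
```

Binding the MAC to the session ID means a signed value copied from one user's form is rejected in another user's session.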
