[SS-2016-010] FIX Form@httpSubmission will no longer load submitted d…

…ata to disabled or readonly fields
silverstripe · Nov 14, 2016 · 4440b88 · 4440b88
1 parent 61e4055
commit 4440b88
Showing 1 changed file with 14 additions and 1 deletion.
diff --git a/forms/Form.php b/forms/Form.php
@@ -319,8 +319,21 @@ public function httpSubmission($request) {
 			$vars = $request->requestVars();
 		}
 
+		// construct an array of allowed fields that can be populated from request data.
+		// readonly or disabled fields should not be loading data from requests
+		$allowedFields = array();
+		$dataFields = $this->Fields()->dataFields();
+		if ($dataFields) {
+			/** @var FormField $field */
+			foreach ($this->Fields()->dataFields() as $name => $field) {
+				if (!$field->isReadonly() && !$field->isDisabled()) {
+					$allowedFields[] = $name;
+				}
+			}
+		}
+
 		// Populate the form
-		$this->loadDataFrom($vars, true);
+		$this->loadDataFrom($vars, true, $allowedFields);
 
 		// Protection against CSRF attacks
 		$token = $this->getSecurityToken();