Updating hidden/disabled fields / circumvent on load code

Updating hidden/disabled fields / circumvent on load code

I found another bug. It is possible to view, edit and even submit hidden or disabled fields in a form.

Image you have a form with a text field called "hidden_field". You want it only to be edited by script so you put on the two form actions "on edit / on load" and "on add / on load" the code
hide hidden_field;
or
disable hidden_field


Here are the steps to circumvent the execution of this code.

1. Go to the view and press the "edit" button on a record
2. The record will load and show the complete form for a split second.
3. Press the abort button in your browser before the "On load" script is executed.
4. Now you can edit the fields, that should be disabled or hidden.
5. Submit the changes. They will be committed to the database.

So I would suggest the following: Dont update hidden or disabled fields in the submit, or check if all scripts were executed before submitting the data.

Greetings, Mathias