Bugfix 859816: DataForm - security issues

docs/changelog/6.x.x.txt

@@ -22,5 +22,6 @@
    (Thanks to Mihai Bazon.)
  - Updated the Form subsystem to use the new calendar for date and time
    fields.
+ - Bugfix 859816 : DataForm - security issues. Tnx Gabor for reporting.
 
 

lib/WebGUI/Wobject/DataForm.pm

@@ -615,8 +615,9 @@ sub www_process {
 	my $sth = WebGUI::SQL->read("select DataForm_fieldId,label,name,status,type,defaultValue,isMailField from DataForm_field 
 		where wobjectId=".$_[0]->get("wobjectId")." order by sequenceNumber");
 	while (%row = $sth->hash) {
-		my $value = WebGUI::FormProcessor::process($row{name},$row{type},$row{defaultValue});
+		my $value = $row{defaultValue};
 		if ($row{status} eq "required" || $row{status} eq "editable") {
+			$value = WebGUI::FormProcessor::process($row{name},$row{type},$row{defaultValue});
 			$value = WebGUI::Macro::filter($value);
 		}
 		if ($row{status} eq "required" && ($value =~ /^\s$/ || $value eq "" || not defined $value)) {