diff --git a/docs/changelog/6.x.x.txt b/docs/changelog/6.x.x.txt
index c17e732a6..35ab94910 100644
--- a/docs/changelog/6.x.x.txt
+++ b/docs/changelog/6.x.x.txt
@@ -22,5 +22,6 @@
 (Thanks to Mihai Bazon.)
 - Updated the Form subsystem to use the new calendar for date and time fields.
+ - Bugfix 859816 : DataForm - security issues. Tnx Gabor for reporting.
diff --git a/lib/WebGUI/Wobject/DataForm.pm b/lib/WebGUI/Wobject/DataForm.pm
index 13ed0dec5..41d580a41 100644
--- a/lib/WebGUI/Wobject/DataForm.pm
+++ b/lib/WebGUI/Wobject/DataForm.pm
@@ -615,8 +615,9 @@ sub www_process {
 my $sth = WebGUI::SQL->read("select DataForm_fieldId,label,name,status,type,defaultValue,isMailField from DataForm_field where wobjectId=".$_[0]->get("wobjectId")." order by sequenceNumber");
 while (%row = $sth->hash) {
- my $value = WebGUI::FormProcessor::process($row{name},$row{type},$row{defaultValue});
+ my $value = $row{defaultValue};
 if ($row{status} eq "required" || $row{status} eq "editable") {
+ $value = WebGUI::FormProcessor::process($row{name},$row{type},$row{defaultValue});
 $value = WebGUI::Macro::filter($value);
 }
 if ($row{status} eq "required" && ($value =~ /^\s$/ || $value eq "" || not defined $value)) {
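Review bot: The required-field check on the hunk's last context line still accepts a submission of two or more whitespace characters, because `/^\s$/` matches exactly one whitespace character, and the `not defined $value` test runs only after `$value =~` and `$value eq ""` have already operated on a possibly undefined value. Suggest `if ($row{status} eq "required" && (not defined $value || $value =~ /^\s*$/)) {`, which rejects undef, empty and whitespace-only values in one anchored test. The reordering itself does close the reported hole, since `WebGUI::FormProcessor::process` (which reads the request parameter named `$row{name}`) is now only reached for required/editable fields, so a submitter can no longer override a hidden field by posting a parameter with its name. One consequence worth confirming is that for every other status `$value` is now the raw `defaultValue` without passing through `WebGUI::Macro::filter`; that is presumably acceptable because the default is set by the form's author, not the submitter. The enclosing `sub www_process` starts before and continues after this hunk.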