From a62d7c3fbe6302418f300ea5575a1e1eb7803f2a Mon Sep 17 00:00:00 2001
From: Len Kranendonk
Date: Sun, 14 Dec 2003 12:32:34 +0000
Subject: [PATCH] Bugfix 859816: DataForm - security issues
---
 docs/changelog/6.x.x.txt | 1 +
 lib/WebGUI/Wobject/DataForm.pm | 3 ++-
 2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/docs/changelog/6.x.x.txt b/docs/changelog/6.x.x.txt
index c17e732a6..35ab94910 100644
--- a/docs/changelog/6.x.x.txt
+++ b/docs/changelog/6.x.x.txt
@@ -22,5 +22,6 @@ (Thanks to Mihai Bazon.)
 - Updated the Form subsystem to use the new calendar for date and time fields.
+ - Bugfix 859816 : DataForm - security issues. Tnx Gabor for reporting.
diff --git a/lib/WebGUI/Wobject/DataForm.pm b/lib/WebGUI/Wobject/DataForm.pm
index 13ed0dec5..41d580a41 100644
--- a/lib/WebGUI/Wobject/DataForm.pm
+++ b/lib/WebGUI/Wobject/DataForm.pm
@@ -615,8 +615,9 @@ sub www_process {
 my $sth = WebGUI::SQL->read("select DataForm_fieldId,label,name,status,type,defaultValue,isMailField from DataForm_field where wobjectId=".$_[0]->get("wobjectId")." order by sequenceNumber");
 while (%row = $sth->hash) {
- my $value = WebGUI::FormProcessor::process($row{name},$row{type},$row{defaultValue});
+ my $value = $row{defaultValue};
 if ($row{status} eq "required" || $row{status} eq "editable") {
+ $value = WebGUI::FormProcessor::process($row{name},$row{type},$row{defaultValue});
 $value = WebGUI::Macro::filter($value);
 }
 if ($row{status} eq "required" && ($value =~ /^\s$/ || $value eq "" || not defined $value)) {