Does GravityForm do server-side validation?

According to this forum post, Gravity Form indeed does server-side validation. But I am still able to inject the POST request right before the submission to change the value.

I feel that there is a need to do server-side validation to minimise security risk, but there are no available plugins or open source code.

What are you injecting in the $_POST? Is it a security issue, or just that the $_POST can be modified? Do you have an example use-case or concern?

Hi Chris,

Thank you for your reply. Yes, there is a security risk where malicious code/command can be injected into each field on submission as there is no backend validation done. I am currently using a tool to inject the request.

E.g.:

-----------------------------
Content-Disposition: form-data; name="input_19"

=cmd|'/C calculator.exe'!A0
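The payload above is a spreadsheet formula injection: a value beginning with `=` (or `+`, `-`, `@`) is executed as a formula when an entry export is opened in Excel or LibreOffice. As an added example of the server-side check the thread is asking about (this is not Gravity Forms' own code and not code posted in the thread), the snippet below hooks Gravity Forms' real `gform_field_validation` filter and rejects such values before the entry is stored. The `example_` helper names, the choice of field types inspected, and the error message are assumptions for the example; the filter name and its `($result, $value, $form, $field)` arguments are part of the Gravity Forms API. It is meant to be dropped into a plugin or the theme's functions.php.

```php
<?php
/**
 * Added example, not Gravity Forms' own code: server-side rejection of
 * spreadsheet formula injection (=, +, -, @ prefixes) through the
 * gform_field_validation filter. Names beginning with example_ are
 * assumptions made for this illustration.
 */

// Returns true when $value would be interpreted as a formula by a spreadsheet
// application: after leading whitespace (space, tab, CR, LF) it starts with
// =, +, - or @ and is not simply a signed number such as "-5" or "+3.2".
function example_is_formula_injection( $value ) {
    if ( ! is_string( $value ) ) {
        return false;
    }
    $trimmed = ltrim( $value, " \t\r\n" );
    if ( $trimmed === '' ) {
        return false;
    }
    if ( ! in_array( $trimmed[0], array( '=', '+', '-', '@' ), true ) ) {
        return false;
    }
    // A signed numeric value is legitimate input, not a formula.
    return ! is_numeric( $trimmed );
}

// Alternative to rejecting: prefix the value with a single quote so the
// spreadsheet treats the cell as literal text. Use this where blocking the
// submission outright would be too aggressive for the form's users.
function example_neutralise_formula( $value ) {
    return example_is_formula_injection( $value ) ? "'" . $value : $value;
}

// Gravity Forms runs this filter for every field during server-side
// validation; returning is_valid => false blocks the submission.
add_filter( 'gform_field_validation', function ( $result, $value, $form, $field ) {
    // Leave fields that already failed validation alone, and only inspect
    // free-text input types (assumption: these are the fields exported as-is).
    if ( ! $result['is_valid'] || ! in_array( $field->type, array( 'text', 'textarea' ), true ) ) {
        return $result;
    }
    // Multi-input fields submit an array of values; normalise to a list.
    $values = is_array( $value ) ? $value : array( $value );
    foreach ( $values as $v ) {
        if ( example_is_formula_injection( $v ) ) {
            $result['is_valid'] = false;
            $result['message']  = 'This field may not begin with =, +, -, or @.';
            break;
        }
    }
    return $result;
}, 10, 4 );
```

With this in place the request fragment above (`=cmd|'/C calculator.exe'!A0` in `input_19`) is rejected regardless of what the browser-side JavaScript did, because the check runs on the value PHP actually received. Note that a value such as "-" on its own or "-foo" is also rejected by `example_is_formula_injection`; if that is too strict for a given field, swap in `example_neutralise_formula` on output instead.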

Thank you for the clarification. Can you please submit a support ticket here?

https://www.gravityforms.com/open-support-ticket/technical/

Thank you.
