You are viewing limited content. For full access, please sign in.

Question

Question

Disable Forms backend validation

Forms
Updated June 9, 2021
asked on October 30, 2018

How can we disabled this globally? I am having to train everyone to turn it off for every form, because when it executes it has a chance to trash the entire submission and does not even explain which field triggered or why when it does. I am also not sure what it does to improve use-ability, since validation is handled at the field level and works even with this option disabled.

0 0

Replies

replied on October 30, 2018

Back-end validation is in place to ensure a user doesn't maliciously try to bypass front-end validation to send dangerous values to the Forms back-end. It verifies on the back-end that all values still meet the given requirements. 

Currently, there isn't a global default setting for this feature because it is important for safety and security. Understandably, in the rare cases where a front-end error gets through and a back-end error is thrown, it is frustrating that the whole form submission is compromised.  We will consider this pain point as something that can be enhanced in a future release. 

0 0
replied on October 30, 2018

What percentage of forms users are sophisticated enough to be able to "maliciously try to bypass front-end validation"?

For public facing forms I understand the risk and the need for it. But I'd bet a lot of money that the vast majority of forms that are currently in use are internal forms. That's why it makes more sense to have it turned off by default, and prompt the user to turn it on for the starting form of the BP when they make it public.

The way it's implemented is also very user-hostile. Instead of redirecting the user to an error page, the form page should display the backend validation errors inline, right above or below the submit button. It should behave identically to various signup pages on the Internet that provide warnings like "username is already taken" when you click the signup button. The server should process the request, then communicate the errors to the form.

I'm with Chad on this one. The feature has been nothing but a major pain since it was implemented, and we now turn it off first thing whenever we create a form.

1 0
replied on October 31, 2018

In previous versions of forms, we had code injection protection without dropping all the data. The biggest issue here is that data loss causes both the developer and the end users to lose confidence in the projects they are working on. If we are forced to turn it off anyways, is it really more secure?

Is there a way to prevent the data loss without disabling? I can't even track down the problems that cause it, I spent 10 hours trying to track it down on the first one. I looked through every field configuration, removed all javascript, deleted fields one by one, reviewed with Laserfiche on a remote session, and sent in to support. Turning it off is the only solution I have right now.

1 0
replied on March 5, 2019 Show version history

Thanks for the feature idea. I've included this idea in our Forms feature ingestion portal for review.

My three main takeaways from this are

  1. Better handling for backend errors (Chad, I know you've posted about this elsewhere)
    • Either give the user another chance to submit, omit the problem field, do something better than discarding the form with an error... 
  2. Set backend validation by field
    • It's generally 1/2 fields on the form that are going to run into backend validation errors. We should allow you to turn off validation for those few while keeping it on for the rest of the fields
  3. Turn backend validation off by default for new forms
    • Hopefully if we fix 1 and 2 correctly, we won't need to have it default to off. That said, I've included it as a user story in the ticket. 
0 0
replied on March 6, 2019

Thanks Jared! This was discarding submissions left and right for awhile until we were able to disable it. The designer would ask us what they did wrong, and I could never explain, all the fields looked to be configured correctly. It does seem to be related to customers favoring the calculation feature over javascript. We use a workflow that runs nightly to turn it off for all forms, in case any new ones were designed during the day.

0 0
replied on June 9, 2021

An ideal feature may be to offer an enable/disable checkbox option for each standard form submit button.  This would allow a Submit button to have backend validation and an Exit or Next button (as appropriate to the application) to allow closing the form without backend validation.

0 0
You are not allowed to follow up in this post.

Sign in to reply to this post.

Details
Related Posts
Loading ...