    I’ve noticed that building a MakeForm with excluded fields still outputs all of the fields to HTML - the excluded fields are of type 'hidden'. For my money, this is a potential security risk.

    Is there a way to truly prevent the excluded fields from being output as HTML?

    I can see how to hack the MakeForm Class to accomplish this. I would change this (line 116):
                    if (!$isRelated && in_array($key, $this->exclude)) {
                        $meta['hidden']= 1;
                    } elseif ($isRelated && in_array(strtolower($elementClass) . '.' . $key, $this->exclude)) {
                        $meta['hidden']= 1;
                    }
    
                    $value= $object->get($key);
                    $this->buildElementFromObject($elements, $elementClass, $elementKey, $foreignKey, $key, $value, $meta);
    


    To this:
                    if (!$isRelated && in_array($key, $this->exclude)) {
                        $meta['hidden']= 1;
                    } elseif ($isRelated && in_array(strtolower($elementClass) . '.' . $key, $this->exclude)) {
                        $meta['hidden']= 1;
                    } else {
                        $value= $object->get($key);
                        $this->buildElementFromObject($elements, $elementClass, $elementKey, $foreignKey, $key, $value, $meta);
                    }
    


    But I’m not sure how this would affect using the MakeForm object. Also, core hacks are generally out for me. Is there a way to extend the MakeForm Class and re-define the _setFormObject() function?
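
Added example, not part of the original post and not MakeForm or xPDO code: the exclude test from the snippet above, applied both when rendering and when accepting a submission, since a hidden input can be read and edited by the client. The helper names `isExcluded` and `allowedFields`, the `User` and `Profile` class names and all sample data are assumptions made for illustration.

```php
<?php
// Hypothetical helpers for illustration; not part of MakeForm or xPDO.

/** Same test as the post's snippet: "key" for the main object, "class.key" for a related one. */
function isExcluded(string $key, string $elementClass, bool $isRelated, array $exclude): bool
{
    $name = $isRelated ? strtolower($elementClass) . '.' . $key : $key;
    return in_array($name, $exclude, true);
}

/** Keep only the fields that may be rendered or accepted from a submission. */
function allowedFields(array $fields, string $elementClass, bool $isRelated, array $exclude): array
{
    $allowed = [];
    foreach ($fields as $key => $value) {
        if (!isExcluded((string) $key, $elementClass, $isRelated, $exclude)) {
            $allowed[$key] = $value;
        }
    }
    return $allowed;
}

// Constructed sample data.
$exclude = ['id', 'role', 'profile.internal_notes'];

// Rendering: excluded columns never reach the HTML, not even as hidden inputs.
$row = ['id' => 7, 'role' => 'member', 'email' => 'a@example.com'];
foreach (allowedFields($row, 'User', false, $exclude) as $key => $value) {
    printf(
        "<input type=\"text\" name=\"%s\" value=\"%s\">\n",
        htmlspecialchars($key, ENT_QUOTES),
        htmlspecialchars((string) $value, ENT_QUOTES)
    );
}

// Related object: the exclude entry is matched as lowercased class name, a dot, then the key.
$related = ['internal_notes' => 'constructed value', 'city' => 'Exampleville'];
var_dump(allowedFields($related, 'Profile', true, $exclude));

// Submission: excluded keys sent by the client are dropped before the object is updated.
$submitted = ['email' => 'b@example.com', 'role' => 'admin'];
var_dump(allowedFields($submitted, 'User', false, $exclude));
```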