To reproduce:
1.) Create a new project, and place a form in it. Don’t put in a custom action url or method, leave defaults
2.) Export code
3.) Unpublish site
4.) Open up exported code locally in browser (or other hosting) and fill out form
You will notice the form submission still goes through and is listed in the Project settings under the ‘form’ setting.
It looks like the issue is that in that webflow.js file, there is logic to set a form action URL and Method if none are listed. I unminified it, and on lines 1148 - 1288 there is functionality that relates to this. Specifically on line 1218 it seems is where the action URL is injected. Here are some screenshots:
This is an issue for when clients are self-hosting (generally for security reasons). Webflow advertises that forms will not work after unpublishing. This is not the case, and it’s an obvious security issue if a client’s form data is being sent to Webflow’s servers (and thus viewable by me, or the person who originally built the Webflow site) when it shouldn’t be.
Expected Behavior
1.) If a site is unpublished, then the form submission will not go through, and no form data will be stored/viewable from the Webflow dashboard
