One of the developers in my client’s team found out that it’s possible to create additional inputs on Webflow websites on the client side — basically, it’s enough to use the “Inspect” feature in Google Chrome and edit the website’s code.
I’m not sure if it’s a mistake on my end because I just added a “form” element and used native Webflow forms (the issue persists even while using custom form integrations such as MailerLite) — I didn’t test it myself on other Webflow websites but I’m sure this problem exists on every Webflow website.
So as you can see on the screenshot above, there is a new field that was created by adding bits of the website’s code. Plus, the developer was able to bypass the required “Email” field.
You may ask: “Why is it bad? I mean, a user can add a new input field, so what?” Well, here comes the scary part:
- It can break an automation process if a website uses Zapier, Integromat, n8n, et cetera.
- Some shady users can bypass spam filters and required fields.
- It’s just not cool to mess up your form table.
- I was talking only about contact forms — now, imagine what happens if there is a signup form.
I’m not gonna dive deep into details about how to create a new input and send it because, well, reasons? However, I hope someone from the Webflow team will respond to this message. And I really hope it’s a mistake on my end and I just forgot to enable some toggles or whatever.
FYI, I recommended that my client host the website on Webflow and we are doing it right now.
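
A server-side check for the problem described in the post, as an added example that is not part of the original post and not Webflow's code: whatever receives the submission (for instance a step in front of a Zapier or n8n automation) validates it against an allowlist instead of trusting the browser. The field names, the flat `{name: value}` payload shape, `SCHEMA` and `validateSubmission` are assumptions for illustration.

```javascript
// Added example: allowlist validation of a submitted form payload.
// SCHEMA, its field names and the flat payload shape are assumptions,
// not Webflow's actual submission format.
const SCHEMA = {
  Name:    { required: true,  maxLen: 100 },
  Email:   { required: true,  maxLen: 254, pattern: /^[^\s@]+@[^\s@]+\.[^\s@]+$/ },
  Message: { required: false, maxLen: 2000 },
};

const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

function validateSubmission(payload) {
  if (payload === null || typeof payload !== 'object' || Array.isArray(payload)) {
    return { ok: false, errors: ['payload must be an object'], clean: null };
  }
  const errors = [];
  const clean = {};
  // Reject any field the form was not designed with (e.g. inputs added in DevTools).
  for (const key of Object.keys(payload)) {
    if (!has(SCHEMA, key)) errors.push(`unexpected field: ${key}`);
  }
  // Re-check every rule the browser was supposed to enforce.
  for (const [key, rule] of Object.entries(SCHEMA)) {
    const raw = has(payload, key) ? payload[key] : '';
    if (typeof raw !== 'string') {
      errors.push(`field must be a string: ${key}`);
      continue;
    }
    const value = raw.trim();
    if (value === '') {
      if (rule.required) errors.push(`missing required field: ${key}`);
      continue;
    }
    if (value.length > rule.maxLen) errors.push(`field too long: ${key}`);
    else if (rule.pattern && !rule.pattern.test(value)) errors.push(`invalid format: ${key}`);
    else clean[key] = value;
  }
  const ok = errors.length === 0;
  return { ok, errors, clean: ok ? clean : null };
}

// Constructed sample: a submission with an extra field and no Email.
const tampered = { Name: 'Ann', Role: 'admin' };
console.log(validateSubmission(tampered).errors);
```

Only the `clean` object should be passed on to the automation or stored; a submission with `ok: false` is dropped or logged for review.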