
Webflow’s security breach or a mistake on my end?

Hi Webflowers!

One of the developers in my client’s team found out that it’s possible to create additional inputs on Webflow websites on a client’s side — basically, it’s enough to use the “Inspect” feature in Google Chrome and edit the website’s code.

I’m not sure if it’s a mistake on my end because I just added a “form” element and used native Webflow forms (the issue persists even while using custom form integrations such as MailerLite) — I didn’t test it myself on other Webflow websites but I’m sure this problem exists on every Webflow website.

So as you can see on the screenshot above, there is a new field that was created by adding bits of the website’s code. Plus, the developer was able to bypass the required “Email” field.

You may ask: “Why is it bad? I mean a user can add a new input field so what?” Well, here comes a scary part:

  1. It can break an automation process if a website uses Zapier, Integromat, n8n, et cetera.
  2. Some shady users can bypass spam filters and required fields
  3. It’s just not cool to mess up your form table
  4. I was talking only about contact forms — now, imagine what happens if there is a signup form

I’m not gonna dive deep into details about how to create a new input and send it because, well, reasons? However, I hope someone from the Webflow team will respond to this message. And I really hope it’s a mistake on my end so I just forgot to enable some toggles or whatever.

FYI, I recommended my client to host the website on Webflow and we are doing it right now.

Webflow forms are just client-side forms that submit the data to Webflow’s backend, where you get a notification and an entry to view in the admin for that particular form. Validation is client-side using HTML5 form elements and regex if desired. There is zero validation on the server-side. Most third-party form processors that integrate to Webflow work this way since nothing has to be predefined on the server side. If you want server-side validation, you need to use a form processor that supports creating the form on the backend like Jotform, Typeform, etc. then embed it on your site. Fields are then predefined, and validation rules are as well.

Webflow chooses to handle form processing with client-side simplicity. I imagine that is because it’s flexible for designers to just add an input field whenever they want without a trip to the backend. It also means that they don’t have to build a complete form processing service and forms can easily be enabled on exported sites. I have heard chatter about improvements to Webflow’s form handling in the pipeline but have zero details.

When I need more robust validation and handling, I use an appropriate third-party form processor.


Thanks a lot for such an extensive reply @webdev!

I didn’t know that Webflow native forms work like that — I guess if some of my clients are worried about such a thing then I’ll suggest using third-party solutions.

Not sure if it’s a huge problem but I can imagine that some jerks who know a thing or two about coding can F-up the website’s automation just like that. Well, I didn’t know that it’s possible to do so easily for a long time, so I guess it’s not a huge issue.

Thanks for the reply one more time!
