Development issues
https://lab.civicrm.org/groups/dev/-/issues
2023-12-07T09:30:02Z

Event registration confirmation page no longer shown. Error: Could not find valid value for id.
https://lab.civicrm.org/dev/wordpress/-/issues/140
2023-12-07T09:30:02Z darren.woods

WordPress 6.2, Civi ESR 5.57.5.
The confirmation page after event registration is no longer shown (for both Test and Live links). Instead, the attached error is shown:-
![image](/uploads/602b80ebba49507af86158d362c9b164/image.png)
The workaround is to embed the event registration page as a shortcode. However the confirmation page and confirmation emails show a link to the event info page, which then has the "Register" button taking people to the wrong page.
I'm wondering if this can be fixed, or if we need to override the confirmation and event info pages somehow to redirect users to the WordPress page (perhaps using a naming convention).
Thanks!

FormBuilder: Allow placeholder text to be configured
https://lab.civicrm.org/dev/core/-/issues/4301
2023-05-24T06:34:31Z aydunsaidan.saunders@squiffle.uk

It would be nice to be able to specify placeholder text on form fields such as filters.

FormBuilder: Client-side email validation doesn't work
https://lab.civicrm.org/dev/core/-/issues/4300
2023-07-07T03:55:58Z kcristiano

This is a follow up issue to https://lab.civicrm.org/dev/core/-/issues/4173 and relayed to https://lab.civicrm.org/dev/core/-/issues/4174#note_90537
Steps to Reproduce:
- Build WP site with latest CiviCRM - Currently using WP 6.2.1 and CiviCRM 5.61.2
- Create a submission form with the following Fields - all required
- First Name
- Last Name
- Email
- Phone
Complete the form, but for email use `meatme` as the email address.
- expected behavior - fails validation
- Actual behavior form submits
Email validation not working client side or server side. I have confirmed this on WP and Drupal 7.
~~Possibly related - on phone or address - add a second item (second phone in my testing). Do not choose a location type. Form submits, but the record does not update CiviCRM. This behavior only exists on WP, I cannot reproduce on Drupal. I can break this out as another issue if needed. But adding here as I see this as validation failing.~~
EDIT: The location issue is fixed in WP with the master branch.
ping @eileen @colemanw @shaneonabike @JonGold As we all commented on original issue notifying and asking for feedback and comments on a possible way to fix.

CiviMail - throw 400 (Bad Request) rather than 500 (Server Error) if public url endpoints hit with bad parameters
https://lab.civicrm.org/dev/core/-/issues/4298
2023-07-27T17:17:06Z ufundo

Overview
----------------------------------------
Urls for CiviMail public endpoints like `civicrm/mailing/open` have a few required parameters, identifying the user / url etc. How should we handle if params aren't valid?
Current behaviour
----------------------------------------
Current standard behaviour Civi-wide for missing/invalid params is a `CRM_Core_Exception`, which in turn results in a 500 server error.
Proposed behaviour
----------------------------------------
I think a 400 Bad Request error is more appropriate, for the "public" CiviMail links in particular.
Comments
----------------------------------------
It also helps with detecting and blocking spammy click behaviour, which I've seen with random permutations of parameters and things like this.

Milestone: 5.65.0

FormBuilder filters suggestion: text filter as select
https://lab.civicrm.org/dev/core/-/issues/4296
2023-06-08T18:02:44Z aydunsaidan.saunders@squiffle.uk

Overview
----------------------------------------
For FormBuilder filters, it would be useful to have the option to turn `Text` into `Select`.
Example use-case
----------------------------------------
For a search return results like:
```
Org, Contact
------------
Org1, ContactA
Org1, ContactB
Org1, ContactC
Org2, ContactD
Org2, ContactE
```
you can add a filter on Org Display Name which is displayed as a text box.
It would be nice to be able to present this as a `Select` dropdown of 'Org1', 'Org2' etc (or even multi-select). The configuration for the filter provides a `Type` box with several options, so add a `Select` one to that (in addition to the existing `Text`).
The current text filter is a substring match which means that if one display name is a substring of another, you can't filter to just the shorter name. So eg 'Org1', 'Org1 - committee A', 'Org1 - committee B' you can't just show 'Org1'. Turning this into a `Select` should either exact match on the text string or convert to filtering by `id`.

SearchKit - non-core legacy search tasks don't work with contributions
https://lab.civicrm.org/dev/core/-/issues/4295
2023-05-24T07:05:24Z ufundo

Reproduction steps
----------------------------------------
1. Create a SearchKit with contribution entities
1. Enable an extension with a legacy search task (e.g. https://lab.civicrm.org/ufundo/ukgiftaid/-/tree/searchkit-actions )
1. Task appears in the ACTIONS menu for the contributions
2. But the popup when you click the action fails ( "Unable to reach the server. Please refresh this page in your browser and try again.")
Current behaviour
----------------------------------------
![image](/uploads/f8f841892e5741e9544b5797aa07fbfd/image.png)
```
We can't load the requested web page. This page requires cookies to be enabled in your browser settings. Please check this setting and enable cookies (if they are not enabled). Then try again. If this error persists, contact the site administrator for assistance.<br /><br />Site Administrators: This error may indicate that users are accessing this page using a domain or URL other than the configured Base URL. EXAMPLE: Base URL is http://example.org, but some users are accessing the page via http://www.example.org or a domain alias like http://myotherexample.org.<br /><br />Error type: Could not find a valid session key.
```
Expected behaviour
----------------------------------------
Action form should appear in the pop up.
Comments
----------------------------------------
`SearchDisplay::getSearchTasks` currently generates qfKey for legacy search task forms based on hard-coded class `CRM_Contribute_Controller_Task` in this line https://github.com/civicrm/civicrm-core/blob/a599e40ad27ebcd9d4b8e80bf0a5904983d5ee82/ext/search_kit/Civi/Api4/Action/SearchDisplay/GetSearchTasks.php#LL196C1-L196C77
This causes tasks using any other class controller to fail due to the mismatch.
Couple of potential fixes incoming...

Assignee: ufundo

Fix mailto links that get converted to traceable urls
https://lab.civicrm.org/dev/core/-/issues/4294
2023-06-19T23:31:10Z yashodha

mailto links also get converted to trackable urls causing issues. Let's avoid doing that.

Assignee: yashodha

Uncaught SyntaxError: '#' not followed by identifier
https://lab.civicrm.org/dev/core/-/issues/4293
2023-11-23T07:47:01Z Bastien Ho

In a contribution page, I get an `Uncaught SyntaxError: '#' not followed by identifier` error in the console.
Reproduction steps
----------------------------------------
1. Create a contribution page.
1. Insert it in a WordPress page.
1. Display the page.
1. Open the console of the navigator
In _templates/CRM/Contribute/Form/Contribution/Main.tpl_, the following lines are misinterpreted before being output:
```js
function useAmountOther() {
var priceset = {/literal}
{if $contriPriceset}'{$contriPriceset}'
{else}0
{/if}
{literal};
for (i = 0; i < document.Main.elements.length; i++) {
element = document.Main.elements[i];
if (element.type == 'radio' && element.name == priceset) {
if (element.value == '0') {
element.click();
} else {
element.checked = false;
}
}
}
}
```
In the source of the generated page:
```js
function useAmountOther() {
var priceset =
0
;
for (i = 0; i < document.Main.elements.length; i++) {
element = document.Main.elements[i];
if (element.type == 'radio' && element.name == priceset) {
if (element.value == '0') {
element.click();
} else {
element.checked = false;
}
}
}
}
```
Environment information
----------------------------------------
* __Browser:__ _Firefox 112_
* __CiviCRM:__ _5.61.2_
* __PHP:__ _8.0_
* __CMS:__ _WordPress 6.2_
* __Database:__ _MariaDB 10.5_
* __Web Server:__ _Apache 2.4_

Add validation to verify html body content for empty text/ only image in mailing
https://lab.civicrm.org/dev/core/-/issues/4292
2023-05-24T06:23:56Z yashodha

Add validation to verify html body content for empty text (if img are used) and show the error accordingly.

Assignee: yashodha

Smarty variable tokens not correctly processed in message subject
https://lab.civicrm.org/dev/core/-/issues/4291
2023-09-24T22:40:26Z magnolia61

Overview
----------------------------------------
Smarty variable tokens are not processed in message subject
Reproduction steps
----------------------------------------
1. In a message template body html we have for instance {capture assign="firstname"}{contact.first_name}{/capture}
2. We use {$firstname} in the body.
3. We use {$firstname} in the subject.
4. When sending an email manually the subject token gets replaced.
5. When sending via scheduled reminders or civirules the subject token does not get replaced.
6. Worse: our automatic birthday mail batch (civirules) got firstnames of the previous contact (only in the subject)
Current behaviour
----------------------------------------
Smarty variables are sometimes not correctly replaced as a token in the message subject
Expected behaviour
----------------------------------------
Smarty variables are sometimes always correctly replaced as a token in the message subject
Environment information
----------------------------------------
- CiviCRM: 5.61.2
- CMS: Drupal 7.97
- PHP: 7.4.33 (fpm-fcgi)
- Database: 10.5.19-MariaDB-0+deb11u2-log engine: InnoDB 10 row format: Dynamic
- Webserver: Apache/2.4.56 (Debian)
- OS: Linux
Comments
----------------------------------------
I will doublecheck if this is only the case with civirules or also with the scheduled reminders

SearchKit: Return results faster by optimizing access check
https://lab.civicrm.org/dev/core/-/issues/4290
2023-05-15T08:14:11Z larsssandergreen

Through some testing, it looks like quite a bit of the execution time for SearchKit results on Compose Search, at least for relatively simple queries, is being spent checking the current user's access to edit or delete the specific entity for the View / Edit / Delete menu in the last column. It's not too bad with just 50 rows, but if you increase the page size to 100 or more, there's a pretty perceptible difference between checking the access and skipping that access check. I had a few thoughts about how we could improve this:
1. Since we aren't actually showing the links until the user clicks on the hamburger menu, we could just add the links as usual, but then check access in JS and only unhide those that the user has access to. This way we aren't doing 100 checkAccess API calls per page of 50 entities (one for update, one for delete). This would make the Compose Search page faster as well as any Displays that contain the same menu, but wouldn't help if there are links or buttons in a Display.
2. I think quite a few of the users accessing Compose Search probably have superadmin, so we could check that at the start of the process and then skip the access checks for each row.
3. Maybe it would make sense to make it possible to pass an array of ids to the checkAccess API. I don't know the details of how this works, but imagine that would speed up the process. At least for Contacts, there already is `allowList()`, so maybe this could be implemented just for Contacts without too much trouble.

Multi record Profile forms not saving and redirecting on "Add New Record".
https://lab.civicrm.org/dev/core/-/issues/4289
2023-11-08T14:04:31Z darren.woods

Overview
----------------------------------------
Multi record Profile forms are no longer respecting the "Redirect URL" for the Profile:-
![image](/uploads/3b349b061965a160ec7a51cfab703972/image.png)
Reproduction steps
----------------------------------------
1. Under "Administer/Custom Data and Screens/Display Preferences" deselect "Enable Popup Forms".
2. Create a multi record custom data group and add a field.
2. Create a Profile which exposes these fields as a standalone form, setting the "Redirect URL" to be a valid URL.
3. Embed this Profile in a WordPress page using a shortcode, e.g.: [civicrm component="profile" gid="16" mode="edit" hijack="0"]
4. View the Page and click "Add new record", enter some valid data and click "Submit" button.
Current behaviour
----------------------------------------
Form data is not saved and user is redirected to /civicrm/profile/edit which results in a blank WordPress page.
Expected behaviour
----------------------------------------
Form data is saved and user is redirected to the Redirect URL.
Environment information
----------------------------------------
CiviCRM 5.61.2
WordPress 6.2

PHP 8 - Undefined variable warnings from Smarty appear in email notifications
https://lab.civicrm.org/dev/core/-/issues/4287
2023-11-14T01:40:49Z jasonhildebrand

Overview
----------------------------------------
We recently upgraded Civi to 5.60 and PHP 8 (was previously PHP 7.x). Our site uses Drupal 7.
Since the upgrade, we are seeing errors such as ```Undefined array key "phone_type"``` appearing in our email notifications to event participants.
![screenshot](/uploads/4cee73442124f9c2a3b1158e8925c1e7/screenshot.png)
We have taken action to suppress errors and warnings in Drupal, but this does not appear to help when smarty is used to render email notifications.
Expected behaviour
----------------------------------------
I would expect these warnings not to appear, or to be suppressible with a setting, so that they can be turned off in production.
Workaround
-----------
As a workaround, I added the 3 lines marked below to civicrm/CRM/Core/TokenSmarty.php in order to suppress the warnings before rendering, then restore the error_reporting to the original setting after rendering.
Perhaps this kind of approach could be added to Civi with a configuration setting to turn these messages on/off.
```
// Evaluate/render templates
try {
  if ($useSmarty) {
    $orig_reporting = error_reporting(); // ADDED
    error_reporting(0); // ADDED
    CRM_Core_Smarty::singleton()->pushScope($smartyAssigns);
  }
  $tokenProcessor->evaluate();
  foreach ($messages as $messageId => $ign) {
    foreach ($tokenProcessor->getRows() as $row) {
      $result[$messageId] = $row->render($messageId);
    }
  }
}
finally {
  if ($useSmarty) {
    CRM_Core_Smarty::singleton()->popScope();
    error_reporting($orig_reporting); // ADDED
  }
}
```

Fatal error with managed custom groups containing duplicate field names
https://lab.civicrm.org/dev/core/-/issues/4286
2023-05-17T10:45:16Z Andrew West

Overview
----------------------------------------
I have two custom groups. Each contains a field titled 'Status'. In the database they have the same 'name': 'status'.
I want these groups to be managed entities. So I export both groups using the 'export' command on the 'CustomGroup' entity. I set the export to match on 'name' - this seems the sensible field as users can't change it.
This helpfully exports everything I need: I get a .mgd.php file with each custom groups, their fields, and the fields' option values.
But when I enable the extension on a test machine I get a fatal error because of the duplicate 'name'.
The first field gets created fine, but when creating the second field it erroneously matches on the first one so thinks it exists already, and things go wrong from there.
The fix is to set the 'match' parameter on the managed entity to include the custom group name too:
```
'match' => [
'name','custom_group_id.name',
],
```
But you can't do this through the UI. The 'match' option on the CustomGroup Export action doesn't include fields from the CustomField entity (let alone the name).
Reproduction steps
----------------------------------------
1. Create a new extension with the two managed entities from [this gist](https://gist.github.com/awestuk/a9956427ce1937fcbd8fddeed675cef5)
2. Try to enable it
Environment information
----------------------------------------
* __CiviCRM:__ _5.60_
* __PHP:__ _7.4_
Comments
----------------------------------------
I can fix it manually by changing the field names, or by manually adding the custom_group_id.name to the .mgd.php files. But I figure duplicate names are common enough to trip people up, and it was a tough one to debug, so I thought it was worth reporting.

Search Kit did not install automatically (Civi 5.61.1 FR and Drupal 7.97.FR
https://lab.civicrm.org/dev/core/-/issues/4283
2023-05-25T13:23:57Z WebmasterBouclier

Overview
----------------------------------------
Funny issue while doing a fresh installation of CiviCRM 5.61.1 FR on a Drupal 7.97 FR (not an upgrade). Search Kit is available in the extensions and indicated as "Obligatoire" (mandatory). But it is not outlined in green as the other extensions already installed. And there is no button to install it.
While trying to install Mosaico, system tells me that Search Kit needs to be installed before.
The Search Kit were not created in the Civi database.
More details and screenshots on chat.civicrm.org : [https://chat.civicrm.org/civicrm/pl/ea5osnwhrj855regwhjkbpse9y](https://chat.civicrm.org/civicrm/pl/ea5osnwhrj855regwhjkbpse9y)
Is this a bug in the installation process of SearchKit?
I solved the issue by using API3 install process, and that solved my problem.
But I understand that Search Kit should have installed itself automatically.
PHP 7.3
MySQL 5.7
Hosting OVH (France)

Membership for regression in 5.61
https://lab.civicrm.org/dev/core/-/issues/4282
2023-06-10T01:11:59Z eileen

Refer https://lab.civicrm.org/dev/core/-/issues/4272#note_90443 and
https://github.com/civicrm/civicrm-core/pull/26170

Milestone: 5.61.2

`{help}` tags that don't specify the `file` parameter no longer work on windows
https://lab.civicrm.org/dev/core/-/issues/4281
2023-05-19T14:00:48Z DaveD

Seems to have broke in 5.57 with https://github.com/civicrm/civicrm-core/commit/d80e8fa62cad6661a0882753a8babf5512f9bb12. Now it just throws an error.
An example is on the activity form if you click the help bubble for assignee.
I see - it's because on windows it doesn't match the regex because it has `\` instead.

Milestone: 5.63.0

FormBuilder: Form with required "Existing Contact" can't be submitted
https://lab.civicrm.org/dev/core/-/issues/4280
2023-05-08T07:53:11Z JonGold

Overview
----------------------------------------
If you put an "Existing Contact" field on a FormBuilder form, and make it required, you can't submit the form.
Reproduction steps
----------------------------------------
1. See above. Here is sample HTML/JSON for a simple case:
```json
{
  "type": "form",
  "title": "EntityRef required test",
  "icon": "fa-list-alt",
  "server_route": "civicrm/entityref-req",
  "permission": "access CiviCRM",
  "create_submission": true,
  "requires": [],
  "description": "",
  "is_dashlet": false,
  "is_public": false,
  "is_token": false,
  "entity_type": null,
  "join_entity": null,
  "contact_summary": null,
  "summary_contact_type": null,
  "redirect": null,
  "navigation": null
}
```
```html
<af-form ctrl="afform">
  <af-entity data="{contact_type: 'Organization', source: 'EntityRef required test'}" type="Contact" name="Organization1" label="Organization 1" actions="{create: true, update: true}" security="RBAC" />
  <fieldset af-fieldset="Organization1" class="af-container" af-title="Organization 1">
    <div class="af-container">
      <af-field name="id" defn="{required: true, input_attrs: {}}" />
    </div>
  </fieldset>
  <button class="af-button btn btn-primary" crm-icon="fa-check" ng-click="afform.submit()">Submit</button>
</af-form>
```
Current behaviour
----------------------------------------
```
Form Error
Please fill all required fields.
```
Expected behaviour
----------------------------------------
Form is submitted if the field is populated.

Import "fill" doesn't respect location type for email/phone
https://lab.civicrm.org/dev/core/-/issues/4278
2023-05-04T22:10:09Z JonGold

Overview
----------------------------------------
If you use the "Fill" strategy for duplicate records in Contact Import, phone and email will be skipped if *any* phone/email exists, regardless of location type. Addresses import correctly.
Reproduction steps
----------------------------------------
1. Create a contact with a Home phone number.
1. Create a CSV with two columns - that contact's ID, and a Work phone number.
1. Import with the "Fill" strategy for duplicate records, matching on contact ID.
Current behaviour
----------------------------------------
Work phone number isn't imported.
Expected behaviour
----------------------------------------
Work phone number is imported.
Comments
----------------------------------------
Similar to https://lab.civicrm.org/dev/core/-/issues/4269 but amazingly is not a regression. This was fixed years ago for addresses, but not phones/email.

Milestone: 5.63.0
Assignee: JonGold

Using profile in create mode with dedupe rule allows for leaking of private information
https://lab.civicrm.org/dev/core/-/issues/4276
2023-05-24T06:51:10Z larsssandergreen

Overview
----------------------------------------
An anonymous user filling in a profile who leaves fields blank in create mode with deduping enabled will be shown the existing values for those fields if a duplicate is found. So if you have an unsupervised dedupe rule of email only, then anyone can enter a contact's email and leave the remaining fields blank. They will be shown existing data for that contact for fields that appear on the profile. This creates the potential to leak private information to anyone who knows minimal information about a contact and potentially could be used maliciously to expose data.
Reproduction steps
----------------------------------------
1. Create a profile that includes the fields in your unsupervised dedupe rule, plus any other fields desired.
1. Use the profile in create mode anonymously, filling in only the fields required to match to an existing contact and leaving the other fields empty.
1. After submitting the profile, you are shown all the data for the fields left blank for that existing contact.
Current behaviour
----------------------------------------
Profile fields that are submitted blank are shown with existing data on the profile confirmation screen.
Additionally, the confirmation page URL contains both the contact id and checksum for the matched contact, which could be used to access other profiles or forms, exposing additional data.
Expected behaviour
----------------------------------------
All profile fields should be shown exactly as submitted on the profile confirmation screen.
The confirmation page URL should not show the contact id and checksum for the matched contact.
Comments
----------------------------------------
Have marked this confidential, since there is a potential for malicious use.