On listing search pages, HivePress filter JS includes all hidden inputs present in the DOM in the generated query string, even when those inputs are not associated with the filter form (e.g., TrustedForm hidden fields for CF7 modals). Can I scope serialization strictly to the filter form’s successful controls or provide a hook/selector to explicitly exclude names like xxTrustedForm*?
Please provide more details for reproducing the issue and we’ll try to help, do you mean that HivePress generates hidden inputs in the filter form based on the query string, or vice versa (adds query parameters to the query string based on all the fields in the DOM)?
Thanks
We have a hidden field included on a contact form that appears in a modal on all pages on the site. The hidden field is a signed url that is passed on form submission. If a user performs a search or selects a filter on our listing directory pages, the resulting url includes the hidden form signed url after the search parameters
https://exampledomain.com/?post_type=hp_listing&_category=308&s=&state=191&xxTrustedFormCertUrl=https%3A%2F%2Fcert.trustedform.com[redacted]&xxTrustedFormToken=https%3A%2F%2Fcert.trustedform.com[redacted]&xxTrustedFormPingUrl=https%3A%2F%2Fping.trustedform.com[redacted]
I was able to successfully dynamically strip this when it occurs, however I was wondering if there is a way to prevent the leak from occuring.
Thanks for the details. Please make sure that this model form is outside the filter/sort forms, I checked the JS code and there seem to be no functions that may cause this. The search filters and sort forms mirror each other (to keep the parameters in the URL when these forms are used separately), but they should not fetch fields from external forms in the HTML.
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.