Enterprise Forms store data unencrypted


My client uses Enterprise Forms to get information from the customer and supply that to various backend systems. I think there is a flaw in this mechanism and I would like to address it here.

With AVG it isn’t allowed to store customer details without their consent. What Enterprise Forms does is store all the captured data in “/formdata”. BUT that is done without encrypting the data.

I think it would be good if BR provided the option (maybe even as default behavior) to encrypt this data. What do you think, is that a viable changerequest?


As you may know, /formdata is required to support the PRG pattern used in forms. It should be possible to encrypt this. Storing formdata is done by the eforms component, so you could also write it yourself if you can’t wait for an improvement.

It should also suffice to inform the user the data may be stored, even temporarily.

I don’t honestly see much point in encrypting the data. The server needs to be able to decrypt it to have it be useful.

Thanks for reacting, Jasper.

And of course, when encrypting, one should also decrypt the data to be able to use it. That speaks for itself.

So if we want to implement this, we need to implement this in the eforms compontent for storing.
And which component to use for retreiving before displaying in the htmlm, so I can decrypt there, ready to be used by all my components? Is there a generic class for that does this?

You’re looking to override the behavior in the doAction method of the EformComponent. At the end it does a storeFormMap. The map is being built up before this from the submit. So you can encrypt it there while building the form map. Note that this is an abstract class, so you will have to override the more specific instances you may be using. This will be configured on the specific hst:configuration component node.

Also enter an improvement issue in our Jira. I’m not saying we will pick this up, and I’m not saying we won’t. But it will get more attention if you make a formal improvement request.

If you make your own implementation you could fork and do a pull request. For your own use I would just extend and override the EformComponent.

Forgot to mention, the decrypt is in the doBeforeRender of the EformComponent. retrieveFormMap gets the stored form (if any). You can then decrypt it.

Mind you, server side validation may not work wel on encrypted data.

Thanks Jasper, appreciate the input!