Enterprise Forms store data unencrypted

Dennis_Vonk · January 14, 2020, 8:55am

Hi,

My client uses Enterprise Forms to get information from the customer and supply that to various backend systems. I think there is a flaw in this mechanism and I would like to address it here.

With AVG it isn’t allowed to store customer details without their consent. What Enterprise Forms does is store all the captured data in “/formdata”. BUT that is done without encrypting the data.

I think it would be good if BR provided the option (maybe even as default behavior) to encrypt this data. What do you think, is that a viable changerequest?

Regards
Dennis

jasper.floor · January 14, 2020, 9:47am

As you may know, /formdata is required to support the PRG pattern used in forms. It should be possible to encrypt this. Storing formdata is done by the eforms component, so you could also write it yourself if you can’t wait for an improvement.

It should also suffice to inform the user the data may be stored, even temporarily.

I don’t honestly see much point in encrypting the data. The server needs to be able to decrypt it to have it be useful.

Dennis_Vonk · January 14, 2020, 11:59am

Thanks for reacting, Jasper.

And of course, when encrypting, one should also decrypt the data to be able to use it. That speaks for itself.

So if we want to implement this, we need to implement this in the eforms compontent for storing.
And which component to use for retreiving before displaying in the htmlm, so I can decrypt there, ready to be used by all my components? Is there a generic class for that does this?

jasper.floor · January 14, 2020, 12:58pm

You’re looking to override the behavior in the doAction method of the EformComponent. At the end it does a storeFormMap. The map is being built up before this from the submit. So you can encrypt it there while building the form map. Note that this is an abstract class, so you will have to override the more specific instances you may be using. This will be configured on the specific hst:configuration component node.

Also enter an improvement issue in our Jira. I’m not saying we will pick this up, and I’m not saying we won’t. But it will get more attention if you make a formal improvement request.

If you make your own implementation you could fork and do a pull request. For your own use I would just extend and override the EformComponent.

jasper.floor · January 14, 2020, 1:00pm

Forgot to mention, the decrypt is in the doBeforeRender of the EformComponent. retrieveFormMap gets the stored form (if any). You can then decrypt it.

Mind you, server side validation may not work wel on encrypted data.

Dennis_Vonk · January 14, 2020, 1:31pm

Thanks Jasper, appreciate the input!

Dennis_Vonk · February 4, 2020, 7:31am

I made a formal request to Bloomreach, you can fnd it here:
https://issues.onehippo.com/browse/CMS-12511

Topic		Replies	Views
Enterprise EForms - Custom Plugin - Example	1	223	May 4, 2023
Customize E form for demo Experience Manager (PaaS/OnPrem)	2	578	July 5, 2021
Unable to get Form attributes through resource api for SPA Experience Manager (PaaS/OnPrem)	3	631	January 14, 2020
Enterprise form pluggable behavior Experience Manager (PaaS/OnPrem)	14	741	March 11, 2021
Eforms: hide standard inputfields in eforms editor Experience Manager (PaaS/OnPrem)	1	309	April 4, 2023

Enterprise Forms store data unencrypted

Related Topics