Commit 0c45be46 authored by jenlampton's avatar jenlampton

Prevent CC data from ever touching the server.

parent 13176d7e
......@@ -148,6 +148,7 @@ function authorizenetwebform_form_webform_client_form_alter(&$form, &$form_state
'apiLoginID' => variable_get('authorizenetwebform_login', NULL),
'clientKey' => variable_get('authorizenetwebform_client_key', NULL),
'mapping' => array(),
'sensitive' => array(),
);
// Add Accept.js data attributes to each mapped field.
......@@ -173,26 +174,9 @@ function authorizenetwebform_form_webform_client_form_alter(&$form, &$form_state
'type' => 'setting'
);
// Validate handler.
$form['#validate'][] = 'authorizenetwebform_validate';
// Note: removing name attribute will prevent values from posting to the server.
// Submit handler. Adding it here the *second* submit handler.
$first = array_shift($form['#submit']);
array_unshift($form['#submit'], $first, 'authorizenetwebform_submit');
}
/**
* Webform validation handler.
*
* @see authorizenetwebform_form_webform_client_form_alter().
*/
function authorizenetwebform_validate($form, &$form_state) {
_authorizenetwebform_sanitize($form_state['values']['submitted']);
dpm('form values submitted');
dpm($form_state['values']['submitted']);
array_unshift($form['#submit'], $first, 'authorizenetwebform_webform_client_form_submit');
}
/**
......@@ -200,7 +184,7 @@ function authorizenetwebform_validate($form, &$form_state) {
*
* @see authorizenetwebform_form_webform_client_form_alter().
*/
function authorizenetwebform_submit($form, &$form_state) {
function authorizenetwebform_webform_client_form_submit($form, &$form_state) {
// Do nothing if there are errors.
if (form_get_errors()) {
return $form_state;
......
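Review bot: With the validate handler gone, the module keeps card data off the server only as long as the browser actually ran the script that strips the `name` attributes; a submission from a client where that did not happen (JS disabled, an error before the Accept.js success callback, a replayed POST) now carries the card fields straight into `$form_state['values']['submitted']` and on into webform storage. The new comment `// Note: removing name attribute will prevent values from posting to the server.` documents the client-side mechanism but not this gap. A server-side guard that discards any such value and fails the submission is cheap and keeps the property the commit message promises; a sketch follows, registered with `$form['#validate'][] = 'authorizenetwebform_validate';` as the removed code did. Which submitted keys the guard must check depends on how the `mapping` setting names the webform components, which is built outside this hunk, so they are left as a placeholder.
```php
// Defence in depth: the JS strips the name attribute of the card fields before
// submit, but nothing guarantees that script ran for a given request.
$form['#validate'][] = 'authorizenetwebform_validate';

/**
 * Rejects a submission that still carries card data.
 */
function authorizenetwebform_validate($form, &$form_state) {
  // TODO(review): fill from the same source as the JS 'sensitive' list so the
  // two cannot drift apart (webform component form_keys, not Accept.js keys).
  $sensitive = array();
  foreach ($sensitive as $key) {
    if (isset($form_state['values']['submitted'][$key])) {
      // Drop the value before any submit handler can persist it, then fail.
      unset($form_state['values']['submitted'][$key]);
      form_set_error("submitted][$key", t('Card details must not be submitted to the server.'));
    }
  }
}
```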
......@@ -114,6 +114,17 @@
// Insert the data value into the hidden Transaction ID field.
$(context).find("[data-authnet-field--transaction_id]").val(responseData.dataValue);
// Remove the name attributes to prevent values from touching the server.
var sensitive = ['cardNumber', 'cardCode', 'month', 'year'];
for (var key in Drupal.settings.authorizeNetWebform.mapping) {
if (jQuery.inArray(key, sensitive) !== -1) {
var attribute = Drupal.settings.authorizeNetWebform.mapping[key];
if ($webform.find("[" + attribute + "]")) {
$webform.find("[" + attribute + "]").removeAttr('name');
}
}
}
// Submit the webform when done.
$(context).find("[data-authnet-form]").submit();
}
......
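Review bot: The inner `if ($webform.find("[" + attribute + "]"))` never skips anything, because `find()` returns a jQuery object, which is truthy even when it matches no element; test `.length`, or drop the guard entirely since `removeAttr` on an empty set is a no-op: `$webform.find("[" + attribute + "]").removeAttr('name');`. The hard-coded `sensitive` array duplicates the `'sensitive'` entry the PHP side of this commit adds to the Accept.js settings; if that setting is populated, reading `Drupal.settings.authorizeNetWebform.sensitive` here keeps the two lists from drifting. Because the attributes are removed only inside the success path of the tokenization response, a form posted any other way (script error before this callback, JS disabled) still sends the card fields by name, so stripping `name` when the behavior attaches would be safer, presumably workable since the fields are addressed through the `data-authnet-field--*` attributes rather than `name`. `$webform` is defined outside this hunk, so whether it is the same element as `$(context).find("[data-authnet-form]")` cannot be checked here.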