It would be useful to allow tokens in the redirect URL and confirmation message fields, allowing users to quickly build the frequently requested "receipt"-like page. While Webform 3 has a lot of useful tokens such as %email_values and %value[key], some additional tokens would likely be required to make this truly useful. Some obviously required tokens need for URLs:

%nid
%sid
%uid

In addition, because tokens would easily allow otherwise secure information about a submission to be exposed, Webform should lock-down the node/x/done page so that only users that have completed the submission are able to view that page.

Comments

shaneforsythe’s picture

Version: » 6.x-2.9

The information leak I think is the biggest issue rather then &sid=[nnn] , should be the option for webform to store SID as a md5hash (or in a seperate field, store the hash) ... and the sid referenced in the url is to a hash

quicksketch’s picture

Status: Active » Closed (duplicate)
quicksketch’s picture

Status: Closed (duplicate) » Fixed
StatusFileSize
new1.47 KB
new1.77 KB

The basic functionality of this patch is really quite simple so I've gone ahead and committed the basics. I'm opening a new issue for the new tokens for %nid, %sid, and %uid.

quicksketch’s picture

Title: Allow tokens in confirmation message and redirect URL fields » Allow tokens in the redirect URL field
quicksketch’s picture

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.