Possible to Save record with required fields not filled out #5349

Open
opened 2026-02-20 17:00:01 -05:00 by deekerman · 0 comments

Originally created by @kale1d0code on GitHub (Oct 27, 2025).

Issue

It is possible for an end user to bypass the checks for whether a record should be allowed to save from an EditView.

Possible Fix

It is considered bad practice to rely solely on JavaScript and client-side validation to verify POST submissions. Here's why:

Why Client-Side Validation Alone Is Not Enough
Easily Bypassed: Users can disable JavaScript, manipulate requests using tools like Postman or browser devtools (like I did), or write custom scripts to send malicious data.

No Trust Boundary: The client is not a trusted environment. Anything on the client side can be altered, so you should never assume the data it sends is safe or valid.

Security Risks: Relying only on client-side checks opens the door to:
SQL injection
Cross-site scripting (XSS)
Cross-site request forgery (CSRF)

Steps to Reproduce the Issue

  1. Create a module, or modify a record type, so that it has required fields which are visible in EditView.
  2. Type into the console from EditView:

```javascript
// Reporter's console snippet: submit the EditView form directly,
// skipping the client-side required-field check that normally runs on Save.
var _form = document.getElementById('EditView');
_form.action.value = 'Save';
SUGAR.ajaxUI.submitForm(_form);
```

  3....

Context

Reduces trust in the CRM system and the data it stores.

Version

7.14.6

What browser are you currently using?

Chrome

Browser Version

Version 136.0.7103.92 (Official Build) (64-bit)

Environment Information

PHP 8.1.30

Operating System and Version

Debian GNU/Linux 12 (bookworm)
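
The fix the report asks for is a required-field check that runs on the server against the module's own field definitions, so that it holds no matter what the browser did. The following is an added example written for this page; it is not SuiteCRM code and does not use SuiteCRM's APIs. The field-definition array, the `missing_required_fields` and `handle_save` functions, and the two request bodies are all hypothetical and constructed here to illustrate the check; the second body is the shape of request produced when the EditView form is forced to submit from the console with required inputs left blank.

```php
<?php
// Added example (not SuiteCRM code): server-side enforcement of required
// fields, applied to the raw POST body regardless of what the client ran.
declare(strict_types=1);

/**
 * Field definitions in the style of a module vardefs array. Hypothetical:
 * in a real deployment these come from the server's own metadata and must
 * never be taken from the request, or the client could simply omit them.
 */
const DEMO_FIELD_DEFS = [
    'name'        => ['type' => 'varchar', 'required' => true],
    'description' => ['type' => 'text',    'required' => false],
    'status'      => ['type' => 'enum',    'required' => true],
    'amount'      => ['type' => 'decimal', 'required' => true],
];

/**
 * Return the names of required fields that are absent or blank in $post.
 * A value counts as blank when it is missing, null, an empty array, or a
 * string that is empty after trimming. "0" and 0 are real values and pass.
 */
function missing_required_fields(array $post, array $fieldDefs): array
{
    $missing = [];
    foreach ($fieldDefs as $name => $def) {
        if (empty($def['required'])) {
            continue;
        }
        $value = $post[$name] ?? null;
        if ($value === null) {
            $missing[] = $name;
        } elseif (is_string($value) && trim($value) === '') {
            $missing[] = $name;
        } elseif (is_array($value) && count($value) === 0) {
            // multi-select fields are posted as arrays; an empty one is blank
            $missing[] = $name;
        }
    }
    return $missing;
}

/**
 * Save handler: reject the request before anything is persisted when any
 * required field is blank. Returns [HTTP status, response payload] so it
 * can be exercised from the command line.
 */
function handle_save(array $post, array $fieldDefs): array
{
    $missing = missing_required_fields($post, $fieldDefs);
    if ($missing !== []) {
        return [422, ['error' => 'missing_required_fields', 'fields' => $missing]];
    }
    // Only now is it safe to hand $post to the persistence layer.
    return [200, ['saved' => true]];
}

// Constructed request bodies: one from a correctly filled-in EditView and
// one as produced by forcing the form to submit from the browser console.
$normal = ['name' => 'Acme Corp', 'status' => 'Active', 'amount' => '0', 'description' => ''];
$forced = ['name' => '   ', 'status' => '', 'description' => 'filled in', 'action' => 'Save'];

foreach (['normal' => $normal, 'forced' => $forced] as $label => $body) {
    [$status, $payload] = handle_save($body, DEMO_FIELD_DEFS);
    printf("%-6s -> HTTP %d %s\n", $label, $status, json_encode($payload));
}
```

Run with `php` on the command line: the normal body saves, and the forced body is refused with a 422 naming `name`, `status` and `amount`, even though the request carried `action=Save` exactly as the console snippet sends it. The important design point is that the list of required fields is read from server-side metadata, not from anything in the request; a client that can edit hidden inputs can just as easily edit a list of "required" field names if the server trusts one.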

Reference
starred/SuiteCRM-SuiteCRM#5349