Fields with type value not being processed
Have a field with the type "value"
$process_input = empty($element['#disabled']) && ($element['#type'] !== 'value') && (($form_state['programmed'] && $form_state['programmed_bypass_access_check']) || ($form_state['process_input'] && (!isset($element['#access']) || $element['#access'])));
This line has changed in 7.88 due to the security update. This part is added: ($element['#type'] !== 'value')
In our login form, we have the following code added (hook_form_alter):
$form['authentication_provider'] = array(
'#type' => 'value',
);
The field gets its #value later on in the code.
The field never gets process and the #value is empty because $process_input is false.
The following code works:
$form['authentication_provider'] = array(
'#type' => 'hidden',
);
What is the reasoning for not wanting to process "value", but "hidden" is okay? Shouldn't value be a more secured choice of type than hidden?
#type => value is an internal value never shown to the user, how can this be a security risk, since you dont want to process it?
Or am I missing the bigger picture here?
