Documentation

These hidden attributes don't fully behave like other attributes. Here are a few things to know

 

No 'Required" option

Because making hidden attributes required would make it impossible to submit the form, the option to make them required in a form has been removed altogether to avoid problems.

Tampering prevention

Attribute fields are replaced with hidden fields. The system does everything it can to prevent tampering with the data to some extent.

For instance, if an attribute is set as non-editable after the first submission, it will check that the value submitted is indeed the already existing one and keep that one.

It is not perfect but it does the trick in most situations.

Visually hidden or really hidden

When a hidden attribute is set to be only "visually hidden" it means that the input will be a normally visible input (checkbox, text box...) but will be visually hidden using CSS styling.

The idea behind this is to have fields that bots will be tempted to fill (think honey pots). Real users, including those using screen readers, will not see or be aware of them. The input label is also omitted to avoid screen readers even more.

On the other hand, really hidden attributes will mean the input will be of type "hidden" so they will be ignored even by bots.

Only the Boolean and Fixed Value hidden attributes can be made Visually hidden.

Of course, when attributes are only visually hidden, the system allows users to tamper with them as it's kind of the point.

Also when an attribute is only visually hidden, it will inform you in the form's report of what value was expected and what value you got instead if they are different.

Warning about Visually Hidden Fixed value attributes

To make a visually hidden attribute even more enticing to a bot, you can choose to make it an email, URL, or phone number input. Bots rely on input types to know how to fill them, most of the time they do not rely on labels that are too random.

Be warned that because browsers do form validation on those inputs, if a bot fills one of them with an erroneous value, the form will not submit and the browser will show an error message right above the invisible attribute. Weird...

Of course, for bots, it's probably not a big deal since they don't actually see the screen but keep that in mind.

Hidden Dynamic Attribute with input markup

When using the Dynamic Hidden Attribute type you have the option to add markup attributes to it. You can add class names, IDs, tag attributes... Anything you want.

This is here in case you need to set the input's value using JavaScript.

BEWARE: if you use that option the system will decide automatically the submitted data should not be checked for tampering and will allow any value. Keep that in mind.