Vulnerability in EPiServer.Forms
We use IFormRepository.GetSubmissionData to obtain the submission data from Episerver Forms. We pass an array of Guid in strings, which works, the API returns us the related data. Though, under the Submission object, we would expect the Id string property to return the same thing as we initially passed to the method GetSubmissionData, but it's not. It's prefixed with an integer, then we can view the Guid:
To avoid confusion with developers, a submission shoud at least return the same ID or at most be stored in another propery or left inside an Identity object.
Unfortunately, since we had to group join both our items and the result from this API, our "hack" to overcome this inconsistency was similar to that:
Thank you for looking at that!