
Filtering HTML, Questions, and Descriptions

  1. UWEX
    Member

    We run a MultiSite network and our users lack the ability to use code such as iframe, embed, and <script> in their pages/posts.

    Unfortunately, via either the HTML "question" type, the form's Description, or even any question's description, it appears that people can do this stuff. :(

    Is there an easy way to strip out the same potentially dangerous content from all these sections that WordPress strips out by default for non-super-admins?

    Posted 13 years ago on Thursday November 11, 2010 | Permalink
  2. You could use the gform_pre_render filter to escape those fields, but that hook only runs on the front end. So they would still be executed in the form editor.
    I am not sure we will have a completely secure solution for this problem.

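    // The callback name must be a quoted string; a bare test_render is an undefined constant.
    add_filter("gform_pre_render", "test_render");
    function test_render($form){
        // Escape the form description so any markup is shown as text, not executed.
        $form["description"] = esc_html($form["description"]);
        // Escape each field's description the same way.
        foreach($form["fields"] as &$field){
            $field["description"] = esc_html($field["description"]);
        }
        unset($field); // break the reference left behind by the by-reference loop
        return $form;
    }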
    Posted 13 years ago on Thursday November 11, 2010 | Permalink
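
The question asks for the same stripping WordPress applies to users without unfiltered_html, which is what `wp_kses_post()` does: it drops script, iframe and embed but keeps ordinary post markup, whereas `esc_html()` turns all markup into literal text. The following is an added example, not code from either poster or from Gravity Forms; the function name `uwex_kses_form` is hypothetical, and the `content` key for the HTML field type is an assumption about the form array. Like the reply's snippet, it runs only on the front end.

```php
<?php
// Added example: assumes WordPress with Gravity Forms active.
// uwex_kses_form is a hypothetical name chosen for this illustration.
add_filter('gform_pre_render', 'uwex_kses_form');

function uwex_kses_form($form) {
    // This hook runs for the visitor viewing the form, so the author's
    // capabilities are not known here; every form is filtered the same way.
    if (isset($form['description']) && is_string($form['description'])) {
        $form['description'] = wp_kses_post($form['description']);
    }

    if (empty($form['fields'])) {
        return $form;
    }

    // 'description' exists on every field; 'content' is assumed to hold
    // the markup of the HTML field type.
    $keys = array('description', 'content');

    foreach ($form['fields'] as $i => $field) {
        foreach ($keys as $key) {
            if (!empty($field[$key]) && is_string($field[$key])) {
                // Same allow-list WordPress uses for post content from
                // users who lack the unfiltered_html capability.
                $form['fields'][$i][$key] = wp_kses_post($field[$key]);
            }
        }
    }

    return $form;
}
```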