How to stop users entering HTML?

  1. davejmason
    Member

    I have a field where users must input a YouTube URL, however some of them keep putting in the HTML embed code. I don't like the fact that anybody could submit HTML code directly onto my site. How can I disable this?

    Perhaps just disabling characters such as < and > would do it?

    Posted 10 years ago on Friday July 5, 2013 | Permalink
  2. David Peralty

    If you had used the Website field for taking the URL, then they would be receiving an error if they tried to add HTML to that field. If it is just a generic input field, then you'll have to create your own validation. http://www.gravityhelp.com/documentation/page/Gform_field_validation

    Posted 10 years ago on Friday July 5, 2013 | Permalink
  3. Richard Vav
    Administrator

    David's correct. If you are using a website field and have 'Output HTML5' set to 'Yes' on the Gravity Forms general settings page, then you should see an error like this http://i.imgur.com/TsIVuyG.png if you try to enter a YouTube embed code, for example.

    Posted 10 years ago on Friday July 5, 2013 | Permalink
  4. davejmason
    Member

    Yes, unfortunately I can't use the website field as I need to output to a custom field within the theme. Is it possible to copy the validation code used for the website field in Gravity Forms? Or am I overlooking something? (I'm not great at coding but I'm learning!)

    D

    Posted 10 years ago on Friday July 5, 2013 | Permalink
  5. Richard Vav
    Administrator

    The validation error produced for the website field actually comes from the browser as it is part of the HTML5 standard that the browser developers have implemented for the url type input. You would have to create your own validation using the gform_field_validation filter David linked to in his reply above.

    Posted 10 years ago on Friday July 5, 2013 | Permalink
  6. Phil
    Member

    If your form is creating a post, and the YouTube URL form field will populate a custom field for the post, you might try something like this:

    1. Using the form editor, create a "Custom Field" (found among the "Post Fields").
    2. Under this new field's Properties tab, select "Website" from the "Field Type" dropdown. Now this field will undergo validation as a URL, possibly first by the browser due to the HTML5 setting Richard mentioned, but then because GFFormDisplay::validate() (in form_display.php) will see that this field's inputType is 'website' and will thus check GFCommon::is_valid_url() (in common.php).
    3. Then, select your "Custom Field Name" (still under the "Properties" tab). With the "Existing" radio button checked, this dropdown should include the name of your YouTube URL custom field, so long as you've previously saved at least one post with a value for that custom field (otherwise the custom field appears nowhere in the wp_postmeta table, whose meta_key entries are used to populate the "Custom Field Name" list). Or, perhaps you could choose the "New" radio button, if that approach better suits your needs.

    If you weren't intending to save the field value to a post's custom field, you may still find you could use a regular website field (not necessarily the "Custom Field" of website inputType), just to benefit from the related validation, then use the gform_after_submission hook to grab the field value and perform whatever actions you wish.

    Posted 10 years ago on Saturday July 6, 2013 | Permalink

This topic has been resolved and has been closed to new replies.
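
The custom validation suggested in the thread, via the gform_field_validation filter, could look like the following. This is an added example, not code from the thread or from Gravity Forms. The form ID 5, field ID 3, and the `example_` function names are assumptions, as is the 11-character video ID format.

```php
<?php
/** Return the video ID from a YouTube URL, or null if the value is not one. */
function example_youtube_video_id( $value ) {
    $value = trim( (string) $value );
    // Embed code and other markup: reject angle brackets, quotes and whitespace.
    if ( $value === '' || preg_match( '/[<>"\'\s]/', $value ) ) {
        return null;
    }
    $parts = parse_url( $value );
    if ( ! is_array( $parts ) || ! isset( $parts['scheme'], $parts['host'] )
        || ! in_array( strtolower( $parts['scheme'] ), array( 'http', 'https' ), true ) ) {
        return null;
    }
    $host = strtolower( $parts['host'] );
    $path = isset( $parts['path'] ) ? $parts['path'] : '';
    $id   = null;
    if ( $host === 'youtu.be' ) {
        $id = ltrim( $path, '/' );
    } elseif ( in_array( $host, array( 'youtube.com', 'www.youtube.com', 'm.youtube.com' ), true ) ) {
        if ( $path === '/watch' ) {
            parse_str( isset( $parts['query'] ) ? $parts['query'] : '', $query );
            $id = isset( $query['v'] ) && is_string( $query['v'] ) ? $query['v'] : null;
        } elseif ( strpos( $path, '/embed/' ) === 0 ) {
            $id = substr( $path, 7 );
        }
    }
    // Assumption: video IDs are 11 characters from [A-Za-z0-9_-].
    return ( is_string( $id ) && preg_match( '/\A[A-Za-z0-9_-]{11}\z/', $id ) ) ? $id : null;
}

/** gform_field_validation callback: fail the field unless it holds a YouTube URL. */
function example_validate_youtube_field( $result, $value, $form, $field ) {
    // Empty values are left to the field's own "required" setting.
    if ( $result['is_valid'] && $value !== '' && example_youtube_video_id( $value ) === null ) {
        $result['is_valid'] = false;
        $result['message']  = 'Please enter a YouTube video URL, not the embed code.';
    }
    return $result;
}

// Register only inside WordPress; outside it, run the constructed samples instead.
if ( function_exists( 'add_filter' ) ) {
    add_filter( 'gform_field_validation_5_3', 'example_validate_youtube_field', 10, 4 );
} else {
    foreach ( array( 'https://youtu.be/abcdefghijk', '<iframe src="https://www.youtube.com/embed/abcdefghijk"></iframe>', 'https://example.com/watch?v=abcdefghijk' ) as $sample ) {
        var_export( example_youtube_video_id( $sample ) ); echo "\n";
    }
}
```

Server-side validation like this complements, rather than replaces, escaping on output: when the theme prints the stored custom field, pass it through `esc_url()`.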