PLEASE NOTE: These forums are no longer utilized and are provided as an archive for informational purposes only. All support issues will be handled via email using our support ticket system. For more detailed information on this change, please see this blog post.

Unnecessary esc_html() in get_checkbox_choices()?

  1. Anonymous

    Using the hook 'populate_dropdown' I'm trying to set checkboxes with formatted HTML but am unable to because of what seems like an Unnecessary esc_html() on line 684 of common.php.

    It's possible that you really do need to run esc_html() for other contexts than the one I'm using but thus far I can't see why. Without being able to set HTML in the 'text' I can't provide formatting that would enable my list of checkboxes to be easily understood by my website visitors.

    An alternate would be to use an 'html' field and not escape it, if it contains a value but continue to escape the 'text' field. Or provide a filter where I can make the changes myself.

    I need this site to go live ASAP and really don't want to hack your plugin unless I know you are going to make the change. Thanks in advance for your quick response.

    Posted 12 years ago on Sunday February 14, 2010 | Permalink
  2. The reason why HTML is being escaped is because currently Gravity Forms does not support a value/label option for drop downs, radio buttons, and check boxes so the value of the field cannot contain HTML.

    We plan on changing this in the future to enable the ability to have a separate value and at that time will probably enable the ability to have HTML in the label at that time.

    Posted 12 years ago on Monday February 15, 2010 | Permalink
  3. Anonymous

    Hi Carl,

    Thanks for the comment. I hear you that it doesn't support it (via admin console) but it does (inadvertently?) support it via hooks. Below is a function I'm using to present a list of categories and their descriptions to users, but the HTML I am using for formatting gets displayed on the page instead of affecting the formatting of the content as I intended.

    I hacked your plugin to make it work (i.e. I only removed the call to esc_html()) and it displays as I want it to but I don't like hacking someone else's code that will be upgraded in the future.

    Here's a simple thing; could you check a value in the field array and not escape the HTML if it exists and is false? (i.e. $field['esc_html']==false.) That way I can create forward compatible code....

    Thanks for considering.

    add_filter('gform_pre_render_2', 'populate_dropdown');
    function populate_dropdown($form){
      $args = array(
        'hide_empty' => false,
        'exclude' => 1, // 1 = Uncategorized
      $categories = get_categories($args);
      //Creating drop down item array.
      $items = array();
      //Adding post titles to the items array
      foreach($categories as $category) {
        $items[] = array(
          'value' => $category->slug,
          'text' => '<span class="category-name">' .
               $category->name .
             '</span>: <div class="category-description">' .
               $category->category_description .
          'isSelected' => false
      $items[] = array(
        'value' => 'other',
        'text'=>'<span class="category-name">Other</span>: '
          . '<div class="category-description">'
          . 'Something else? Tell us below.'
          . '</span>',
        'isSelected' => false
      foreach($form["fields"] as &$field)
        if(element_equals($field,'inputName','categories')) {
          $field["choices"] = $items;
      return $form;
    Posted 12 years ago on Monday February 15, 2010 | Permalink
  4. If you're just looking for "user friendly" text on the front end, you can do this pretty simply with just a few lines of jQuery... even with HTML content. Basically, you use the script to replace the html content of the label client side. I created a normal checkbox field with 4 options, simply labeled 1-4.

    admin screenshot

    I viewed the source and grabbed the unique classes for the labels (actually the parent list item) and replaced the label content based on inheritance from there.

    <script type="text/javascript" src=""></script>
      <script type="text/javascript">
      $(document).ready(function() {
      $('li.gchoice_9_1 label').html('I like option one because it is <a href="" target="_blank">awesome</a>.');
      $('li.gchoice_9_2 label').html('but I might like option two when you think of it');
      $('li.gchoice_9_3 label').html('option three is looking pretty good though');
      $('li.gchoice_9_4 label').html('and option four could do the trick');
      $('li#field_1_9 .gfield_description').insertAfter($('li#field_1_9 .gfield_label'));

    You'll notice that I actually repositioned the "gfield_desciption" div immediately below the main field label as well.

    Note: if you're already loading jQuery in your theme, you can omit the initial script reference.

    here's my sample form screenshot from the front end, and you'll see that the original value is still passed in the form - admin screenshot

    Posted 12 years ago on Tuesday February 16, 2010 | Permalink
  5. Anonymous

    Thanks. While I love jQuery for interactive functionality and have done a fair bit of it myself, I really dislike using it for simple formatting. It breaks when people have Javascript turned off and it causes page loads to be sluggish on slower computers. I'd far, far prefer to do that kind of coding in PHP on the server (where it was meant to be done! :)

    How about another solution? How about adding a 'gform_field_input' hook to get field input and instead of directly sprint()ing or returning you first pass through said filter?

    BTW, I'm not getting email notifications even though I check "Subscribe to this Topic via Email." Are your email notifications not working?

    Posted 12 years ago on Tuesday February 16, 2010 | Permalink
  6. We'll look into the subscribe to topics not working. We use a bbPress plugin for that so we will have to see whats going on.

    We aren't advocating jQuery as the right way to go for everything, however until certain features are added natively to Gravity Forms, sometimes it's the only option until we release updates to Gravity Forms.

    HTML is stripped from checkbox labels right now because until we implement value/label capabilities as a native feature to Gravity Forms, the label is used as the value for the checkbox.

    We do plan on changing this in one of the upcoming releases.

    Just keep in mind that while Gravity Forms is very mature, it is still very new. We are constantly adding new features and improving things and we still have a laundry list of features that we plan on introducing in the future.

    Posted 12 years ago on Tuesday February 16, 2010 | Permalink
  7. The jQuery solution was simply proposed as a bridge until we add this functionality in a future release. Nobody is advocating you use it if you don't like it, it's just another option.

    Posted 12 years ago on Tuesday February 16, 2010 | Permalink
  8. @Carl Hancock, why are labels having their HTML escaped when they are labels and not the value being submitted via $_POST? Remove esc_html from the labels in common.php and you instantly have "HTML" support, keep it in the value fields and all is good.

    Posted 12 years ago on Tuesday May 25, 2010 | Permalink
  9. @scott the labels are having their HTML escaped because the labels are used in a variety of places, not just the front end. They are used in numerous places in the admin for display where having HTML within them would cause issues with admin UI display.

    Posted 12 years ago on Wednesday May 26, 2010 | Permalink
  10. All that matters is the front end. Don't escape the HTML in the labels on the front end and I believe 99% of people's needs are filled.

    Posted 12 years ago on Wednesday May 26, 2010 | Permalink
  11. dbone

    Created this JS to use in the interim until support is added in core. Obviously change the identifier to the classes for your checkbox list in your form in the for loop.

    // Unescape
    for (i = 1; i <= 8; i++)
    	unescape_html("li.gchoice_21_" + i + " label");
    function unescape_html(node)
    	var escaped_string = $(node).html();
    function unescape_string(html)
    	var htmlNode = document.createElement("span");
    	htmlNode.innerHTML = html;
    	if(htmlNode.innerText !== undefined)
    	return htmlNode.innerText; // IE
    	return htmlNode.textContent; // FF

    Credit to Marcus Phillips on for the unescape_string function.

    Posted 12 years ago on Thursday June 3, 2010 | Permalink
  12. I just ran across this issue and I do agree it's a bit of a pain and I hate to rely on javascript but the admin editor certainly does break when you inject HTML.

    edit: I'm the big jerk that just broke the rules and edited my common.php lines 1054 and 1008 to remove the esc_html() function

    and js.php lines 2001-2004 to change \" to '

    str += "<li><input type='" + type + "' class='gfield_choice_" + type + "' name='choice_selected' id='choice_selected_" + i + "' " + checked + " onclick='SetFieldChoice(" + i + ");' />";
            str +=     "<input type='text' id='choice_text_" + i + "' value='" + field.choices[i].text + "' onkeyup=\"SetFieldChoice(" + i + ");\" class='field-choice-input field-choice-text' />";
            str +=     "<input type='text' id='choice_value_" + i + "' value='" + value + "' onkeyup=\"SetFieldChoice(" + i + ");\" class='field-choice-input field-choice-value' />";
            str +=     "<input type='text' id='choice_price_" + i + "' value='" + price + "' onchange=\"SetFieldChoice(" + i + ");\" class='field-choice-input field-choice-price' />";
    Posted 11 years ago on Wednesday November 17, 2010 | Permalink
  13. Just an update for those of you still looking to hack up gforms to allow this, as of RC3,

    in common.php:

    find 'public static function get_checkbox_choices($field, $value, $disabled_text){'

    at 1114: replace esc_html($choice["text"]) with $choice["text"]
    at 1145: replace esc_html($choice["text"]) with $choice["text"]

    in js.php:

    find 'function GetFieldChoices(field){'

    ~lines 2094-2101 replace \" with '

    Posted 11 years ago on Friday January 21, 2011 | Permalink