Unnecessary esc_html() in get_checkbox_choices()?

Gravity Support Forums » General » Feature Requests

Anonymous
Unregistered

Using the hook 'populate_dropdown' I'm trying to set checkboxes with formatted HTML but am unable to because of what seems like an Unnecessary esc_html() on line 684 of common.php.

It's possible that you really do need to run esc_html() for other contexts than the one I'm using but thus far I can't see why. Without being able to set HTML in the 'text' I can't provide formatting that would enable my list of checkboxes to be easily understood by my website visitors.

An alternate would be to use an 'html' field and not escape it, if it contains a value but continue to escape the 'text' field. Or provide a filter where I can make the changes myself.

I need this site to go live ASAP and really don't want to hack your plugin unless I know you are going to make the change. Thanks in advance for your quick response.

Posted 14 years ago on Sunday February 14, 2010 | Permalink
Carl Hancock
Administrator

The reason why HTML is being escaped is because currently Gravity Forms does not support a value/label option for drop downs, radio buttons, and check boxes so the value of the field cannot contain HTML.

We plan on changing this in the future to enable the ability to have a separate value and at that time will probably enable the ability to have HTML in the label at that time.

Posted 14 years ago on Monday February 15, 2010 | Permalink

Anonymous
Unregistered

Hi Carl,

Thanks for the comment. I hear you that it doesn't support it (via admin console) but it does (inadvertently?) support it via hooks. Below is a function I'm using to present a list of categories and their descriptions to users, but the HTML I am using for formatting gets displayed on the page instead of affecting the formatting of the content as I intended.

I hacked your plugin to make it work (i.e. I only removed the call to esc_html()) and it displays as I want it to but I don't like hacking someone else's code that will be upgraded in the future.

Here's a simple thing; could you check a value in the field array and not escape the HTML if it exists and is false? (i.e. $field['esc_html']==false.) That way I can create forward compatible code....

Thanks for considering.

add_filter('gform_pre_render_2', 'populate_dropdown');
function populate_dropdown($form){
  $args = array(
    'hide_empty' => false,
    'exclude' => 1, // 1 = Uncategorized
    );
  $categories = get_categories($args);
  //Creating drop down item array.
  $items = array();
  //Adding post titles to the items array
  foreach($categories as $category) {
    $items[] = array(
      'value' => $category->slug,
      'text' => '<span class="category-name">' .
           $category->name .
         '</span>: <div class="category-description">' .
           $category->category_description .
         '</span>',
      'isSelected' => false
    );
  }
  $items[] = array(
    'value' => 'other',
    'text'=>'<span class="category-name">Other</span>: '
      . '<div class="category-description">'
      . 'Something else? Tell us below.'
      . '</span>',
    'isSelected' => false
  );
  foreach($form["fields"] as &$field)
    if(element_equals($field,'inputName','categories')) {
      $field["choices"] = $items;
      break;
    }
  return $form;
}

Posted 14 years ago on Monday February 15, 2010 | Permalink

Kevin Flahaut
Administrator
If you're just looking for "user friendly" text on the front end, you can do this pretty simply with just a few lines of jQuery... even with HTML content. Basically, you use the script to replace the html content of the label client side. I created a normal checkbox field with 4 options, simply labeled 1-4.

admin screenshot

I viewed the source and grabbed the unique classes for the labels (actually the parent list item) and replaced the label content based on inheritance from there.
```
<script type="text/javascript" src="http://ajax.googleapis.com/ajax/libs/jquery/1.4.1/jquery.min.js"></script>
  <script type="text/javascript">
  $(document).ready(function() {

  $('li.gchoice_9_1 label').html('I like option one because it is <a href="http://www.yoursite.com/awesome/" target="_blank">awesome</a>.');
  $('li.gchoice_9_2 label').html('but I might like option two when you think of it');
  $('li.gchoice_9_3 label').html('option three is looking pretty good though');
  $('li.gchoice_9_4 label').html('and option four could do the trick');

  $('li#field_1_9 .gfield_description').insertAfter($('li#field_1_9 .gfield_label'));

  });
 </script>
```
You'll notice that I actually repositioned the "gfield_desciption" div immediately below the main field label as well.

Note: if you're already loading jQuery in your theme, you can omit the initial script reference.

here's my sample form screenshot from the front end, and you'll see that the original value is still passed in the form - admin screenshot
Posted 14 years ago on Tuesday February 16, 2010 | Permalink
Anonymous
Unregistered

Thanks. While I love jQuery for interactive functionality and have done a fair bit of it myself, I really dislike using it for simple formatting. It breaks when people have Javascript turned off and it causes page loads to be sluggish on slower computers. I'd far, far prefer to do that kind of coding in PHP on the server (where it was meant to be done! :)

How about another solution? How about adding a 'gform_field_input' hook to get field input and instead of directly sprint()ing or returning you first pass through said filter?

BTW, I'm not getting email notifications even though I check "Subscribe to this Topic via Email." Are your email notifications not working?

Posted 14 years ago on Tuesday February 16, 2010 | Permalink
Carl Hancock
Administrator

We'll look into the subscribe to topics not working. We use a bbPress plugin for that so we will have to see whats going on.

We aren't advocating jQuery as the right way to go for everything, however until certain features are added natively to Gravity Forms, sometimes it's the only option until we release updates to Gravity Forms.

HTML is stripped from checkbox labels right now because until we implement value/label capabilities as a native feature to Gravity Forms, the label is used as the value for the checkbox.

We do plan on changing this in one of the upcoming releases.

Just keep in mind that while Gravity Forms is very mature, it is still very new. We are constantly adding new features and improving things and we still have a laundry list of features that we plan on introducing in the future.

Posted 14 years ago on Tuesday February 16, 2010 | Permalink
Kevin Flahaut
Administrator

The jQuery solution was simply proposed as a bridge until we add this functionality in a future release. Nobody is advocating you use it if you don't like it, it's just another option.

Posted 14 years ago on Tuesday February 16, 2010 | Permalink
sc0ttkclark
Member

@Carl Hancock, why are labels having their HTML escaped when they are labels and not the value being submitted via $_POST? Remove esc_html from the labels in common.php and you instantly have "HTML" support, keep it in the value fields and all is good.

Posted 14 years ago on Tuesday May 25, 2010 | Permalink
Carl Hancock
Administrator

@scott the labels are having their HTML escaped because the labels are used in a variety of places, not just the front end. They are used in numerous places in the admin for display where having HTML within them would cause issues with admin UI display.

Posted 14 years ago on Wednesday May 26, 2010 | Permalink
sc0ttkclark
Member

All that matters is the front end. Don't escape the HTML in the labels on the front end and I believe 99% of people's needs are filled.

Posted 14 years ago on Wednesday May 26, 2010 | Permalink

dbone
Member

Created this JS to use in the interim until support is added in core. Obviously change the identifier to the classes for your checkbox list in your form in the for loop.

// Unescape
for (i = 1; i <= 8; i++)
{
	unescape_html("li.gchoice_21_" + i + " label");
}

function unescape_html(node)
{
	var escaped_string = $(node).html();
	$(node).html(unescape_string(escaped_string));
}

function unescape_string(html)
{
	var htmlNode = document.createElement("span");
	htmlNode.innerHTML = html;
	if(htmlNode.innerText !== undefined)
	return htmlNode.innerText; // IE
	return htmlNode.textContent; // FF
}

Credit to Marcus Phillips on http://erlend.oftedal.no/blog/?blogid=14 for the unescape_string function.

Posted 14 years ago on Thursday June 3, 2010 | Permalink

m4change
Member

I just ran across this issue and I do agree it's a bit of a pain and I hate to rely on javascript but the admin editor certainly does break when you inject HTML.

edit: I'm the big jerk that just broke the rules and edited my common.php lines 1054 and 1008 to remove the esc_html() function

and js.php lines 2001-2004 to change \" to '

str += "<li><input type='" + type + "' class='gfield_choice_" + type + "' name='choice_selected' id='choice_selected_" + i + "' " + checked + " onclick='SetFieldChoice(" + i + ");' />";
        str +=     "<input type='text' id='choice_text_" + i + "' value='" + field.choices[i].text + "' onkeyup=\"SetFieldChoice(" + i + ");\" class='field-choice-input field-choice-text' />";
        str +=     "<input type='text' id='choice_value_" + i + "' value='" + value + "' onkeyup=\"SetFieldChoice(" + i + ");\" class='field-choice-input field-choice-value' />";
        str +=     "<input type='text' id='choice_price_" + i + "' value='" + price + "' onchange=\"SetFieldChoice(" + i + ");\" class='field-choice-input field-choice-price' />";

Posted 14 years ago on Wednesday November 17, 2010 | Permalink

m4change
Member

Just an update for those of you still looking to hack up gforms to allow this, as of RC3,

---
in common.php:

find 'public static function get_checkbox_choices($field, $value, $disabled_text){'

at 1114: replace esc_html($choice["text"]) with $choice["text"]
at 1145: replace esc_html($choice["text"]) with $choice["text"]

------
in js.php:

find 'function GetFieldChoices(field){'

~lines 2094-2101 replace \" with '

Posted 13 years ago on Friday January 21, 2011 | Permalink