If you've been reading articles on this site for any length of time, then you know that we're big fans of Formidable Pro to build forms in WordPress. And in a spirit of full disclosure, we proudly admit that we are affiliate marketers for the product.
You may also be aware that we've been promising for quite some time to post a long overdue tutorial on how to build beautifully rendered tabbed or accordion forms with Formidable Pro. We apologize for not having the tutorial up yet, but work has been keeping us very busy.
Today, while one of our associates, Carson Longo, was working on a heavily customized client project, he found that the recent Formidable Pro 2.0.8 update seemingly broke the site's tabbed interface forms. (If we had only read the changelog!)
As it turns out, Formidable Pro wasn't broken at all. In May, G0blin Research discovered that earlier versions of Formidable Pro exposed a limited vulnerability that the development team deemed serious enough to provide a fix. They said:
Due to a do_shortcode call on line 816, in the file formidable/classes/controllers/FrmFormsController.php, it is possible to execute arbitrary short codes. Although due to URL encoding the scope of this vulnerability is limited, it could be possible to leverage this vulnerability to gain access to other plugins' sensitive short codes, possibly leading to disclosure of CSRF [Cross-Site Request Forgery] tokens, or other sensitive data.
This vulnerability would also allow an attacker to test to see whether a certain short code is available or not, and as such determine if a particular plugin is installed.
Kudos to Stephanie Wells for squashing the vulnerability and releasing an update within a week of its discovery! But now the secure Formidable Pro won't render third-party shortcodes without an override tweak added to your theme's functions.php file. Our tabbed interface forms make heavy use of the very capable Squelch Tabs and Accordions plugin, which uses shortcodes to render the tab features.
Again, thanks to Stephanie, we were able to fix the issue and none of our clients were significantly impacted. Stephanie provided us with a Beta version of Formidable Pro, version 2.0.9 to be exact. Along with the Beta came a code snippet we could add to our theme's functions.php file that would override the security fix to allow shortcodes that are embedded in a form's custom HTML to properly execute. The code, modified to support the Squelch Tabs and Accordions plugin, is below. You also need the 2.0.9 Beta of Formidable Pro, which you can download here: https://formidableforms.com/knowledgebase/manual_downloads/, provided you have a Formidable Pro support account.
    /* This is custom code required for Formidable Pro 2.0.9 and higher
     * if you use the Squelch Tabs and Accordions plugin
     * to create a tabbed interface for your forms.
     * Add this to the bottom of your theme's functions.php file. */
    add_filter( 'frm_filter_final_form', 'filter_squelch_tabs' );

    function filter_squelch_tabs( $form ) {
        global $shortcode_tags;
        $original_shortcodes = $shortcode_tags;

        // The only shortcodes allowed to run inside a form's HTML.
        $allowed_tags = array(
            'tabs', 'subtabs', 'subsubtabs',
            'tab', 'subtab', 'subsubtab',
            'toggles', 'subtoggles', 'subsubtoggles',
            'toggle', 'subtoggle', 'subsubtoggle',
            'accordions', 'subaccordions', 'subsubaccordions',
            'accordion', 'subaccordion', 'subsubaccordion',
            'haccordions', 'subhaccordions', 'subsubhaccordions',
            'haccordion', 'subhaccordion', 'subsubhaccordion',
        );

        // Keep only the allowed tags that are actually registered, so a
        // deactivated plugin does not cause undefined-index notices or
        // null shortcode callbacks.
        $shortcode_tags = array_intersect_key( $original_shortcodes, array_flip( $allowed_tags ) );
        $form = do_shortcode( $form );

        // Restore the full shortcode registry for the rest of the page.
        $shortcode_tags = $original_shortcodes;
        return $form;
    }

    // Part of the snippet as supplied: returns false for the
    // frm_do_html_shortcodes filter.
    add_filter( 'frm_do_html_shortcodes', '__return_false' );
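Before widening that allowlist, it helps to know which registered shortcodes your forms actually contain. The audit helper below is an added example, not code from Formidable or from the snippet above; the function name, the constant, the priority of 5, the simplified tag pattern and the sample form HTML are all assumptions made for illustration.

```php
<?php
// Added example: report shortcodes in form HTML that are registered but not allowlisted.
// Hypothetical constant; shortened here, copy the full tag list from the snippet above.
const FORM_SHORTCODE_ALLOWLIST = array( 'tabs', 'tab', 'accordions', 'accordion' );

/**
 * Return registered shortcode tags used in $html that are NOT on the allowlist.
 * Uses a simplified pattern, not WordPress's own get_shortcode_regex().
 */
function find_unlisted_shortcodes( string $html, array $registered, array $allowed ): array {
    // Opening tags only: "[[tag]]" (escaped) and "[/tag]" (closing) are skipped.
    preg_match_all( '/(?<!\[)\[([A-Za-z_][\w-]*)(?=[\s\]\/])/', $html, $m );
    $used = array_unique( $m[1] );

    // Bracketed tokens that are not registered shortcodes are ignored.
    $unlisted = array_diff( array_intersect( $used, $registered ), $allowed );
    sort( $unlisted );
    return $unlisted;
}

if ( function_exists( 'add_filter' ) ) {
    // Inside WordPress: run ahead of the default-priority filter and log what is found.
    add_filter( 'frm_filter_final_form', function ( $form ) {
        global $shortcode_tags;
        $found = find_unlisted_shortcodes(
            $form,
            array_keys( $shortcode_tags ),
            FORM_SHORTCODE_ALLOWLIST
        );
        if ( $found ) {
            error_log( 'Form uses shortcodes outside the allowlist: ' . implode( ', ', $found ) );
        }
        return $form; // Audit only: the form HTML is passed through unchanged.
    }, 5 );
} else {
    // Stand-alone run (php audit.php) on constructed sample data.
    $registered = array( 'tabs', 'tab', 'gallery', 'other_plugin_token' );
    $html       = '[tabs][tab title="Step 1"][input][/tab][/tabs] '
                . '[[gallery]] [other_plugin_token] [gallery ids="1"]';
    print_r( find_unlisted_shortcodes( $html, $registered, FORM_SHORTCODE_ALLOWLIST ) );
}
```

Each tag it logs is one the allowlist filter will leave unrendered; add a tag to the allowlist only after checking that its output is safe to show to anyone who can load the form.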
Hi Victor, will this still work with v2.0.11? I cannot get it to work for the life of me!
Hi Jordan,
Yes, it still works. However, it does slow down a form’s rendering significantly. I have since removed the shortcodes from some of my forms and added the HTML directly to the form. I suggest you open a support ticket with the Formidable Pro. They are very responsive.
Hi Victor, glad you resolved your issue and are able to keep using our plugin! :)