
Formidable Pro & 3rd Party Shortcodes

By Victor M. Font Jr.
June 10, 2015

3 Comments

If you've been reading articles on this site for any length of time, then you know that we're big fans of Formidable Pro to build forms in WordPress. And in a spirit of full disclosure, we proudly admit that we are affiliate marketers for the product.

You may also be aware that we've been promising for quite some time to post a long overdue tutorial on how to build beautifully rendered tabbed or accordion forms with Formidable Pro. We apologize for not having the tutorial up yet, but work has been keeping us very busy.

Today, while one of our associates, Carson Longo, was working on a heavily customized client project, he found that the recent Formidable Pro 2.0.8 update seemingly broke the site's tabbed interface forms. (If we had only read the changelog!)

As it turns out, Formidable Pro wasn't broken at all. In May, G0blin Research discovered that earlier versions of Formidable Pro exposed a limited vulnerability that the development team deemed serious enough to provide a fix. They said:

Due to a do_shortcode call on line 816, in the file formidable/classes/controllers/FrmFormsController.php, it is possible to execute arbitrary short codes. Although due to URL encoding the scope of this vulnerability is limited, it could be possible to leverage this vulnerability to gain access to other plugins' sensitive short codes, possibly leading to disclosure of CSRF [Cross-Site Request Forgery] tokens, or other sensitive data.

This vulnerability would also allow an attacker to test to see whether a certain short code is available or not, and as such determine if a particular plugin is installed.

Kudos to Stephanie Wells for squashing the vulnerability and releasing an update within a week of its discovery! But now the secure Formidable Pro won't render 3rd party shortcodes without an override tweak added to your theme's functions.php file. Our tabbed interface forms make heavy use of the very capable Squelch Tabs and Accordions plugin, which uses shortcodes to render the tab features.

Again, thanks to Stephanie, we were able to fix the issue and none of our clients were significantly impacted. Stephanie provided us with a Beta version of Formidable Pro, version 2.0.9 to be exact. Along with the Beta came a code snippet we could add to our theme's functions.php file that would override the security fix to allow shortcodes that are embedded in a form's custom HTML to properly execute. The code, modified to support the Squelch Tabs and Accordions plugin, is below. You also need the 2.0.9 Beta of Formidable Pro, which you can download here: https://formidableforms.com/knowledgebase/manual_downloads/, provided you have a Formidable Pro support account.

/* This custom code is required for Formidable Pro 2.0.9 and higher */
/* if you use the Squelch Tabs and Accordions plugin */
/* to create a tabbed interface for your forms. */
/* Add this to the bottom of your theme's functions.php file. */

add_filter( 'frm_filter_final_form', 'filter_squelch_tabs' );

function filter_squelch_tabs( $form ) {
	global $shortcode_tags;

	// Only the Squelch Tabs and Accordions shortcodes may run inside the form HTML.
	$allowed_tags = array(
		'tabs', 'subtabs', 'subsubtabs',
		'tab', 'subtab', 'subsubtab',
		'toggles', 'subtoggles', 'subsubtoggles',
		'toggle', 'subtoggle', 'subsubtoggle',
		'accordions', 'subaccordions', 'subsubaccordions',
		'accordion', 'subaccordion', 'subsubaccordion',
		'haccordions', 'subhaccordions', 'subsubhaccordions',
		'haccordion', 'subhaccordion', 'subsubhaccordion',
	);

	// Keep the full shortcode registry so it can be restored afterwards.
	$original_shortcodes = $shortcode_tags;

	// Narrow the registry to the allowed tags that are actually registered.
	// A tag that is missing (for example, the plugin is inactive) is skipped
	// instead of being mapped to an undefined index.
	$shortcode_tags = array_intersect_key( $original_shortcodes, array_flip( $allowed_tags ) );
	$form = do_shortcode( $form );

	// Restore every shortcode for the rest of the page.
	$shortcode_tags = $original_shortcodes;
	return $form;
}

// Disable Formidable's own shortcode processing of the form HTML; the filter above handles it.
add_filter( 'frm_do_html_shortcodes', '__return_false' );
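
As an added example (not part of the original post and not Formidable's or Squelch's code), this stand-alone PHP script audits a form's custom HTML against the allowlist used in the filter above, so you can see which tags the filter will process and which fall outside it before you widen the list. The sample HTML and the placeholder names (key, field_name, input) are constructed for illustration; the function names are hypothetical.

```php
<?php
// Tag names allowed by the filter above: 8 Squelch base names x 3 nesting prefixes.
function squelch_allowed_tags() {
	$tags = array();
	foreach ( array( 'tabs', 'tab', 'toggles', 'toggle', 'accordions', 'accordion', 'haccordions', 'haccordion' ) as $base ) {
		foreach ( array( '', 'sub', 'subsub' ) as $prefix ) {
			$tags[] = $prefix . $base;
		}
	}
	return $tags;
}

// Count opening shortcode-style tags in $html.
// Closing tags ([/tab]) and escaped tags ([[tab]]) are not counted.
function find_shortcode_tags( $html ) {
	preg_match_all( '/(?<!\[)\[([A-Za-z][\w-]*)(?=[\s\]\/])/', $html, $m );
	return array_count_values( $m[1] );
}

// Split the tags used in $html into those on the allowlist and those outside it.
// $placeholders lists the form builder's own bracket tokens, which are not
// WordPress shortcodes (assumption: supply the ones your form HTML uses).
function audit_form_html( $html, array $allowed, array $placeholders ) {
	$report = array( 'allowed' => array(), 'outside_allowlist' => array() );
	foreach ( find_shortcode_tags( $html ) as $tag => $count ) {
		if ( in_array( $tag, $placeholders, true ) ) {
			continue; // form-builder token, not a shortcode
		}
		$bucket = in_array( $tag, $allowed, true ) ? 'allowed' : 'outside_allowlist';
		$report[ $bucket ][ $tag ] = $count;
	}
	return $report;
}

// Constructed sample of a form's custom HTML (not taken from a real site).
$sample = '[tabs][tab title="Contact"]<label for="field_[key]">[field_name]</label>[input][/tab]'
	. '[tab title="Extras"][gallery ids="1,2"][/tab][/tabs] [[tab]]';

print_r( audit_form_html( $sample, squelch_allowed_tags(), array( 'key', 'field_name', 'input' ) ) );
```

Any tag reported under outside_allowlist is one the narrowed registry does not contain, so review whether the form really needs it before adding it to the filter; every tag you add is another shortcode that can execute from form HTML.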

About Victor M. Font Jr.

Victor M. Font Jr. is an award winning author, entrepreneur, and Senior IT Executive. A Founding Board Member of the North Carolina Executive Roundtable, he has served on the Board of Advisors, of the North Carolina Technology Association, the International Institute of Business Analysis, Association of Information Technology Professionals, Toastmasters International, and the North Carolina Commission for Mental Health, Developmental Disabilities, and Substance Abuse Services. He is author of several books including The Ultimate Guide to the SDLC and Winning With WordPress Basics, and Cybersecurity.


Comments

  1. Jordan

    August 31, 2015 at 2:23 am

    Hi Victor, will this still work with v2.0.11? I cannot get it to work for the life of me!

    • Victor M. Font Jr.

      August 31, 2015 at 7:43 am

      Hi Jordan,

      Yes, it still works. However, it does slow down a form’s rendering significantly. I have since removed the shortcodes from some of my forms and added the HTML directly to the form. I suggest you open a support ticket with the Formidable Pro. They are very responsive.

  2. Matt Lowe

    June 11, 2015 at 11:44 am

    Hi Victor, glad you resolved your issue and are able to keep using our plugin! :)

