Victor Font Consulting Group, LLC

The DEX Intranet Specialists

Call Us:

+1 919-604-5828

You are here: Home / Code Snippet / Formidable Pro & 3rd Party Shortcodes

Formidable Pro & 3rd Party Shortcodes

By
3 Comments

formidable-pro-250x250If you've been reading articles on this site for any length of time, then you know that we're big fans of Formidable Pro to build forms in WordPress. And in a spirit of full disclosure, we proudly admit that we are affiliate marketers for the product.

You may also be aware that we've been promising for quite some time to post a long overdue tutorial on how to build beautifully rendered tabbed or accordion forms with Formidable Pro. We apologize for not having the tutorial up yet, but work has been keeping us very busy.

Today, one of our associates, Carson Longo, was working on a heavily customized client project, he found that the recent Formidable Pro 2.0.8 update seemingly broke the site's tabbed interface forms. (If we had only read the changelog!)

As it turns out Formidable Pro wasn't broken at all. In May, G0blin Research discovered that earlier versions of Formidable Pro exposed a limited vulnerability that the development team deemed serious enough to provide a fix. They said:

Due to a do_shortcode call on line 816, in the file formidable/classes/controllers/FrmFormsController.php, it is possible to execute arbitrary short codes. Although due to URL encoding the scope of this vulnerability is limited, it could be possible to leverage this vulnerability to gain access to other plugins sensitive short codes, possibly leading to disclosure of CSRF [Cross-Site Request Forgery] tokens, or other sensitive data.

This vulnerability would also allow an attacker to test to see whether a certain short code is available or not, and as such determine if a particular plugin is installed.

Kudos to Stephanie Wells for squashing the vulnerability and releasing an update within a week of its discovery! But now the secure Formidable Pro won't render 3rd party shortcodes without an override tweak added to your theme's functions.php file. Our tabbed interface forms make heavy use of the very capable Squelch Tabs and Accordions plugin, which uses shortcodes to render the tab features.

Again, thanks to Stephanie, we were able to fix the issue and none of our clients were significantly impacted. Stephanie provided us with a Beta version of Formidable Pro, version 2.0.9 to be exact. Along with the Beta came a code snippet we could add to our theme's functions.php file that would override the security fix to allow shortcodes that are embedded in a form's custom HTML to properly execute. The code, modified to support the Squelch Tabs and Accordions plugin, is below. You also need the 2.0.9 Beta of Formidable Pro, which you can download here: https://formidableforms.com/knowledgebase/manual_downloads/, provided you have a Formidable Pro support account.

/* this is custom code required for Formidable Pro 2.0.9 and higher */
/* if you use the Squelch Tabs and Accordions plugin */
/* to create a tabbed interface for your forms */
/* add this to the bottom of your theme's functions.php file. */

add_filter( 'frm_filter_final_form', 'filter_squelch_tabs' );

function filter_squelch_tabs( $form ) {
	global $shortcode_tags;
	$original_shortcodes = $shortcode_tags;
	$limited_shortcodes = array( 
	'tabs' => $shortcode_tags['tabs'], 'subtabs' => $shortcode_tags['subtabs'],'subsubtabs' => $shortcode_tags['subsubtabs'],
	'tab' => $shortcode_tags['tab'], 'subtab' => $shortcode_tags['subtab'], 'subsubtab' => $shortcode_tags['subsubtab'],
	'toggles' => $shortcode_tags['toggles'], 'subtoggles' => $shortcode_tags['subtoggles'], 'subsubtoggles' => $shortcode_tags['subsubtoggles'],
	'toggle' => $shortcode_tags['toggle'], 'subtoggle' => $shortcode_tags['subtoggle'], 'subsubtoggle' => $shortcode_tags['subsubtoggle'],
	'accordions' => $shortcode_tags['accordions'], 'subaccordions' => $shortcode_tags['subaccordions'], 'subsubaccordions' => $shortcode_tags['subsubaccordions'],
	'accordion' => $shortcode_tags['accordion'], 'subaccordion' => $shortcode_tags['subaccordion'], 'subsubaccordion' => $shortcode_tags['subsubaccordion'],
	'haccordions' => $shortcode_tags['haccordions'], 'subhaccordions' => $shortcode_tags['subhaccordions'], 'subsubhaccordions' => $shortcode_tags['subsubhaccordions'],
	'haccordion' => $shortcode_tags['haccordion'], 'subhaccordion' => $shortcode_tags['subhaccordion'], 'subsubhaccordion' => $shortcode_tags['subsubhaccordion']
	);
	$shortcode_tags = $limited_shortcodes;
	$form = do_shortcode( $form );
	$shortcode_tags = $original_shortcodes;
	return $form;
}

add_filter( 'frm_do_html_shortcodes', '__return_false' );

Reader Interactions

VictorFont.com runs on the Genesis Framework

Genesis FrameworkThe Genesis Framework empowers you to quickly and easily build incredible websites with WordPress. Genesis provides the secure and search-engine-optimized foundation that takes WordPress to places you never thought it could go.

Check out the incredible features and the selection of designs. It's that simple—start using Genesis now!

Click here to download The Genesis Guide for Absolute Beginners (PDF - 1.4 MB)

Leave a Reply

Your email address and website will not be published. Required fields are marked *
Posting a comment means that you agree with and accept our Comment & Product Review Policy

Comments

    • Hi Jordan,

      Yes, it still works. However, it does slow down a form’s rendering significantly. I have since removed the shortcodes from some of my forms and added the HTML directly to the form. I suggest you open a support ticket with the Formidable Pro. They are very responsive.

      Reply