Last Updated on February 16, 2018 by Neil Murray
Users only see the Visual interface in the WordPress admin back-end; unauthorized users cannot access it. Data sanitization can be done in JavaScript and/or in WordPress, and WordPress has built-in functions for this that run before the Visual data is saved to the database.
Refer:
- Contact Form 7 Normalizing.
- https://codex.wordpress.org/Data_Validation.
- Issue #178 Data Sanitation for Input.
The CF7 tag generator applies a rule to each input using JavaScript before inserting the shortcode tag into the form. The validation lives in the file tag-generator.js. Rules are applied after the user clicks outside the edited input field. For example, in the class attribute field the user can type <span>test</span>, but after clicking outside the input it becomes spantestspan.
Sanitization Rules
Basic sanitization should follow one or both of these methods:
- WordPress side validation and sanitation routines.
- Visual side validation.
Input Types
Sanitation rules for each input type:
- Name cf7Name — {string + number, lowercase}.
- Label cf7sLabel — {string}.
- Options cf7Options — {array}.
- Checkbox cf7DefaultOn, cf7Exclusive, cf7Invert, cf7IncludeBlank, cf7Placeholder, cf7UseLabelElement, cf7LabelFirst, cf7AkismetAuthor, cf7AkismetAuthorUrl, cf7AkismetAuthorEmail — {boolean}.
- Select cf7TagType, cf7sFieldSpan, cf7sReady, cf7sFieldSpan — {string/integer}.
- Content cf7sContent — {string}. No support for HTML at this stage. Refer BB issue #187 paragraph-field-content.
- Default value cf7Values — {string}.
- Date range cf7Min, cf7Max — {string date}.
- Number range cf7Min, cf7Max, cf7Limit — {integer}.
- Id cf7IdAttribute — {string}.
- Class cf7ClassAttribute — {string}. Refer sanitize_html_class.
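As an added example (not code from the CF7 Skins project), the rules in the list above expressed as an allow-list sanitizer for one Visual item on the JavaScript side. The rule bodies are constructed from the stated types, and the real tag-generator.js may differ; because client-side rules can be bypassed, the same rules still need to be applied on the WP side before saving.

```javascript
// Added example (not code from the CF7 Skins project): a table-driven, allow-list
// sanitizer applying the "Input Types" rules to one Visual item's properties.
// Rule bodies are constructed from the stated types; tag-generator.js may differ.

// Same character set WordPress's sanitize_html_class() keeps: A-Z a-z 0-9 _ -
const htmlClass = (v) => String(v).replace(/[^A-Za-z0-9_-]/g, '');
// No HTML supported: drop every tag, keep the text between them.
const plainText = (v) => String(v).replace(/<[^>]*>/g, '').trim();
// {string + number, lowercase}: lowercase letters and digits only.
const lowerAlnum = (v) => String(v).toLowerCase().replace(/[^a-z0-9]/g, '');
const bool = (v) => v === true || v === 'true' || v === 1 || v === '1';
const integer = (v) => { const n = parseInt(v, 10); return Number.isFinite(n) ? n : null; };
// {string date}: accept only YYYY-MM-DD, anything else becomes null.
const isoDate = (v) => (/^\d{4}-\d{2}-\d{2}$/.test(String(v)) ? String(v) : null);
// cf7Min/cf7Max are a date range for date fields and a number range otherwise.
const rangeFor = (item) => (item.cf7TagType === 'date' ? isoDate : integer);

const RULES = {
  cf7Name: lowerAlnum,
  cf7sLabel: plainText,
  cf7Options: (v) => (Array.isArray(v) ? v.map(plainText) : []),
  cf7DefaultOn: bool, cf7Exclusive: bool, cf7Invert: bool, cf7IncludeBlank: bool,
  cf7Placeholder: bool, cf7UseLabelElement: bool, cf7LabelFirst: bool,
  cf7AkismetAuthor: bool, cf7AkismetAuthorUrl: bool, cf7AkismetAuthorEmail: bool,
  cf7TagType: htmlClass, cf7sFieldSpan: htmlClass, cf7sReady: htmlClass,
  cf7sContent: plainText,
  cf7Values: plainText,
  cf7Min: (v, item) => rangeFor(item)(v),
  cf7Max: (v, item) => rangeFor(item)(v),
  cf7Limit: integer,
  cf7IdAttribute: htmlClass,
  cf7ClassAttribute: htmlClass,
};

// Returns a new object holding only known properties, each run through its rule.
// Unknown keys are dropped rather than passed on to the shortcode builder.
function sanitizeVisualItem(item) {
  const out = {};
  for (const [key, rule] of Object.entries(RULES)) {
    if (key in item) out[key] = rule(item[key], item);
  }
  return out;
}

// Constructed sample: the class-attribute case from the text plus a date range.
const sample = sanitizeVisualItem({
  cf7TagType: 'date', cf7Name: 'Arrival Date', cf7ClassAttribute: '<span>test</span>',
  cf7Min: '2018-02-01', cf7Max: 'not-a-date', cf7DefaultOn: '1', onclick: 'x',
});
```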
CF7_Skins_Visual_Admin.create_element()
This is where CF7 Skins tags are created with PHP DOM, applying these sanitization rules:
- Fieldset label cf7sLabel, uses wp_strip_all_tags().
- Paragraph content cf7sContent, sanitized within Visual.validateOnBlur().
- List Ready class cf7sReady, uses esc_attr().
- Button text cf7sLabel, uses esc_attr().
CF7_Skins_Visual_Admin.create_cf7_tags()
Creates the CF7 form tag/shortcode from the Visual item properties, applying the sanitization rules listed under Input Types above.
I'll check and create a list of what we've done on the WP side for sanitization:
- Saving to WP.
- Parsing from JS/React.