Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Support Jonathan Martínez

    (@jonathanenlared)

    Hey @jreedpasd

    Could you share more details about the issue that you’re experiencing?

    Best,

    Thread Starter jreedpasd

    (@jreedpasd)

    Not necessarily an issue, but we have a contact form that includes first name, last name, etc. Our security consultants tested the form and used HTML code like <a >Jason</a> within the first name text field.

    When we received the notification from the contact form, the HTML code came through as a hyperlink. Our security team sees this as a vulnerability with the plugin since it's not cleansing the HTML code. They see this as someone could submit a link hoping someone would click on it and send them to a malicious website.

    Plugin Support Njones35

    (@njones35)

    Hi @jreedpasd

    Hyperlinks are not usually considered malicious HTML and because of this are not automatically sanitized. In many web forms hyperlinks need to be allowed simply for the form to function the way the owner intended.

    That said, the Pro version of our plugin has conditional logic features that can display a warning and disable the submit button when a hyperlink is added.

    We can only support the Lite plugin here, but if you are a Pro user or would like further presale information about this Pro feature, could I ask you please to open a ticket in our helpdesk here: https://formidableforms.com/new-topic/

    Thank you!
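For the reporter's scenario, here is an added example (not the plugin's code; the submission, field names and URL are constructed) of what a form handler can do on the server: flag values that carry an anchor tag or URL, strip markup from fields that should only ever be plain text such as names, and escape every value before it lands in the HTML notification so a mail client shows the literal text rather than a link.

```python
import html
import re

# Constructed sample submission mirroring the thread: markup in a plain-text name field.
# The URL is a hypothetical placeholder, not taken from the original post.
SAMPLE_SUBMISSION = {
    "first_name": '<a href="https://example.invalid/">Jason</a>',
    "last_name": "Reed",
    "message": "Please call me back.",
}

# Fields that must never carry markup; whatever is submitted is treated as literal text.
PLAIN_TEXT_FIELDS = {"first_name", "last_name"}

TAG_RE = re.compile(r"<[^>]+>")
ANCHOR_RE = re.compile(r"<\s*a\b", re.IGNORECASE)
URL_RE = re.compile(r"\b(?:https?://|www\.)\S+", re.IGNORECASE)


def contains_hyperlink(value: str) -> bool:
    """Detection: True when a value carries an <a> tag or a bare URL.
    This is the check behind a 'warn and disable submit' rule."""
    return bool(ANCHOR_RE.search(value) or URL_RE.search(value))


def to_plain_text(value: str) -> str:
    """Remove any tags from a field that is only ever supposed to hold text."""
    return TAG_RE.sub("", value).strip()


def render_notification(submission: dict) -> tuple[str, list[str]]:
    """Build the HTML notification body with every value escaped.
    Returns (body, names of fields flagged as containing a hyperlink)."""
    flagged = [name for name, value in submission.items() if contains_hyperlink(value)]
    rows = []
    for name, value in submission.items():
        if name in PLAIN_TEXT_FIELDS:
            value = to_plain_text(value)
        # Escaping turns any remaining '<', '>' or '&' into entities, so the mail
        # client displays the characters instead of interpreting them as markup.
        rows.append(f"<li>{html.escape(name)}: {html.escape(value)}</li>")
    return "<ul>\n" + "\n".join(rows) + "\n</ul>", flagged
```

Stripping tags from name fields and escaping everything else keeps the notification readable while ensuring no submitted markup is rendered; the flagged list can drive a warning to the site owner or a rejection of the submission.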

  • The topic ‘Cleansing HTML from Submitted Data’ is closed to new replies.