Viewing 1 replies (of 1 total)
  • Plugin Support Njones35

    (@njones35)

    Hi @sinapars

    I apologize for the slow response – I wanted to double-check this with our lead developer before getting back to you.

    He has confirmed that what you see is not a security problem – this is because a text field is totally open and we make sure code isn’t vulnerable to SQL injection, and it’s escaped/filtered when it is shown.

    Dropdowns support an “Other” option, so they are open fields.

    A lot of our users will use filters to dynamically set options, or jQuery, custom scripts, etc, so it’s much safer to allow the value being sent in the form regardless of value than losing it entirely and having no value set at all.

    When users want better control of their submissions, we offer full control of custom validation rules using snippets. Below is an example that will force all dropdown fields to only allow the exact set of options that were set in the form:

    function only_allow_set_options_in_dropdown( $errors, $field, $value ) {
        $target_field_id = 2492; // change this
        if ( $target_field_id === (int) $field->id ) {
            // Collect the option values configured for this field.
            $values = wp_list_pluck( $field->options, 'value' );
            // Strict comparison: reject anything that is not an exact configured value.
            if ( ! in_array( $value, $values, true ) ) {
                $errors[ 'field' . $field->id ] = 'Invalid dropdown value detected';
            }
        }
        return $errors;
    }
    add_filter( 'frm_validate_select_field_entry', 'only_allow_set_options_in_dropdown', 10, 3 );

    I hope that helps clarify things.

    Best,

  • The topic ‘Security problem’ is closed to new replies.
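
The allowlist check from the reply above, as an added example in plain PHP (it is not code from the post or from the plugin). It goes beyond the single-field snippet by also handling multi-select arrays and by showing why the strict third argument to `in_array()` matters. The helper name `submitted_choice_is_allowed` and the sample option values are assumptions made for illustration.

```php
<?php
// Added example: plain PHP, no WordPress or plugin code required.
// submitted_choice_is_allowed() is a hypothetical helper name.

/**
 * Return true only if every submitted value is one of the configured option values.
 * An empty multi-select passes here; required-field checks are a separate concern.
 */
function submitted_choice_is_allowed( $submitted, array $allowed_values ): bool {
    // A multi-select posts an array; a single dropdown posts a scalar.
    $candidates = is_array( $submitted ) ? $submitted : array( $submitted );

    // Compare as strings so an integer 10 in the configuration matches a posted "10".
    $allowed = array_map( 'strval', $allowed_values );

    foreach ( $candidates as $candidate ) {
        // Nested arrays or objects are never a legitimate option value.
        if ( ! is_scalar( $candidate ) ) {
            return false;
        }
        // Strict comparison: loose in_array() compares numeric strings as numbers,
        // so "1e1" would match the option "10".
        if ( ! in_array( (string) $candidate, $allowed, true ) ) {
            return false;
        }
    }
    return true;
}

// Constructed sample data: the option values of one dropdown.
$options = array( '10', '20', '30' );

// Loose check on a tampered value that is numerically equal to an option.
var_dump( in_array( '1e1', $options ) );
// The same tampered value through the strict helper.
var_dump( submitted_choice_is_allowed( '1e1', $options ) );
// A value that is exactly one of the options.
var_dump( submitted_choice_is_allowed( '20', $options ) );
// A multi-select submission where one entry is not an option.
var_dump( submitted_choice_is_allowed( array( '10', '99' ), $options ) );
// A nested array smuggled in place of a value.
var_dump( submitted_choice_is_allowed( array( array( '10' ) ), $options ) );
```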