• sdundee

    (@sdundee)


    Your documentation specifies how form values can be prefilled:

    https://help.formassembly.com/help/prefill-through-the-url

    This was especially useful for one of our clients, who had a key hidden field that needed a value for forms to function correctly.

    To achieve this, we were using the shortcode to inject the custom values via query parameters (as outlined in the docs page above), e.g.

    [formassembly formid=123456?customid=abc123 server="https://example.tfaforms.net"]

    Unfortunately the most recent plugin update has broken this. This is because you have implemented validation that converts “formid” into an integer.

    Line 61 of wp-content/plugins/formassembly-web-forms/wp_formassembly.php:

    $fa_id = absint($atts['formid']);

    And Line 65 of wp-content/plugins/formassembly-web-forms/wp_formassembly.php:

    $fa_id = absint($atts['workflowid']);

    Previously you were not using absint.

    I appreciate that adding this filtering/type checking is best practice, but there is currently no other way to pass through custom query parameters to forms embedded using the shortcode. This is a regression, as it is still possible to pass through custom query parameters when, for example, implementing a custom iframe embed for a form.

    I would suggest that you add another custom attribute to the shortcode that allows for passing through custom query parameters to the form embed.

    Is this project open source and on GitHub? If so, I’d be happy to submit a PR for this issue if that is helpful.

Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Author FormAssembly

    (@veerwest)

    Thank you for reporting this in detail.

    The absint change was required to pass security checks, ensuring only integer IDs are accepted and reducing injection risks. For now, we don’t plan to add a shortcode attribute for arbitrary query parameters, as that would face similar concerns.



  • Thread Starter sdundee

    (@sdundee)

    Can I please ask which security checks this was implemented to pass? Are these related to wordpress.org in some way?

    To be blunt, it is an unusual and frustrating situation where there is functionality explicitly outlined in your documentation that is incompatible with this WordPress integration. I don’t really understand how implementing this functionality in custom embed code is really any different to implementing it on a shortcode?

    • This reply was modified 8 months, 3 weeks ago by sdundee.
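
The truncation discussed in this thread, and one way a separate attribute could be validated while the form ID stays a strict integer, as an added example that is not part of the thread or the plugin's code. The `prefill` attribute, the function names and the embed URL layout are assumptions made for illustration.

```php
<?php
// Added example, not FormAssembly plugin code. The `prefill` attribute,
// the function names and the URL layout are assumptions for illustration.

// WordPress defines absint(); this fallback mirrors it for standalone runs.
if (!function_exists('absint')) {
    function absint($maybeint) {
        return abs((int) $maybeint);
    }
}

// Turn a raw attribute such as "customid=abc123" into an encoded query
// string, keeping only simple scalar pairs with allow-listed key names.
function example_prefill_query(string $raw): string {
    parse_str($raw, $pairs);
    $clean = [];
    foreach ($pairs as $key => $value) {
        $key = (string) $key;
        if (!is_string($value)) {
            continue; // drop array syntax such as x[]=1
        }
        if (!preg_match('/\A[A-Za-z][A-Za-z0-9_]{0,63}\z/', $key)) {
            continue; // drop unexpected key names
        }
        if (strlen($value) > 256) {
            continue; // drop oversized values
        }
        $clean[$key] = $value;
    }
    // RFC 3986 encoding percent-encodes quotes, angle brackets and spaces.
    return http_build_query($clean, '', '&', PHP_QUERY_RFC3986);
}

function example_embed_url(array $atts): string {
    $id    = absint($atts['formid'] ?? 0); // ID stays a strict integer
    $query = example_prefill_query((string) ($atts['prefill'] ?? ''));
    $url   = rtrim((string) ($atts['server'] ?? ''), '/') . '/' . $id;
    return $query === '' ? $url : $url . '?' . $query;
}

// Constructed inputs: the shortcode value from the thread, then the split form.
$server = 'https://example.tfaforms.net';
echo absint('123456?customid=abc123'), PHP_EOL; // query string is discarded
echo example_embed_url(['formid' => '123456', 'server' => $server,
    'prefill' => 'customid=abc123&x[]=1&note=a "b"']), PHP_EOL;
```

Inside WordPress the resulting URL would still go through `esc_url()` before being written into the page.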

The topic ‘Prefilling input values is broken’ is closed to new replies.