Security measures built into Form Forge and recommendations for developers extending it.
## Input Sanitization
Every submitted field value is sanitized through FORMFORGE_Field_Types::sanitize() which applies type-specific sanitization:
| Field Type | Sanitization Function |
|---|---|
| text, password | sanitize_text_field() |
| email | sanitize_email() |
| url | esc_url_raw() |
| textarea | sanitize_textarea_field() |
| number, range, rating | absint() or floatval() |
| html_block | wp_kses_post() |
| All others | sanitize_text_field() |
## Nonce Verification
Every form submission verifies a WordPress nonce to prevent CSRF attacks:
```php
check_ajax_referer( 'formforge_nonce', 'nonce' );
```
## SQL Injection Prevention
All database queries use $wpdb->prepare() with parameterized placeholders:
```php
$wpdb->get_results( $wpdb->prepare(
    "SELECT * FROM {$table} WHERE form_id = %d AND status = %s",
    $form_id, 'new'
) );
```
## XSS Prevention
All output uses WordPress escaping functions:
```php
esc_html( $field['label'] );
esc_attr( $field['id'] );
esc_url( $file_url );
wp_kses_post( $html_content );
```
## Capability Checks
Admin endpoints verify manage_options capability. Public endpoints (submission, templates) have appropriate access controls.
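As an added example (not Form Forge's own code), the public submission handler below combines the controls described on this page: the nonce check, type-specific sanitization driven by a server-side field schema that mirrors the table above, and a parameterized insert. The `formforge_example_*` names, the sample schema and the table suffix are assumptions.

```php
<?php
// Added example, not Form Forge's own code: a public submission handler applying the
// controls on this page in order: nonce, server-side schema, per-type sanitization,
// parameterized insert. All formforge_example_* names and the table suffix are assumptions.
add_action( 'wp_ajax_formforge_example_submit', 'formforge_example_submit' );
add_action( 'wp_ajax_nopriv_formforge_example_submit', 'formforge_example_submit' );

function formforge_example_sanitize( string $type, string $value ) {
    // Same type-to-function mapping as the table above; unknown types fall back to text.
    switch ( $type ) {
        case 'email':      return sanitize_email( $value );
        case 'url':        return esc_url_raw( $value );
        case 'textarea':   return sanitize_textarea_field( $value );
        case 'html_block': return wp_kses_post( $value );
        case 'number':
        case 'range':
        case 'rating':     // integer strings keep absint(); anything else becomes a float (or 0.0)
            return ctype_digit( $value ) ? absint( $value ) : floatval( $value );
        default:           return sanitize_text_field( $value );
    }
}

function formforge_example_submit() {
    global $wpdb;
    // 1. CSRF: dies with HTTP 403 unless the 'nonce' POST field validates for this action.
    check_ajax_referer( 'formforge_nonce', 'nonce' );

    // 2. Field types come from the stored form definition (constructed sample here), never
    //    from the request, so a client cannot pick a weaker sanitizer by declaring its own type.
    $schema  = array( 'name' => 'text', 'email' => 'email', 'score' => 'rating', 'notes' => 'textarea' );
    $form_id = absint( $_POST['form_id'] ?? 0 );
    if ( ! $form_id ) {
        wp_send_json_error( 'missing form_id', 400 );
    }
    $clean = array();
    foreach ( $schema as $field => $type ) {
        $raw = $_POST['fields'][ $field ] ?? '';
        $clean[ $field ] = formforge_example_sanitize( $type, is_scalar( $raw ) ? wp_unslash( (string) $raw ) : '' );
    }

    // 3. Parameterized insert: %d/%s placeholders; the table name comes only from the trusted
    //    $wpdb->prefix, never from user input.
    $table = $wpdb->prefix . 'formforge_example_entries';
    $wpdb->query( $wpdb->prepare(
        "INSERT INTO {$table} (form_id, status, data, created) VALUES (%d, %s, %s, %s)",
        $form_id, 'new', wp_json_encode( $clean ), current_time( 'mysql' )
    ) );
    // 4. Anything echoed back to the browser is escaped.
    wp_send_json_success( array( 'name' => esc_html( $clean['name'] ) ) );
}
```

Because the schema, not the request, selects the sanitizer, a request that sends `"rating" => "<script>"` is reduced to `0.0` rather than reaching the database as text.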