PLEASE NOTE: These forums are no longer utilized and are provided as an archive for informational purposes only. All support issues will be handled via email using our support ticket system. For more detailed information on this change, please see this blog post.

Prepopulating Input not being Escaped

  1. We have a user registration field for our members to update their bio on the front end. We noticed recently that quotes weren't being properly escaped, causing an error.

    Turns out this issue is in userregistration.php in the prepopulate_input function (lines 3225 - 32310.

    Replacing:

    public function prepopulate_input($input_id, $value) {
        $filter_name = 'gfur_field_' . str_replace('.', '_', $input_id);
        add_filter("gform_field_value_{$filter_name}", create_function("", "return '$value';"));

        return $filter_name;
    }

    with:

    public function prepopulate_input($input_id, $value) {
        $value = str_replace("'", "\'", str_replace("\\", "\\\\", $value));
        $filter_name = 'gfur_field_' . str_replace('.', '_', $input_id);
        add_filter("gform_field_value_{$filter_name}", create_function("", "return '$value';"));

        return $filter_name;
    }

    Fixes the issue on our end. Please consider using this or a better solution!

    Posted 11 years ago on Tuesday January 8, 2013 | Permalink
  2. Which version of the User Registration add-on are you using? We might have already fixed this issue in a later, unreleased version. Let us know what your version is.

    Posted 11 years ago on Tuesday January 8, 2013 | Permalink
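
Added example, not part of the thread and not the add-on's own code: the `prepopulate_input` pattern from the first post, rewritten so the user-supplied value is captured by a closure as data instead of being interpolated into source text that `create_function` compiles (`create_function` was deprecated in PHP 7.2 and removed in PHP 8.0). `register_filter()` and `apply_filter()` are hypothetical stand-ins for WordPress's `add_filter()`/`apply_filters()` so the block runs on its own (PHP 7.1+), and the sample bios are constructed.

```php
<?php
// Hypothetical stand-ins for WordPress's add_filter()/apply_filters().
$filters = [];
function register_filter(string $tag, callable $cb): void {
    global $filters;
    $filters[$tag] = $cb;
}
function apply_filter(string $tag) {
    global $filters;
    return ($filters[$tag])();
}

// Closure variant: $value is captured as data and is never parsed as PHP,
// so no escaping of quotes or backslashes is needed.
function prepopulate_input(string $input_id, $value): string {
    $filter_name = 'gfur_field_' . str_replace('.', '_', $input_id);
    register_filter("gform_field_value_{$filter_name}", function () use ($value) {
        return $value;
    });
    return $filter_name;
}

// The function body the original (unescaped) pattern hands to the PHP parser.
function generated_body(string $value): string {
    return "return '$value';";
}

// If a code string really must be generated, var_export() emits a valid
// PHP string literal, escaping both quotes and backslashes.
function generated_body_exported(string $value): string {
    return 'return ' . var_export($value, true) . ';';
}

// Constructed sample bios: an apostrophe, a trailing backslash, and both.
$samples = ["I'm a developer", 'C:\\temp\\', "it's a \\' test"];
foreach ($samples as $bio) {
    $name      = prepopulate_input('4.2', $bio);
    $roundtrip = apply_filter("gform_field_value_{$name}");
    $exported  = eval(generated_body_exported($bio));
    printf("%s\n  closure round-trip intact:    %s\n", $bio, var_export($roundtrip === $bio, true));
    printf("  var_export round-trip intact: %s\n", var_export($exported === $bio, true));
    printf("  unescaped generated body:     %s\n", generated_body($bio));
}
```

For each sample the two round-trip lines print `true`, while the unescaped generated body shows where the string literal ends early and the parse error reported in the first post comes from.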