Update: the sanitization changes have been reverted; see the version 2.12.0 release notes.
Quform version 2.11.1 is now available. Grab it by going to Forms → Settings → License & Updates → Check for updates; it’s also available for download on CodeCanyon.
In these two updates we have implemented a sanitization fix and fixed a few bugs.
You may have noticed that Quform disappeared from CodeCanyon for a period from 21 May to 22 May; this was a temporary issue that is now resolved.
Before version 2.11.0, Quform allowed you to add <script> tags into the form if the user had the capability to add unfiltered HTML to the site (unfiltered_html), e.g. administrator users. Envato required us to stop allowing this, so these tags are now removed when the form is saved. There are 3 places in the form builder where the HTML is now filtered, so if you are using <style> tags in the form, you may need to make some adjustments.
Confirmation success message
Notification content fields
At Edit Form → Settings → Notifications, the Message (HTML) and Message (plain text) fields in the notification settings are now filtered. Any <style> tags will be removed from these fields; you can use inline styles or create the email content in PHP for full control.
HTML element content
In the settings for the HTML element, the Content field is now filtered. Any <style> tags will be removed when the form is saved; these can be moved to the fields at Forms → Settings → Custom CSS & JS (without the HTML tags).
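One way to preview what a field will lose before saving it under 2.11.x, as an added example that is not Quform's code: this Python helper separates <style> and <script> blocks from a pasted field value, so the CSS can be moved without its tags and external scripts are flagged. The names split_content and SAMPLE are hypothetical, the sample markup is constructed, and Quform's own filter may treat edge cases differently.

```python
from html.parser import HTMLParser

MOVED = ("style", "script")  # assumption: only the removal the notes describe
SAMPLE = ('<style>.note { color: #c00; }</style>'  # constructed field content
          '<p class="note">Thanks &amp; welcome<br/></p>'
          '<script src="https://example.com/a.js"></script><script>go();</script>')

class _Splitter(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=False)  # keep entities verbatim
        self.kept = []                        # markup that survives the filter
        self.blocks = {t: [] for t in MOVED}  # text found inside removed tags
        self.external = []                    # <script src="..."> URLs, no body to move
        self._inside = None

    def handle_starttag(self, tag, attrs):
        if tag in MOVED:
            self._inside = tag
        self.handle_startendtag(tag, attrs)

    def handle_startendtag(self, tag, attrs):  # also reached directly for <br/>
        if tag not in MOVED:
            self.kept.append(self.get_starttag_text())
        elif tag == "script" and dict(attrs).get("src"):
            self.external.append(dict(attrs)["src"])

    def handle_endtag(self, tag):
        if tag not in MOVED:
            self.kept.append(f"</{tag}>")
        elif tag == self._inside:
            self.blocks[tag].append("\n")  # keep consecutive blocks apart
            self._inside = None

    def handle_data(self, data):
        (self.blocks[self._inside] if self._inside else self.kept).append(data)
    def handle_entityref(self, name):
        self.kept.append(f"&{name};")
    def handle_charref(self, name):
        self.kept.append(f"&#{name};")
    def handle_comment(self, data):
        self.kept.append(f"<!--{data}-->")

def split_content(fragment):
    p = _Splitter()
    p.feed(fragment)
    p.close()
    moved = {t: "".join(p.blocks[t]).strip() for t in MOVED}
    return {"html": "".join(p.kept), "css": moved["style"],
            "js": moved["script"], "external_scripts": p.external}
```

The "html" value is what remains in the field, "css" is the text to paste into Custom CSS & JS, and anything listed under "external_scripts" has no inline body and needs handling by hand.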
Make a backup
If in doubt, make a full database backup before saving any form. Then you’ll always have a copy of the HTML code you currently have, should you need to restore it. Also please contact us if you need any help converting any code so that it works outside of these form options.
- Fixed an error submitting the form in Chrome 83
- Added HTML sanitization to the HTML element, notification content and confirmation content fields – it’s no longer possible to have SCRIPT or STYLE tags in these options – we recommend you back up your database before saving any form to avoid any loss of HTML code within the forms
- Fixed the disable CSS/JS options for Fancybox 3
- Fixed tags displaying in Textarea editor when editing entries