To keep our users safe, Contact Form 7 – Dynamic Text Extension (DTX) sanitizes and escapes all data before inserting it as the value or placeholder of a contact form field.
When escaping data, DTX attempts to identify the type of the value and will use sanitize_email(), sanitize_url(), sanitize_key(), and sanitize_title() where applicable.
Advanced users may want to extend this functionality by adding their own custom escaping. The filter sends four (4) parameters:
$value (string): the value to be sanitized
$obfuscate (boolean): whether or not the value should be obfuscated; the default is false
$type (string): the type of sanitization to return; the default is auto, where automatic identification will be used to attempt to identify URLs and email addresses vs text
$protocols (array|string|false): specify protocols to allow, either as an array of string values or a string value of comma separated protocols; the default is boolean false, where DTX’s default uses only http and https protocols
Example of Custom Escaping
/**
 * Custom DTX Escape Filter
 *
 * @param string $value value to be escaped
 * @param bool $obfuscate Optional. If true, returned value should be obfuscated. Default is false.
 * @param string $type Optional. The type of escape to return. Default is `auto` where automatic identification will be used to attempt to identify URLs and email addresses vs text.
 * @param array|string $protocols Optional. Specify protocols to allow either as an array of string values or a string value of comma separated protocols.
 *
 * @return string the modified value
 */
function custom_dtx_escape($value = '', $obfuscate = false, $type = 'auto', $protocols = false)
{
    // Do something cool to $value
    return $value;
}
add_filter('wpcf7dtx_escape', 'custom_dtx_escape', 10, 4);
Applying DTX Escaping in Custom Shortcodes or Filters
If you’re writing a custom shortcode or modifying a built-in shortcode’s output, we highly recommend returning an escaped value to keep your website safe. If you want to use DTX’s escaping filter to do that, simply apply the filter as you return it like this:
return apply_filters('wpcf7dtx_escape', $value);
You can pass up to four (4) parameters to the DTX escaping filter to modify how escaping is performed, including whether or not to obfuscate the value, which escaping method to use, and what protocols you want to allow for URL escaping.
Additional escaping examples with DTX
If $value is a multi-line text you’re using to prefill a textarea element and you do not want it obfuscated:
return apply_filters('wpcf7dtx_escape', $value, false, 'textarea');
If $value is a URL like https://example.com and you want it obfuscated:
return apply_filters('wpcf7dtx_escape', $value, true, 'url');
If $value is a URL and you want to allow specific protocols like mailto, tel, and sms (see documentation on allowed protocols) while also obfuscating it:
return apply_filters('wpcf7dtx_escape', $value, true, 'url', array('http', 'https', 'mailto', 'tel', 'sms'));
Disable DTX Escaping Filter
Disabling the filter is highly discouraged, because allowing unfiltered data could put your website, database, or users at risk. If you still need to, you can disable it using this code snippet:
remove_filter('wpcf7dtx_escape', 'wpcf7dtx_escape', 10);
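Because apply_filters() returns its input unchanged when no callback is hooked, a custom shortcode that relies only on the DTX filter emits raw data once that filter is removed or the plugin is deactivated. The following is an added example, not code from the DTX plugin: the shortcode name my_referrer_url and the query parameter ref are hypothetical, and it falls back to WordPress core escaping when DTX's callback is not registered.

```php
<?php
/**
 * Added example (not part of DTX): prefill a form field with a URL taken from
 * the query string. The shortcode name `my_referrer_url` and the query
 * parameter `ref` are hypothetical names chosen for illustration.
 */
function my_referrer_url_shortcode($atts = array())
{
    $atts      = shortcode_atts(array('obfuscate' => ''), $atts, 'my_referrer_url');
    $obfuscate = in_array(strtolower((string) $atts['obfuscate']), array('1', 'true', 'on'), true);
    $protocols = array('http', 'https');

    // Untrusted input: the visitor (or whoever crafted the link) controls it.
    $raw = (isset($_GET['ref']) && is_string($_GET['ref'])) ? wp_unslash($_GET['ref']) : '';
    if ($raw === '') {
        return '';
    }

    // has_filter() with a callback returns its priority, or false when that
    // callback is not hooked (plugin inactive, or removed via remove_filter()).
    if (false !== has_filter('wpcf7dtx_escape', 'wpcf7dtx_escape')) {
        return apply_filters('wpcf7dtx_escape', $raw, $obfuscate, 'url', $protocols);
    }

    // Fallback to WordPress core: esc_url() returns an empty string for any
    // protocol outside the allow-list. No obfuscation is applied on this path.
    return esc_url($raw, $protocols);
}
add_shortcode('my_referrer_url', 'my_referrer_url_shortcode');
```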
View Source Code
View the current source code. This feature was introduced in version 3.3.0 of the Contact Form 7 – Dynamic Text Extension WordPress plugin.