When adding the obfuscate attribute to a DTX shortcode in a dynamic form tag, this will convert every character in the string to it’s ASCII integer value. This makes it more challenging for bots to scrape for sensitive data but allows values to continue being human readable.
For example, let’s protect the admin’s email address in hidden form field that you later plan on using in the form’s additional headers to Cc them. We would choose to use the DTX shortcode to get site info like this:
[dynamichidden send_to_admin "CF7_bloginfo key='admin_email'"]Then to add this additional layer of security, we simply add the obfuscate key and set it to 1 like this:
[dynamichidden send_to_admin "CF7_bloginfo key='admin_email' obfuscate='1'"]You can set it to any value except 0 because it just checks for a truthy value, so I usually just set it to 1 or on.
Custom Obfuscation Filter
The obfuscating feature is applied as a filter and advanced users may want to extend this functionality by adding their own custom obfuscation function. The filter sends one (1) parameter:
$value(mixed—the value to be obfuscated)
/**
* Custom DTX Obfuscate Filter
*
* @param mixed $value value to be sanitized
*
* @return string the modified value
*/
function custom_dtx_obfuscate($value = '')
{
// Do something cool to $value
return strval($value); // Always return the string value
}
add_filter('wpcf7dtx_obfuscate', 'custom_dtx_obfuscate', 10, 3);Disable DTX Obfuscating Filter
You can disable the default DTX obfuscating filter for all shortcodes that use it regardless of the attribute’s value by using this code snippet:
remove_filter('wpcf7dtx_obfuscate', 'wpcf7dtx_obfuscate', 10);Note: This only disables server-side obfuscating and will not disable obfuscating for fields with cache compatibility mode enabled.
Cache Compatibility
If the HTML of your webpage is being cached, preventing the server from processing the shortcode before displaying the form, then you can enable cache compatibility mode for any form tag using this attribute.
However, this attribute is unique in that it may not make an AJAX request. If using a built-in shortcode that can be dynamically retrieved on the client-side, it simply uses JavaScript to obfuscate the value too.
Note: obfuscated values inserted via JavaScript don’t appear to the user as intended. The functionality works and saves obfuscated in the database so emails, storage, and hidden fields are not affected. Only visible form fields that are intended to be read by humans are affected in that they show the obfuscated mumbo jumbo instead of the human-readable format.
View Source Code
View the current source code for the server-side filter or for the client-side JavaScript function.
