Blocking links in text field not working [RESOLVED]

I see this topic has been asked/answered a few times, but I have someone who is somehow bypassing our gform_field_validation code and we’re still getting form submissions with links (URLs) in the text field.

Oddly, our code works if I test it using our forms - I get the expected error message and am not able to submit the form (in fact all of our forms since we don’t have any fields that request a URL) BUT I regularly (several times daily) get forms submitted containing them.

Here’s the code I’m using and as mentioned it works perfectly when I test:

add_filter( 'gform_field_validation', 'custom_validation', 10, 4 );
function custom_validation( $result, $value, $form, $field ) {
	if ( $result['is_valid'] && preg_match('/\b(?:(?:https?|ftp|http):\/\/|www\.)[-a-z0-9+&@#\/%?=~_|!:,.;]*[-a-z0-9+&@#\/%=~_|]/i', $value ) ) {
		$result['is_valid'] = false;
		$result['message'] = 'Please remove URLs';
	return $result;

Since I can’t get my own tests to fail, I can’t figure how they are getting around it but they most definitely are… I am attaching a screenshot of a recent submission email.

Is it possible that bots are somehow bypassing using the actual form and submitting directly using a script in the GF plugin? If that’s how they’re doing it, what can I do to stop it?

Any help would be very gratefully welcomed!

Hi Trisha. What is the 'embed URL" in the entry for one of these that seemingly bypassed your validation?

Also, you can add logging statements to your code to see exactly what is being evaluated, and why it’s failing to detect links when it does. First, you will need to enable logging, in order for any of the rest of this to be useful.

Here is an article on how to add custom logging statements to your code:

I recommend logging the $value and the $field and also after any conditional check to see if you made it into a conditional section of your code or not. Please let us know what you find out.

I’m sorry Lewis, I don’t understand your reply …I assume you mean adding pointer-events:none to the CSS for the DIV that contains the form, but I don’t understand “This will allow clicking the links behind it.” …which links, and behind what are you referring to? :thinking:

Thank you Chris for the suggestion on the logging…I read that page and am not 100% sure of how to setup custom logging (as I’m not a coder)…the original code I have above was provided by Karl.

It seems like what I need is the section titled " Logging field validation errors". I’m not using any conditional statement for this, it’s just that code in my functions.php file and it applies to every field on every form. I’ll try to work my way through the logging and report back.

And as mentioned, when I test all of our forms and try to enter a URL into any field, I get the error message every single time…so I just don’t know how these are getting thru…I don’t see how a real person on our site could do it, so I suspect some bot that is accessing the form processing script directly somehow and not even using the form itself.

As for the “embed URL” do you mean the page that the form(s) appear on? The website is and we have two forms that appear on every Resort page, one is a request for a quote form, the other is an ‘ask me a question’ form below the first one. This person/bot is continually using the “ask me” form and even though the same ‘ask me’ form is in use on every resort page, for some reason they are always sending the form from the same page, here:

The fact that my tests fail and that they are (almost) always using that page is what leads me to suspect some backdoor way of getting through.

Hi Trisha. The Embed URL can be found on every entry in the right hand info panel. It looks like this:

That will let us know where the forms are being submitted from. Let’s start there with one of the entries they were able to slip by with links in the text.

Ah ha…that is the clue I needed…now I am sure they are bypassing the form itself and accessing the form processing script directly somehow.

I hadn’t thought to look in the entries before your last reply, but now I see that there is NO entry for any of these submissions with the URLs. None. And in the form’s settings under Notifications I have this at the bottom of the message that gets emailed to us:

Sender’s IP: {ip}
Page: {embed_post:ID} / Form: {form_id}

BUT yet what I get does not include the page title nor form ID.

The form is ALSO set to use an email address on our own domain as the “From” address, not the submitter’s address and the spammy form submissions we get do not come from the “From” address I have setup, they come from what the sender entered into the email field.

SO because the form submission is NOT showing up under Entries and does NOT use the settings I have for the form, they must be accessing the script directly.

So how do I lock this down so they can’t do that?

Have you enabled access to the REST API on the Forms > Settings >REST API (under “Enable access to the API” there is a checkbox.)

If that is enabled, the submissions can be submitted directly to the API endpoint without accessing your form.

Nope, I just verified that it is unchecked. I’ve never enabled that setting for any of our sites that has GF installed. Is there another possibility?

Have you already enabled logging on the site (without the custom logging statements I mentioned earlier)? If you can capture a submission in the log, where the entry text contains html links, we may get more clues.

In order to help troubleshoot the issue you’re having, we need to see what’s going on behind the scenes with Gravity Forms, which means we need Gravity Forms logging enabled.

You can enable logging by going to Forms > Settings > Logging. Select: On, then [Save Settings]. By default this will enable all logging on your site. Documentation for Enabling Logging:

I just now enabled the Logging in the settings…I had not yet figured out how to implement custom logging, but the normal logging is now on. As soon as I get another one of those odd submissions I’ll check the log and report back.

Thank you for your help with this…so far it hasn’t gotten overwhelming for my teammates who get the submissions, but it’s a mystery I’d like to solve!

Sounds good. We can start with normal logging to see where the submissions are coming from and how they are getting in, at the very least. The custom logging would not help if they are not submitting via the form, so we are OK without that for now.

Did you try the “text replacement” plugin for GF
It can can automatically disable links <3
We heavily use it for text replacement, uppercase, accent removal, …

OK I got a couple more of the spam submissions come in this morning and have a log file to look at, should I copy & paste it here? Or attach it as a file? I don’t really understand what it’s telling me so I need some help interpreting it, please and thank you!

Hi deefuz - thank you for the suggestion, that sounds like an interesting and useful plugin. I’m not really concerned about the links being active or disabled, my team knows they are spam and wouldn’t click on them anyway (they just delete the message)… I’m really most concerned about how someone has been getting around using the actual form and shutting that access down, but the plugin might be useful for it’s other features, I appreciate the suggestion!

Hi Trisha. Please email the system report or the Gravity Forms Core log file as an attachment to

Thank you.

Thanks Chris - I just sent it. :slight_smile:

We were able to resolve this issue offline.