29 changes: 29 additions & 0 deletions gravity-forms/gw-custom-modifier-file-upload.php
@@ -0,0 +1,29 @@
<?php
/**
* Gravity Wizards // Gravity Forms // Custom Modifier for File Upload
*
* This snippet is an example of how to add custom modifiers to a Gravity Forms file upload field.
*
* Instructions:
*
* 1. Add to snippet to site. See https://gravitywiz.com/documentation/how-do-i-install-a-snippet/.
*/
add_filter( 'gform_merge_tag_filter', function ( $value, $merge_tag, $modifier, $field, $raw_value, $format ) {
if ( $merge_tag != 'all_fields' && $field->type == 'fileupload' && ! empty( $raw_value ) && $modifier == 'filename' ) {
if ( ! $field->multipleFiles ) {
$value = basename( $raw_value );
} else {
$file_list = [];
foreach ( json_decode( $raw_value ) as $filepath ) {
$file_list[] = basename( $filepath );
}
$value = implode( '<br />', $file_list );
}

🛠️ Refactor suggestion

⚠️ Potential issue

Escape output, strip query strings, honor $format, and harden JSON handling

Avoid potential XSS by escaping HTML output, remove query strings from URLs, respect text vs HTML output via $format, and guard against invalid JSON for multi-file values.

-			$value = basename( $raw_value );
+			// Strip query string/fragment and escape for HTML when appropriate.
+			$path     = is_string( $raw_value ) ? parse_url( $raw_value, PHP_URL_PATH ) : '';
+			$filename = wp_basename( $path ? $path : (string) $raw_value );
+			$value    = ( $format === 'text' ) ? $filename : esc_html( $filename );
@@
-			$file_list = [];
-			foreach ( json_decode( $raw_value ) as $filepath ) {
-				$file_list[] = basename( $filepath );
-			}
-			$value = implode( '<br />', $file_list );
+			$file_list = [];
+			$decoded   = json_decode( $raw_value, true );
+			if ( is_array( $decoded ) ) {
+				foreach ( $decoded as $filepath ) {
+					$path        = parse_url( $filepath, PHP_URL_PATH );
+					$file_list[] = ( $format === 'text' ) ? wp_basename( $path ) : esc_html( wp_basename( $path ) );
+				}
+			} else {
+				// Fallback if the value isn't valid JSON.
+				$path        = is_string( $raw_value ) ? parse_url( $raw_value, PHP_URL_PATH ) : '';
+				$file_list[] = ( $format === 'text' ) ? wp_basename( $path ? $path : (string) $raw_value ) : esc_html( wp_basename( $path ? $path : (string) $raw_value ) );
+			}
+			$separator = ( $format === 'text' ) ? "\n" : '<br />';
+			$value     = implode( $separator, $file_list );
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
$value = basename( $raw_value );
} else {
$file_list = [];
foreach ( json_decode( $raw_value ) as $filepath ) {
$file_list[] = basename( $filepath );
}
$value = implode( '<br />', $file_list );
}
// Strip query string/fragment and escape for HTML when appropriate.
$path = is_string( $raw_value ) ? parse_url( $raw_value, PHP_URL_PATH ) : '';
$filename = wp_basename( $path ? $path : (string) $raw_value );
$value = ( $format === 'text' ) ? $filename : esc_html( $filename );
} else {
$file_list = [];
$decoded = json_decode( $raw_value, true );
if ( is_array( $decoded ) ) {
foreach ( $decoded as $filepath ) {
$path = parse_url( $filepath, PHP_URL_PATH );
$file_list[] = ( $format === 'text' ) ? wp_basename( $path ) : esc_html( wp_basename( $path ) );
}
} else {
// Fallback if the value isn't valid JSON.
$path = is_string( $raw_value ) ? parse_url( $raw_value, PHP_URL_PATH ) : '';
$file_list[] = ( $format === 'text' )
? wp_basename( $path ? $path : (string) $raw_value )
: esc_html( wp_basename( $path ? $path : (string) $raw_value ) );
}
$separator = ( $format === 'text' ) ? "\n" : '<br />';
$value = implode( $separator, $file_list );
}
🤖 Prompt for AI Agents
In gravity-forms/gw-custom-modifier-file-upload.php around lines 14 to 21, the
code currently outputs raw basenames from $raw_value and multi-file JSON without
escaping, removing query strings, honoring the $format parameter, or validating
JSON; update it to: detect whether $raw_value is JSON and safely json_decode
with error checking, ensure the decoded value is an array before iterating,
strip any query string or params from each filepath (e.g. remove anything after
the first '?' or '#') before calling basename, escape the final output for HTML
when $format !== 'text' (and for text output return plain, newline-separated
values when $format === 'text'), and handle fallback to a single safe basename
when JSON is invalid — this will prevent XSS, respect $format, and harden JSON
handling.

}
return $value;
}, 10, 6 );

// For GP Media Library
add_filter( 'gpml_image_merge_tag_skip_modifiers', function( $skip_modifiers, $modifiers, $input_id, $image_ids ) {
return [ 'filename' ];

🛠️ Refactor suggestion

Preserve other modifiers skipped by GPML

Don’t clobber existing $skip_modifiers; merge with them to remain compatible with other customizations.

-return [ 'filename' ];
+$skip_modifiers = is_array( $skip_modifiers ) ? $skip_modifiers : array();
+$skip_modifiers[] = 'filename';
+return array_values( array_unique( $skip_modifiers ) );
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
return [ 'filename' ];
// Preserve any previously skipped modifiers, then add 'filename'
$skip_modifiers = is_array( $skip_modifiers ) ? $skip_modifiers : array();
$skip_modifiers[] = 'filename';
return array_values( array_unique( $skip_modifiers ) );
🤖 Prompt for AI Agents
In gravity-forms/gw-custom-modifier-file-upload.php around line 28, the function
currently returns [ 'filename' ] which clobbers any existing $skip_modifiers;
instead merge your modifier into the incoming $skip_modifiers and return the
combined set. Modify the code to add 'filename' to $skip_modifiers (e.g.
$skip_modifiers[] = 'filename' or $skip_modifiers = array_merge($skip_modifiers,
['filename'])), then ensure uniqueness/reset keys (e.g. return
array_values(array_unique($skip_modifiers))) so other GPML/custom modifiers are
preserved.

}, 10, 4 );
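Review bot: The `$modifier == 'filename'` test in the first callback's condition only matches when `filename` is the sole modifier on the merge tag. Gravity Forms appears to pass the whole modifier string to this filter, so a tag that combines modifiers (constructed example: `{File:1:filename,other}`) would skip this branch and return the unmodified value, presumably the full upload URL, which matters if the modifier is being used to keep upload paths out of notifications. A membership test would cover both cases: `in_array( 'filename', array_map( 'trim', explode( ',', (string) $modifier ) ), true )`. The same condition uses loose `!=`/`==` for `$merge_tag` and `$field->type`; `!==`/`===` would avoid type juggling on those string comparisons. The header docblock also gives only install steps, so a usage line showing the merge tag with the `:filename` modifier would help.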