```php
gravity_form(3, false, false, false, null, true);
```

The argument order follows the function signature: form ID 3, no title, no description, do not render an inactive form, no pre-filled field values, AJAX submission on. The function is faster, bypasses the shortcode regex overhead, and exposes the $display_inactive parameter that the shortcode lacks.

| Shortcode | XSS Risk | CSRF Protection | Data Leakage |
|-----------|----------|-----------------|--------------|
| [gravityform] | Medium (field labels) | ✅ Yes (nonce) | No |
| [gravityformspopulate] | High (if no sanitization) | ❌ None | Yes (exposes field IDs) |

Gravity Forms shortcodes output inline JavaScript ( var gform; ) and per-request nonce values. This breaks full-page caching (e.g., Varnish, Cloudflare Full Page Cache, WP Rocket): if a nonce is regenerated on each page load, the HTML cannot be served as a static copy without handing every visitor the first visitor's token. Before excluding a page from the cache, check what the rendered markup actually contains; only values that differ between requests are a caching problem.
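The check described above, as an added example that is not part of the original post or of Gravity Forms itself. It renders a form with gravity_form() (echo = false), lists every hidden input in the markup, and compares the values with the previous run so you can see which ones really change between requests. Assumed: WP-CLI is available, form ID 3 exists, and the script is run twice with wp eval-file. The helper names (mysite_gf_*) are hypothetical.

```php
<?php
/**
 * Added cache check (not from the original post or from Gravity Forms).
 * Run twice:  wp eval-file gf-cache-check.php
 * Assumptions: WP-CLI, Gravity Forms active, form ID 3 exists.
 */

// Render the form and return its hidden inputs as name => value.
function mysite_gf_hidden_inputs( int $form_id ): array {
    // Same options as [gravityform ajax="true" title="false"], but the
    // markup is returned (8th argument false) instead of echoed.
    $html = gravity_form( $form_id, false, false, false, null, true, 0, false );
    if ( ! is_string( $html ) || '' === $html ) {
        return array(); // form missing or inactive
    }
    libxml_use_internal_errors( true ); // GF markup is not strict XHTML
    $doc = new DOMDocument();
    $doc->loadHTML( $html );
    $inputs = array();
    foreach ( ( new DOMXPath( $doc ) )->query( '//input[@type="hidden"]' ) as $input ) {
        $inputs[ $input->getAttribute( 'name' ) ] = $input->getAttribute( 'value' );
    }
    return $inputs;
}

// Return the names whose values changed, appeared, or disappeared between two snapshots.
function mysite_gf_changed_inputs( array $previous, array $current ): array {
    $changed = array();
    $names   = array_unique( array_merge( array_keys( $previous ), array_keys( $current ) ) );
    foreach ( $names as $name ) {
        if ( ( $previous[ $name ] ?? null ) !== ( $current[ $name ] ?? null ) ) {
            $changed[] = $name;
        }
    }
    return $changed;
}

$form_id  = 3; // assumed form ID
$snapshot = sys_get_temp_dir() . "/gf-cache-check-{$form_id}.json";
$current  = mysite_gf_hidden_inputs( $form_id );

foreach ( $current as $name => $value ) {
    WP_CLI::log( sprintf( '%-40s %s', $name, $value ) );
}

if ( file_exists( $snapshot ) ) {
    $previous = json_decode( (string) file_get_contents( $snapshot ), true ) ?: array();
    $changed  = mysite_gf_changed_inputs( $previous, $current );
    WP_CLI::log( $changed
        ? 'Changed since last run (per-request values, not safely cacheable): ' . implode( ', ', $changed )
        : 'No hidden input changed since last run; this markup is stable across requests.' );
}
file_put_contents( $snapshot, wp_json_encode( $current ) );
```

WordPress nonces are tied to the user and stay valid for up to twelve hours, so two anonymous runs in quick succession will match even if a nonce is present; repeat the comparison as a logged-in user and again later to see whether any value is user- or time-bound. Anything that does change is the input your cache layer has to exclude or rewrite per request.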

Executive Summary Gravity Forms offers a suite of shortcodes that go far beyond simple [gravityform id="1"] . While often underutilized, these shortcodes are the backbone of embedding, dynamic population, conditional display, and data retrieval. However, they come with notable performance caveats and learning curves that power users must understand.

Use [gravityformsaction] + custom AJAX, or implement the gform_disable_caching filter to suppress nonce output (with caution).

3. Common Pitfalls & Debugging

Problem: Form duplicates on the page when using AJAX pagination.
Cause: The shortcode's JavaScript re-initializes the form after AJAX loads new content (e.g., in a tab or modal).
Fix: Call window.gformInitDatepicker(); and gform_initialize_tooltips(); manually after DOM insertion.

Problem: Conditional logic fields flicker or show briefly.
Cause: The shortcode loads the full form HTML, then JavaScript hides the conditional fields.
Fix: Use CSS to hide all conditional fields initially, or add data-js-init="hide" via the gform_pre_render filter.

Problem: Shortcode output inside a meta box (e.g., ACF WYSIWYG) fails.
Cause: WordPress does not parse shortcodes inside post meta by default.
Fix: Apply do_shortcode(get_field('my_form_field')) in your template; the shortcode string alone won't render.

4. Advanced: Programmatic Shortcode Usage

You don't need to wait for WordPress content parsing. In any PHP template:

If you use [gravityformspopulate field_ids="5" filter="post_id=REQUEST.post_id"] without validating the incoming post_id parameter, an attacker can supply a crafted value that reaches the meta query and, as the page warns, extract private post titles via error-based disclosure. Treat post_id as untrusted input: accept only a positive integer, confirm the post exists, and check that the current user may read it before the value is used for population.

```php
<?php
// Render form #3 with AJAX submission and no title
echo do_shortcode('[gravityform id="3" ajax="true" title="false"]');
```

Better yet, use Gravity Forms' native function:
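The validation described for the post_id population parameter, together with the programmatic rendering above, as an added example that is not part of the original post or of Gravity Forms' own code. It assumes form ID 3 contains a field whose "allow field to be populated dynamically" parameter name is post_id, and uses only the documented gform_field_value_{$parameter_name} filter; the helper name mysite_safe_post_id is hypothetical.

```php
<?php
/**
 * Added example (not from the original post or from Gravity Forms).
 * Assumption: a field on form 3 is dynamically populated from the
 * parameter name "post_id"; the template renders the form with
 * gravity_form( 3, false, false, false, null, true );
 */

// Return the requested post ID only if it is a well-formed integer that
// names a post the current visitor is allowed to read; otherwise 0.
function mysite_safe_post_id(): int {
    // phpcs:ignore WordPress.Security.NonceVerification.Recommended -- read-only lookup
    $raw = isset( $_GET['post_id'] ) ? wp_unslash( $_GET['post_id'] ) : '';

    // Only a plain run of digits is accepted; arrays, "5 OR 1=1", "5[meta]" and
    // similar values never reach the population logic.
    if ( ! is_string( $raw ) || ! ctype_digit( $raw ) ) {
        return 0;
    }
    $id   = absint( $raw );
    $post = get_post( $id );
    if ( ! $post ) {
        return 0;
    }
    // Drafts, private and otherwise unpublished posts are visible only to users
    // who hold read_post on them (anonymous visitors never do).
    if ( 'publish' !== $post->post_status && ! current_user_can( 'read_post', $id ) ) {
        return 0;
    }
    // Password-protected posts stay hidden until the password cookie is present.
    if ( ! empty( $post->post_password ) && post_password_required( $post ) ) {
        return 0;
    }
    return $id;
}

// Populate every field bound to the "post_id" parameter from the validated
// value. Filter signature per Gravity Forms: ( $value, $field, $name ).
add_filter( 'gform_field_value_post_id', function ( $value, $field, $name ) {
    $id = mysite_safe_post_id();
    return $id > 0 ? (string) $id : '';
}, 10, 3 );
```

The filter is applied after Gravity Forms has consulted the query string and the $field_values array, so the validated value replaces whatever the request carried; the template call itself can stay exactly as shown above. If the form should reject rather than blank an invalid ID, return '' here and mark the field required so submission fails on the server side too.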

Contact Form 7 (but far fewer features). Winner for dynamic content: Gravity Forms, but it requires developer discipline.

Final Verdict

Gravity Forms shortcodes are a powerful but leaky abstraction. They excel at embedding forms anywhere (widgets, custom post content, theme files) and at dynamic population. However, their tight coupling with inline scripts and nonces makes them a poor choice for statically cached pages.