I have some security concerns about front-end forms.
First, forms are displayed to all visitors in the front-end, without logging in. And they can add or edit pages, posts, etc. with these forms without logging in. I know that I can restrict these forms with some extra plugins, but I think it would be good to use some native WP restrictions with forms. Maybe with some options, or shortcode parameters. Do you have any suggestions about this?
Also, I did not try it, but users can actually input harmful things (code, scripts, etc.). Do these forms have some sanitize feature or something like that? Do you have any advice about this?
Regarding the 1st question: I think adding a restriction to the form is OK, we can do that. However, even if the form is restricted, you still need to prevent unwanted users from accessing that page? What do you think about this?
Regarding the 2nd problem: all post data is processed via wp_update_post and wp_insert_post. We don't run any sanitize feature for that. However, you can use these filters to perform an extra check.
This is an interesting question and I'd love to hear your feedback.
Actually, you are right about the 1st question. I may also want guest users or everyone to access the forms without logging in.
Maybe forms could be restricted by default, and there could be some options or custom parameters to remove the restriction or enable forms for everyone.
Or a Conditional Logic could be added to metaboxes and fields, something like: if user logged in / logged out / if user role is something, which also works in front-end forms...
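The two points discussed in this thread, restricting who sees a front-end form and filtering what a submission can write, can both be handled with WordPress core hooks while the plugin's own form shortcode stays untouched. The following is an added example, not code from the forum thread or from any plugin; the `[restricted_form]` wrapper shortcode, its `cap` and `message` attributes, and the inner `[the_plugin_form]` shortcode in the usage note are hypothetical names. The `wp_insert_post_data` filter is the hook that runs inside `wp_insert_post()` / `wp_update_post()`, which the reply above names as the save path, so it catches every submission regardless of which form produced it.

```php
<?php
/**
 * Added example (not from the forum thread or any plugin): two WordPress
 * core hooks that address the points raised above.
 *
 * 1. A wrapper shortcode, [restricted_form], that only renders its inner
 *    content (e.g. the form plugin's own shortcode) when the visitor is
 *    logged in and has the required capability. The shortcode name and
 *    attribute names are hypothetical.
 * 2. A wp_insert_post_data filter that runs wp_kses_post() over the post
 *    content and sanitize_text_field() over the title before the post is
 *    saved by wp_insert_post() / wp_update_post(), and keeps submissions
 *    from users without publish_posts in the 'pending' state.
 */

// 1. Restrict rendering of the enclosed form to users with a capability.
add_shortcode( 'restricted_form', function ( $atts, $content = '' ) {
    $atts = shortcode_atts(
        array(
            'cap'     => 'edit_posts',                 // capability required to see the form
            'message' => 'Please log in to use this form.',
        ),
        $atts,
        'restricted_form'
    );

    // Logged-out visitors and users lacking the capability never get the form markup.
    if ( ! is_user_logged_in() || ! current_user_can( $atts['cap'] ) ) {
        return '<p>' . esc_html( $atts['message'] ) . '</p>';
    }

    // Render the wrapped form shortcode only for authorised users.
    return do_shortcode( $content );
} );

// 2. Filter post data before it is written, regardless of which form submitted it.
add_filter( 'wp_insert_post_data', function ( $data, $postarr ) {
    // Front-end submissions should not go live without review: users who
    // cannot publish_posts get their post held as 'pending' instead.
    if ( 'publish' === $data['post_status'] && ! current_user_can( 'publish_posts' ) ) {
        $data['post_status'] = 'pending';
    }

    // $data arrives slashed at this point; unslash, filter, then re-slash.
    // wp_kses_post() keeps the HTML an editor may use and strips <script>,
    // event handlers and other disallowed markup.
    $content              = wp_unslash( $data['post_content'] );
    $data['post_content'] = wp_slash( wp_kses_post( $content ) );

    // Titles should be plain text only.
    $title              = wp_unslash( $data['post_title'] );
    $data['post_title'] = wp_slash( sanitize_text_field( $title ) );

    return $data;
}, 10, 2 );
```

Usage in a page: `[restricted_form cap="edit_posts"][the_plugin_form id="1"][/restricted_form]`, where `[the_plugin_form]` stands for whatever shortcode the form plugin actually provides. The shortcode only controls what is rendered; the `wp_insert_post_data` filter is what actually limits the effect of a crafted POST request, since it runs server-side on every insert and update, and `current_user_can()` inside it evaluates against the anonymous user for guest submissions, so those can never be published directly.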