Executive Summary

Gravity Forms offers a suite of shortcodes that go far beyond the simple [gravityform id="1"]. While often underutilized, these shortcodes are the backbone of embedding, dynamic population, conditional display, and data retrieval. However, they come with notable performance caveats and a learning curve that power users must understand.

Embedding from PHP:

```php
// Render form #3 with AJAX, no title
echo do_shortcode( '[gravityform id="3" ajax="true" title="false"]' );
```

Better yet, use Gravity Forms' native function:

```php
// Arguments: form id 3, no title, no description, skip inactive forms,
// no pre-populated field values, AJAX submission on
gravity_form( 3, false, false, false, null, true );
```

The function is faster, bypasses the shortcode regex overhead, and supports a $display_inactive parameter that the shortcodes lack.

Security comparison of the shortcodes:

| Shortcode | XSS Risk | CSRF Protection | Data Leakage |
|-----------|----------|-----------------|--------------|
| [gravityform] | Medium (field labels) | ✅ Yes (nonce) | No |
| [gravityformspopulate] | High (if no sanitization) | ❌ None | Yes (exposes field IDs) |

If you use [gravityformspopulate field_ids="5" filter="post_id=REQUEST.post_id"] without validating the incoming post_id parameter, an attacker could inject a meta query to extract private post titles via error-based disclosure.

Gravity Forms shortcodes output inline JavaScript (var gform;) and hard-coded nonce values. This breaks page caching (e.g., Varnish, Cloudflare Full Page Cache, WP Rocket). Each page load regenerates the nonce, preventing static HTML caching.

Contact Form 7 (but far fewer features). Winner for dynamic content: Gravity Forms, but it requires developer discipline.

Final Verdict

Gravity Forms shortcodes are a powerful but leaky abstraction. They excel at embedding forms anywhere (widgets, custom post content, theme files) and at dynamic population. However, their tight coupling with inline scripts and nonces makes them a poor choice for statically cached pages.
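As an added example (not code from the original post or from Gravity Forms), this is how the incoming post_id used for dynamic population can be validated before it reaches the form, using the native gravity_form() function and its $field_values argument instead of passing REQUEST.post_id straight through. It assumes a form field whose parameter name is post_id with "allow field to be populated dynamically" enabled; the form id 3 is taken from the post.

```php
<?php
// Added example: validate and authorize a request-supplied post_id before
// using it to pre-populate Gravity Forms form #3. Assumes a field in that
// form has the parameter name "post_id" and dynamic population enabled.

function my_render_post_form() {
    // Accept only a positive integer; anything else is treated as "no value".
    $post_id = isset( $_GET['post_id'] ) ? absint( $_GET['post_id'] ) : 0;

    $field_values = array();

    if ( $post_id > 0 ) {
        $post = get_post( $post_id );

        // Only pass the id through when the post exists and the current user
        // may read it, so the form cannot be used to probe private post ids.
        if ( $post && ( 'publish' === $post->post_status || current_user_can( 'read_post', $post_id ) ) ) {
            $field_values['post_id'] = $post_id;
        }
    }

    // form id 3, no title, no description, skip inactive forms,
    // validated field values, AJAX submission on
    gravity_form( 3, false, false, false, $field_values, true );
}
```

The validated array replaces the null fifth argument from the earlier gravity_form() call; any unexpected or unauthorized post_id simply leaves the field empty.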