PluginProbe ʕ •ᴥ•ʔ
Secure Custom Fields / 6.4.2
Secure Custom Fields v6.4.2
6.9.1 6.9.0 6.8.9 6.8.7 6.8.8 6.8.6 6.8.4 6.8.5 trunk 6.4.0-beta1 6.4.0-beta2 6.4.1 6.4.1-beta3 6.4.1-beta4 6.4.1-beta5 6.4.1-beta6 6.4.1-beta7 6.4.2 6.5.0 6.5.1 6.5.2 6.5.3 6.5.4 6.5.5 6.5.6 6.5.7 6.6.0 6.7.0 6.7.1 6.8.0 6.8.1 6.8.2 6.8.3
secure-custom-fields / includes / forms / form-front.php
secure-custom-fields / includes / forms Last commit date
form-attachment.php 1 year ago form-comment.php 1 year ago form-customizer.php 1 year ago form-front.php 1 year ago form-gutenberg.php 1 year ago form-nav-menu.php 1 year ago form-post.php 1 year ago form-taxonomy.php 1 year ago form-user.php 1 year ago form-widget.php 1 year ago index.php 1 year ago
form-front.php
587 lines
1 <?php
2
3 if ( ! defined( 'ABSPATH' ) ) {
4 exit; // Exit if accessed directly
5 }
6
7 if ( ! class_exists( 'acf_form_front' ) ) :
8 #[AllowDynamicProperties]
9 class acf_form_front {
10
11 /** @var array An array of registered form settings */
12 private $forms = array();
13
14 /** @var array An array of default fields */
15 public $fields = array();
16
17
18 /**
19 * This function will setup the class functionality
20 *
21 * @type function
22 * @date 5/03/2014
23 * @since ACF 5.0.0
24 *
25 * @param n/a
26 * @return n/a
27 */
28 function __construct() {
29
30 // vars
31 $this->fields = array(
32
33 '_post_title' => array(
34 'prefix' => 'acf',
35 'name' => '_post_title',
36 'key' => '_post_title',
37 'label' => __( 'Title', 'secure-custom-fields' ),
38 'type' => 'text',
39 'required' => true,
40 ),
41
42 '_post_content' => array(
43 'prefix' => 'acf',
44 'name' => '_post_content',
45 'key' => '_post_content',
46 'label' => __( 'Content', 'secure-custom-fields' ),
47 'type' => 'wysiwyg',
48 ),
49
50 '_validate_email' => array(
51 'prefix' => 'acf',
52 'name' => '_validate_email',
53 'key' => '_validate_email',
54 'label' => __( 'Validate Email', 'secure-custom-fields' ),
55 'type' => 'text',
56 'value' => '',
57 'wrapper' => array( 'style' => 'display:none !important;' ),
58 ),
59
60 );
61
62 // actions
63 add_action( 'acf/validate_save_post', array( $this, 'validate_save_post' ), 1 );
64
65 // filters
66 add_filter( 'acf/pre_save_post', array( $this, 'pre_save_post' ), 5, 2 );
67 }
68
69
70 /**
71 * description
72 *
73 * @type function
74 * @date 28/2/17
75 * @since ACF 5.5.8
76 *
77 * @param $post_id (int)
78 * @return $post_id (int)
79 */
80 function validate_form( $args ) {
81
82 // defaults
83 // Todo: Allow message and button text to be generated by CPT settings.
84 $args = wp_parse_args(
85 $args,
86 array(
87 'id' => 'acf-form',
88 'post_id' => false,
89 'new_post' => false,
90 'field_groups' => false,
91 'fields' => false,
92 'post_title' => false,
93 'post_content' => false,
94 'form' => true,
95 'form_attributes' => array(),
96 'return' => add_query_arg( 'updated', 'true', acf_get_current_url() ),
97 'html_before_fields' => '',
98 'html_after_fields' => '',
99 'submit_value' => __( 'Update', 'secure-custom-fields' ),
100 'updated_message' => __( 'Post updated', 'secure-custom-fields' ),
101 'label_placement' => 'top',
102 'instruction_placement' => 'label',
103 'field_el' => 'div',
104 'uploader' => 'wp',
105 'honeypot' => true,
106 'html_updated_message' => '<div id="message" class="updated"><p>%s</p></div>', // 5.5.10
107 'html_submit_button' => '<input type="submit" class="acf-button button button-primary button-large" value="%s" />', // 5.5.10
108 'html_submit_spinner' => '<span class="acf-spinner"></span>', // 5.5.10
109 'kses' => true, // 5.6.5
110 )
111 );
112
113 $args['form_attributes'] = wp_parse_args(
114 $args['form_attributes'],
115 array(
116 'id' => $args['id'],
117 'class' => 'acf-form',
118 'action' => '',
119 'method' => 'post',
120 )
121 );
122
123 // filter post_id
124 $args['post_id'] = acf_get_valid_post_id( $args['post_id'] );
125
126 // new post?
127 if ( $args['post_id'] === 'new_post' ) {
128 $args['new_post'] = wp_parse_args(
129 $args['new_post'],
130 array(
131 'post_type' => 'post',
132 'post_status' => 'draft',
133 )
134 );
135 }
136
137 // filter
138 $args = apply_filters( 'acf/validate_form', $args );
139
140 // return
141 return $args;
142 }
143
144
145 /**
146 * description
147 *
148 * @type function
149 * @date 28/2/17
150 * @since ACF 5.5.8
151 *
152 * @param $post_id (int)
153 * @return $post_id (int)
154 */
155 function add_form( $args = array() ) {
156
157 // validate
158 $args = $this->validate_form( $args );
159
160 // append
161 $this->forms[ $args['id'] ] = $args;
162 }
163
164
165 /**
166 * description
167 *
168 * @type function
169 * @date 28/2/17
170 * @since ACF 5.5.8
171 *
172 * @param $post_id (int)
173 * @return $post_id (int)
174 */
175 function get_form( $id = '' ) {
176
177 // bail early if not set
178 if ( ! isset( $this->forms[ $id ] ) ) {
179 return false;
180 }
181
182 // return
183 return $this->forms[ $id ];
184 }
185
186 function get_forms() {
187 return $this->forms;
188 }
189
190 /**
191 * This function will validate fields from the above array
192 *
193 * @type function
194 * @date 7/09/2016
195 * @since ACF 5.4.0
196 *
197 * @param $post_id (int)
198 * @return $post_id (int)
199 */
200 function validate_save_post() {
201
202 // register field if isset in $_POST
203 foreach ( $this->fields as $k => $field ) {
204
205 // bail early if no in $_POST
206 if ( ! isset( $_POST['acf'][ $k ] ) ) { // phpcs:ignore WordPress.Security.NonceVerification.Missing -- Verified elsewhere.
207 continue;
208 }
209
210 // register
211 acf_add_local_field( $field );
212 }
213
214 // honeypot
215 if ( ! empty( $_POST['acf']['_validate_email'] ) ) { // phpcs:ignore WordPress.Security.NonceVerification.Missing -- Data not used; presence indicates spam.
216
217 acf_add_validation_error( '', __( 'Spam Detected', 'secure-custom-fields' ) );
218 }
219 }
220
221
222 /**
223 * description
224 *
225 * @type function
226 * @date 7/09/2016
227 * @since ACF 5.4.0
228 *
229 * @param $post_id (int)
230 * @return $post_id (int)
231 */
232 function pre_save_post( $post_id, $form ) {
233
234 // vars
235 $save = array(
236 'ID' => 0,
237 );
238
239 // determine save data
240 if ( is_numeric( $post_id ) ) {
241
242 // update post
243 $save['ID'] = $post_id;
244 } elseif ( $post_id == 'new_post' ) {
245
246 // merge in new post data
247 $save = array_merge( $save, $form['new_post'] );
248 } else {
249
250 // not post
251 return $post_id;
252 }
253
254 // phpcs:disable WordPress.Security.NonceVerification.Missing -- Verified in check_submit_form().
255 // save post_title
256 if ( isset( $_POST['acf']['_post_title'] ) ) {
257 $save['post_title'] = acf_extract_var( $_POST['acf'], '_post_title' ); // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized -- Sanitized by WP when saved.
258 }
259
260 // save post_content
261 if ( isset( $_POST['acf']['_post_content'] ) ) {
262 $save['post_content'] = acf_extract_var( $_POST['acf'], '_post_content' ); // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized -- Sanitized by WP when saved.
263 }
264 // phpcs:enable WordPress.Security.NonceVerification.Missing
265
266 // honeypot
267 if ( ! empty( $_POST['acf']['_validate_email'] ) ) { // phpcs:ignore WordPress.Security.NonceVerification.Missing -- Data not used; presence indicates spam.
268 return false;
269 }
270
271 // validate
272 if ( count( $save ) == 1 ) {
273 return $post_id;
274 }
275
276 // save
277 if ( $save['ID'] ) {
278 wp_update_post( $save );
279 } else {
280 $post_id = wp_insert_post( $save );
281 }
282
283 // return
284 return $post_id;
285 }
286
287
288 /**
289 * This function will enqueue a form
290 *
291 * @type function
292 * @date 7/09/2016
293 * @since ACF 5.4.0
294 *
295 * @param $post_id (int)
296 * @return $post_id (int)
297 */
298 function enqueue_form() {
299
300 // check
301 $this->check_submit_form();
302
303 // load acf scripts
304 acf_enqueue_scripts();
305 }
306
307
308 /**
309 * This function will maybe submit form data
310 *
311 * @type function
312 * @date 3/3/17
313 * @since ACF 5.5.10
314 *
315 * @param n/a
316 * @return n/a
317 */
318 function check_submit_form() {
319
320 // Verify nonce.
321 if ( ! acf_verify_nonce( 'acf_form' ) ) {
322 return false;
323 }
324
325 // Confirm form was submit.
326 if ( ! isset( $_POST['_acf_form'] ) ) {
327 return false;
328 }
329
330 // Load registered form using id.
331 $form = $this->get_form( acf_sanitize_request_args( $_POST['_acf_form'] ) );
332
333 // Fallback to encrypted JSON.
334 if ( ! $form ) {
335 $form = json_decode( acf_decrypt( sanitize_text_field( $_POST['_acf_form'] ) ), true );
336 if ( ! $form ) {
337 return false;
338 }
339 }
340
341 // Run kses on all $_POST data.
342 if ( $form['kses'] && isset( $_POST['acf'] ) ) {
343 $_POST['acf'] = wp_kses_post_deep( $_POST['acf'] ); // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized -- False positive.
344 }
345
346 // Validate data and show errors.
347 // Todo: Return WP_Error and show above form, keeping input values.
348 acf_validate_save_post( true );
349
350 // Submit form.
351 $this->submit_form( $form );
352 }
353
354
355 /**
356 * This function will submit form data
357 *
358 * @type function
359 * @date 3/3/17
360 * @since ACF 5.5.10
361 *
362 * @param n/a
363 * @return n/a
364 */
365 function submit_form( $form ) {
366
367 // filter
368 $form = apply_filters( 'acf/pre_submit_form', $form );
369
370 // vars
371 $post_id = acf_maybe_get( $form, 'post_id', 0 );
372
373 // add global for backwards compatibility
374 $GLOBALS['acf_form'] = $form;
375
376 // allow for custom save
377 $post_id = apply_filters( 'acf/pre_save_post', $post_id, $form );
378
379 // save
380 acf_save_post( $post_id );
381
382 // restore form (potentially modified)
383 $form = $GLOBALS['acf_form'];
384
385 // action
386 do_action( 'acf/submit_form', $form, $post_id );
387
388 // vars
389 $return = acf_maybe_get( $form, 'return', '' );
390
391 // redirect
392 if ( $return ) {
393
394 // update %placeholders%
395 $return = str_replace( '%post_id%', $post_id, $return );
396 $return = str_replace( '%post_url%', get_permalink( $post_id ), $return );
397
398 // redirect
399 wp_redirect( $return ); //phpcs:ignore WordPress.Security.SafeRedirect.wp_redirect_wp_redirect -- unsafe redirects allowed.
400 exit;
401 }
402 }
403
404
405 /**
406 * description
407 *
408 * @type function
409 * @date 7/09/2016
410 * @since ACF 5.4.0
411 *
412 * @param $post_id (int)
413 * @return $post_id (int)
414 */
415 function render_form( $args = array() ) {
416
417 // Vars.
418 $is_registered = false;
419 $field_groups = array();
420 $fields = array();
421
422 // Allow form settings to be directly provided.
423 if ( is_array( $args ) ) {
424 $args = $this->validate_form( $args );
425
426 // Otherwise, lookup registered form.
427 } else {
428 $is_registered = true;
429 $args = $this->get_form( $args );
430 if ( ! $args ) {
431 return false;
432 }
433 }
434
435 // Extract vars.
436 $post_id = $args['post_id'];
437
438 // Prevent ACF from loading values for "new_post".
439 if ( $post_id === 'new_post' ) {
440 $post_id = false;
441 }
442
443 // Set uploader type.
444 acf_update_setting( 'uploader', $args['uploader'] );
445
446 // Register local fields.
447 foreach ( $this->fields as $k => $field ) {
448 acf_add_local_field( $field );
449 }
450
451 // Append post_title field.
452 if ( $args['post_title'] ) {
453 $_post_title = acf_get_field( '_post_title' );
454 $_post_title['value'] = $post_id ? get_post_field( 'post_title', $post_id ) : '';
455 $fields[] = $_post_title;
456 }
457
458 // Append post_content field.
459 if ( $args['post_content'] ) {
460 $_post_content = acf_get_field( '_post_content' );
461 $_post_content['value'] = $post_id ? get_post_field( 'post_content', $post_id ) : '';
462 $fields[] = $_post_content;
463 }
464
465 // Load specific fields.
466 if ( $args['fields'] ) {
467
468 // Lookup fields using $strict = false for better compatibility with field names.
469 foreach ( $args['fields'] as $selector ) {
470 $fields[] = acf_maybe_get_field( $selector, $post_id, false );
471 }
472
473 // Load specific field groups.
474 } elseif ( $args['field_groups'] ) {
475 foreach ( $args['field_groups'] as $selector ) {
476 $field_groups[] = acf_get_field_group( $selector );
477 }
478
479 // Load fields for the given "new_post" args.
480 } elseif ( $args['post_id'] == 'new_post' ) {
481 $field_groups = acf_get_field_groups( $args['new_post'] );
482
483 // Load fields for the given "post_id" arg.
484 } else {
485 $field_groups = acf_get_field_groups(
486 array(
487 'post_id' => $args['post_id'],
488 )
489 );
490 }
491
492 // load fields from the found field groups.
493 if ( $field_groups ) {
494 foreach ( $field_groups as $field_group ) {
495 $_fields = acf_get_fields( $field_group );
496 if ( $_fields ) {
497 foreach ( $_fields as $_field ) {
498 $fields[] = $_field;
499 }
500 }
501 }
502 }
503
504 // Add honeypot field.
505 if ( $args['honeypot'] ) {
506 $fields[] = acf_get_field( '_validate_email' );
507 }
508
509 // Display updated_message
510 if ( ! empty( $_GET['updated'] ) && $args['updated_message'] ) { // phpcs:ignore WordPress.Security.NonceVerification.Recommended -- Used as a flag; data not used.
511 printf( $args['html_updated_message'], $args['updated_message'] ); //phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped -- designed to contain potentially unsafe HTML, set by developers.
512 }
513
514 // display form
515 if ( $args['form'] ) : ?>
516 <form <?php echo acf_esc_attrs( $args['form_attributes'] ); ?>>
517 <?php
518 endif;
519
520 // Render hidde form data.
521 acf_form_data(
522 array(
523 'screen' => 'acf_form',
524 'post_id' => $args['post_id'],
525 'form' => $is_registered ? $args['id'] : acf_encrypt( json_encode( $args ) ),
526 )
527 );
528
529 ?>
530 <div class="acf-fields acf-form-fields -<?php echo esc_attr( $args['label_placement'] ); ?>">
531 <?php echo $args['html_before_fields']; ?><?php //phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped -- designed to contain potentially unsafe HTML, set by developers. ?>
532 <?php acf_render_fields( $fields, $post_id, $args['field_el'], $args['instruction_placement'] ); ?>
533 <?php echo $args['html_after_fields']; ?><?php //phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped -- designed to contain potentially unsafe HTML, set by developers. ?>
534 </div>
535 <?php if ( $args['form'] ) : ?>
536 <div class="acf-form-submit">
537 <?php printf( $args['html_submit_button'], $args['submit_value'] ); ?><?php //phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped -- designed to contain potentially unsafe HTML, set by developers. ?>
538 <?php echo $args['html_submit_spinner']; ?><?php //phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped -- designed to contain potentially unsafe HTML, set by developers. ?>
539 </div>
540 </form>
541 <?php endif;
542 }
543 }
544
545 // initialize
546 acf()->form_front = new acf_form_front();
547 endif; // class_exists check
548
549
550 /**
551 * Functions
552 *
553 * alias of acf()->form->functions
554 *
555 * @type function
556 * @date 11/06/2014
557 * @since ACF 5.0.0
558 *
559 * @param n/a
560 * @return n/a
561 */
562 function acf_form_head() {
563
564 acf()->form_front->enqueue_form();
565 }
566
567 function acf_form( $args = array() ) {
568
569 acf()->form_front->render_form( $args );
570 }
571
572 function acf_get_form( $id = '' ) {
573
574 return acf()->form_front->get_form( $id );
575 }
576
577 function acf_get_forms() {
578 return acf()->form_front->get_forms();
579 }
580
581 function acf_register_form( $args ) {
582
583 acf()->form_front->add_form( $args );
584 }
585
586 ?>
587