PluginProbe ʕ •ᴥ•ʔ
Secure Custom Fields / 6.8.5
Secure Custom Fields v6.8.5
6.9.1 6.9.0 6.8.9 6.8.7 6.8.8 6.8.6 6.8.4 6.8.5 trunk 6.4.0-beta1 6.4.0-beta2 6.4.1 6.4.1-beta3 6.4.1-beta4 6.4.1-beta5 6.4.1-beta6 6.4.1-beta7 6.4.2 6.5.0 6.5.1 6.5.2 6.5.3 6.5.4 6.5.5 6.5.6 6.5.7 6.6.0 6.7.0 6.7.1 6.8.0 6.8.1 6.8.2 6.8.3
secure-custom-fields / includes / forms / form-front.php
secure-custom-fields / includes / forms Last commit date
WC_Order.php 6 months ago form-attachment.php 1 year ago form-comment.php 7 months ago form-customizer.php 10 months ago form-front.php 10 months ago form-gutenberg.php 1 year ago form-nav-menu.php 7 months ago form-post.php 1 month ago form-taxonomy.php 7 months ago form-user.php 7 months ago form-widget.php 10 months ago index.php 1 year ago
form-front.php
600 lines
1 <?php
2
3 if ( ! defined( 'ABSPATH' ) ) {
4 exit; // Exit if accessed directly
5 }
6
7 if ( ! class_exists( 'acf_form_front' ) ) :
8 class acf_form_front {
9
10 /**
11 * An array of registered form settings.
12 *
13 * @var array
14 */
15 private $forms = array();
16
17 /**
18 * An array of default fields.
19 *
20 * @var array
21 */
22 public $fields = array();
23
24 /**
25 * Constructs the class.
26 *
27 * @since ACF 5.0.0
28 */
29 public function __construct() {
30 add_action( 'acf/validate_save_post', array( $this, 'validate_save_post' ), 1 );
31 add_filter( 'acf/pre_save_post', array( $this, 'pre_save_post' ), 5, 2 );
32 }
33
34 /**
35 * Returns fields used by frontend forms.
36 *
37 * @since SCF 6.5
38 *
39 * @return array
40 */
41 public function get_default_fields(): array {
42 $this->fields = array(
43 '_post_title' => array(
44 'prefix' => 'acf',
45 'name' => '_post_title',
46 'key' => '_post_title',
47 'label' => __( 'Title', 'secure-custom-fields' ),
48 'type' => 'text',
49 'required' => true,
50 ),
51
52 '_post_content' => array(
53 'prefix' => 'acf',
54 'name' => '_post_content',
55 'key' => '_post_content',
56 'label' => __( 'Content', 'secure-custom-fields' ),
57 'type' => 'wysiwyg',
58 ),
59
60 '_validate_email' => array(
61 'prefix' => 'acf',
62 'name' => '_validate_email',
63 'key' => '_validate_email',
64 'label' => __( 'Validate Email', 'secure-custom-fields' ),
65 'type' => 'text',
66 'value' => '',
67 'wrapper' => array( 'style' => 'display:none !important;' ),
68 ),
69 );
70
71 return $this->fields;
72 }
73
74 /**
75 * Validates form arguments and applies defaults.
76 *
77 * @type function
78 * @date 28/2/17
79 * @since ACF 5.5.8
80 *
81 * @param $post_id (int)
82 * @return $post_id (int)
83 */
84 function validate_form( $args ) {
85
86 // defaults
87 // Todo: Allow message and button text to be generated by CPT settings.
88 $args = wp_parse_args(
89 $args,
90 array(
91 'id' => 'acf-form',
92 'post_id' => false,
93 'new_post' => false,
94 'field_groups' => false,
95 'fields' => false,
96 'post_title' => false,
97 'post_content' => false,
98 'form' => true,
99 'form_attributes' => array(),
100 'return' => add_query_arg( 'updated', 'true', acf_get_current_url() ),
101 'html_before_fields' => '',
102 'html_after_fields' => '',
103 'submit_value' => __( 'Update', 'secure-custom-fields' ),
104 'updated_message' => __( 'Post updated', 'secure-custom-fields' ),
105 'label_placement' => 'top',
106 'instruction_placement' => 'label',
107 'field_el' => 'div',
108 'uploader' => 'wp',
109 'honeypot' => true,
110 'html_updated_message' => '<div id="message" class="updated"><p>%s</p></div>', // 5.5.10
111 'html_submit_button' => '<input type="submit" class="acf-button button button-primary button-large" value="%s" />', // 5.5.10
112 'html_submit_spinner' => '<span class="acf-spinner"></span>', // 5.5.10
113 'kses' => true, // 5.6.5
114 )
115 );
116
117 $args['form_attributes'] = wp_parse_args(
118 $args['form_attributes'],
119 array(
120 'id' => $args['id'],
121 'class' => 'acf-form',
122 'action' => '',
123 'method' => 'post',
124 )
125 );
126
127 // filter post_id
128 $args['post_id'] = acf_get_valid_post_id( $args['post_id'] );
129
130 // new post?
131 if ( $args['post_id'] === 'new_post' ) {
132 $args['new_post'] = wp_parse_args(
133 $args['new_post'],
134 array(
135 'post_type' => 'post',
136 'post_status' => 'draft',
137 )
138 );
139 }
140
141 // filter
142 $args = apply_filters( 'acf/validate_form', $args );
143
144 // return
145 return $args;
146 }
147
148
149 /**
150 * description
151 *
152 * @type function
153 * @date 28/2/17
154 * @since ACF 5.5.8
155 *
156 * @param $post_id (int)
157 * @return $post_id (int)
158 */
159 function add_form( $args = array() ) {
160
161 // validate
162 $args = $this->validate_form( $args );
163
164 // append
165 $this->forms[ $args['id'] ] = $args;
166 }
167
168
169 /**
170 * description
171 *
172 * @type function
173 * @date 28/2/17
174 * @since ACF 5.5.8
175 *
176 * @param $post_id (int)
177 * @return $post_id (int)
178 */
179 function get_form( $id = '' ) {
180
181 // bail early if not set
182 if ( ! isset( $this->forms[ $id ] ) ) {
183 return false;
184 }
185
186 // return
187 return $this->forms[ $id ];
188 }
189
190 /**
191 * Returns all registered forms.
192 *
193 * @type function
194 * @date 28/2/17
195 * @since ACF 5.5.8
196 *
197 * @return forms (array)
198 */
199 function get_forms() {
200 return $this->forms;
201 }
202
203 /**
204 * This function will validate fields from the above array
205 *
206 * @type function
207 * @date 7/09/2016
208 * @since ACF 5.4.0
209 *
210 * @param $post_id (int)
211 * @return $post_id (int)
212 */
213 function validate_save_post() {
214
215 // register field if isset in $_POST
216 foreach ( $this->get_default_fields() as $k => $field ) {
217
218 // bail early if no in $_POST
219 if ( ! isset( $_POST['acf'][ $k ] ) ) { // phpcs:ignore WordPress.Security.NonceVerification.Missing -- Verified elsewhere.
220 continue;
221 }
222
223 // register
224 acf_add_local_field( $field );
225 }
226
227 // honeypot
228 if ( ! empty( $_POST['acf']['_validate_email'] ) ) { // phpcs:ignore WordPress.Security.NonceVerification.Missing -- Data not used; presence indicates spam.
229
230 acf_add_validation_error( '', __( 'Spam Detected', 'secure-custom-fields' ) );
231 }
232 }
233
234
235 /**
236 * description
237 *
238 * @type function
239 * @date 7/09/2016
240 * @since ACF 5.4.0
241 *
242 * @param $post_id (int)
243 * @return $post_id (int)
244 */
245 function pre_save_post( $post_id, $form ) {
246
247 // vars
248 $save = array(
249 'ID' => 0,
250 );
251
252 // determine save data
253 if ( is_numeric( $post_id ) ) {
254
255 // update post
256 $save['ID'] = $post_id;
257 } elseif ( $post_id == 'new_post' ) {
258
259 // merge in new post data
260 $save = array_merge( $save, $form['new_post'] );
261 } else {
262
263 // not post
264 return $post_id;
265 }
266
267 // phpcs:disable WordPress.Security.NonceVerification.Missing -- Verified in check_submit_form().
268 // save post_title
269 if ( isset( $_POST['acf']['_post_title'] ) ) {
270 $save['post_title'] = acf_extract_var( $_POST['acf'], '_post_title' ); // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized -- Sanitized by WP when saved.
271 }
272
273 // save post_content
274 if ( isset( $_POST['acf']['_post_content'] ) ) {
275 $save['post_content'] = acf_extract_var( $_POST['acf'], '_post_content' ); // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized -- Sanitized by WP when saved.
276 }
277 // phpcs:enable WordPress.Security.NonceVerification.Missing
278
279 // honeypot
280 if ( ! empty( $_POST['acf']['_validate_email'] ) ) { // phpcs:ignore WordPress.Security.NonceVerification.Missing -- Data not used; presence indicates spam.
281 return false;
282 }
283
284 // validate
285 if ( count( $save ) == 1 ) {
286 return $post_id;
287 }
288
289 // save
290 if ( $save['ID'] ) {
291 wp_update_post( $save );
292 } else {
293 $post_id = wp_insert_post( $save );
294 }
295
296 // return
297 return $post_id;
298 }
299
300
301 /**
302 * This function will enqueue a form
303 *
304 * @type function
305 * @date 7/09/2016
306 * @since ACF 5.4.0
307 *
308 * @param $post_id (int)
309 * @return $post_id (int)
310 */
311 function enqueue_form() {
312
313 // check
314 $this->check_submit_form();
315
316 // load acf scripts
317 acf_enqueue_scripts();
318 }
319
320
321 /**
322 * This function will maybe submit form data
323 *
324 * @type function
325 * @date 3/3/17
326 * @since ACF 5.5.10
327 *
328 * @param n/a
329 * @return n/a
330 */
331 function check_submit_form() {
332
333 // Verify nonce.
334 if ( ! acf_verify_nonce( 'acf_form' ) ) {
335 return false;
336 }
337
338 // Confirm form was submit.
339 if ( ! isset( $_POST['_acf_form'] ) ) {
340 return false;
341 }
342
343 // Load registered form using id.
344 $form = $this->get_form( acf_sanitize_request_args( $_POST['_acf_form'] ) );
345
346 // Fallback to encrypted JSON.
347 if ( ! $form ) {
348 $form = json_decode( acf_decrypt( sanitize_text_field( $_POST['_acf_form'] ) ), true );
349 if ( ! $form ) {
350 return false;
351 }
352 }
353
354 // Run kses on all $_POST data.
355 if ( $form['kses'] && isset( $_POST['acf'] ) ) {
356 $_POST['acf'] = wp_kses_post_deep( $_POST['acf'] ); // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized -- False positive.
357 }
358
359 // Validate data and show errors.
360 // Todo: Return WP_Error and show above form, keeping input values.
361 acf_validate_save_post( true );
362
363 // Submit form.
364 $this->submit_form( $form );
365 }
366
367
368 /**
369 * This function will submit form data
370 *
371 * @type function
372 * @date 3/3/17
373 * @since ACF 5.5.10
374 *
375 * @param n/a
376 * @return n/a
377 */
378 function submit_form( $form ) {
379
380 // filter
381 $form = apply_filters( 'acf/pre_submit_form', $form );
382
383 // vars
384 $post_id = acf_maybe_get( $form, 'post_id', 0 );
385
386 // add global for backwards compatibility
387 $GLOBALS['acf_form'] = $form;
388
389 // allow for custom save
390 $post_id = apply_filters( 'acf/pre_save_post', $post_id, $form );
391
392 // save
393 acf_save_post( $post_id );
394
395 // restore form (potentially modified)
396 $form = $GLOBALS['acf_form'];
397
398 // action
399 do_action( 'acf/submit_form', $form, $post_id );
400
401 // vars
402 $return = acf_maybe_get( $form, 'return', '' );
403
404 // redirect
405 if ( $return ) {
406
407 // update %placeholders%
408 $return = str_replace( '%post_id%', $post_id, $return );
409 $return = str_replace( '%post_url%', get_permalink( $post_id ), $return );
410
411 // redirect
412 wp_redirect( $return ); //phpcs:ignore WordPress.Security.SafeRedirect.wp_redirect_wp_redirect -- unsafe redirects allowed.
413 exit;
414 }
415 }
416
417
418 /**
419 * description
420 *
421 * @type function
422 * @date 7/09/2016
423 * @since ACF 5.4.0
424 *
425 * @param $post_id (int)
426 * @return $post_id (int)
427 */
428 function render_form( $args = array() ) {
429
430 // Vars.
431 $is_registered = false;
432 $field_groups = array();
433 $fields = array();
434
435 // Allow form settings to be directly provided.
436 if ( is_array( $args ) ) {
437 $args = $this->validate_form( $args );
438
439 // Otherwise, lookup registered form.
440 } else {
441 $is_registered = true;
442 $args = $this->get_form( $args );
443 if ( ! $args ) {
444 return false;
445 }
446 }
447
448 // Extract vars.
449 $post_id = $args['post_id'];
450
451 // Prevent ACF from loading values for "new_post".
452 if ( $post_id === 'new_post' ) {
453 $post_id = false;
454 }
455
456 // Set uploader type.
457 acf_update_setting( 'uploader', $args['uploader'] );
458
459 // Register local fields.
460 foreach ( $this->get_default_fields() as $k => $field ) {
461 acf_add_local_field( $field );
462 }
463
464 // Append post_title field.
465 if ( $args['post_title'] ) {
466 $_post_title = acf_get_field( '_post_title' );
467 $_post_title['value'] = $post_id ? get_post_field( 'post_title', $post_id ) : '';
468 $fields[] = $_post_title;
469 }
470
471 // Append post_content field.
472 if ( $args['post_content'] ) {
473 $_post_content = acf_get_field( '_post_content' );
474 $_post_content['value'] = $post_id ? get_post_field( 'post_content', $post_id ) : '';
475 $fields[] = $_post_content;
476 }
477
478 // Load specific fields.
479 if ( $args['fields'] ) {
480
481 // Lookup fields using $strict = false for better compatibility with field names.
482 foreach ( $args['fields'] as $selector ) {
483 $fields[] = acf_maybe_get_field( $selector, $post_id, false );
484 }
485
486 // Load specific field groups.
487 } elseif ( $args['field_groups'] ) {
488 foreach ( $args['field_groups'] as $selector ) {
489 $field_groups[] = acf_get_field_group( $selector );
490 }
491
492 // Load fields for the given "new_post" args.
493 } elseif ( $args['post_id'] == 'new_post' ) {
494 $field_groups = acf_get_field_groups( $args['new_post'] );
495
496 // Load fields for the given "post_id" arg.
497 } else {
498 $field_groups = acf_get_field_groups(
499 array(
500 'post_id' => $args['post_id'],
501 )
502 );
503 }
504
505 // load fields from the found field groups.
506 if ( $field_groups ) {
507 foreach ( $field_groups as $field_group ) {
508 $_fields = acf_get_fields( $field_group );
509 if ( $_fields ) {
510 foreach ( $_fields as $_field ) {
511 $fields[] = $_field;
512 }
513 }
514 }
515 }
516
517 // Add honeypot field.
518 if ( $args['honeypot'] ) {
519 $fields[] = acf_get_field( '_validate_email' );
520 }
521
522 // Display updated_message
523 if ( ! empty( $_GET['updated'] ) && $args['updated_message'] ) { // phpcs:ignore WordPress.Security.NonceVerification.Recommended -- Used as a flag; data not used.
524 printf( $args['html_updated_message'], $args['updated_message'] ); //phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped -- designed to contain potentially unsafe HTML, set by developers.
525 }
526
527 // display form
528 if ( $args['form'] ) : ?>
529 <form <?php echo acf_esc_attrs( $args['form_attributes'] ); ?>>
530 <?php
531 endif;
532
533 // Render hidde form data.
534 acf_form_data(
535 array(
536 'screen' => 'acf_form',
537 'post_id' => $args['post_id'],
538 'form' => $is_registered ? $args['id'] : acf_encrypt( json_encode( $args ) ),
539 )
540 );
541
542 ?>
543 <div class="acf-fields acf-form-fields -<?php echo esc_attr( $args['label_placement'] ); ?>">
544 <?php echo $args['html_before_fields']; ?><?php //phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped -- designed to contain potentially unsafe HTML, set by developers. ?>
545 <?php acf_render_fields( $fields, $post_id, $args['field_el'], $args['instruction_placement'] ); ?>
546 <?php echo $args['html_after_fields']; ?><?php //phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped -- designed to contain potentially unsafe HTML, set by developers. ?>
547 </div>
548 <?php if ( $args['form'] ) : ?>
549 <div class="acf-form-submit">
550 <?php printf( $args['html_submit_button'], $args['submit_value'] ); ?><?php //phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped -- designed to contain potentially unsafe HTML, set by developers. ?>
551 <?php echo $args['html_submit_spinner']; ?><?php //phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped -- designed to contain potentially unsafe HTML, set by developers. ?>
552 </div>
553 </form>
554 <?php endif;
555 }
556 }
557
558 // initialize
559 acf()->form_front = new acf_form_front();
560 endif; // class_exists check
561
562
563 /**
564 * Functions
565 *
566 * alias of acf()->form->functions
567 *
568 * @type function
569 * @date 11/06/2014
570 * @since ACF 5.0.0
571 *
572 * @param n/a
573 * @return n/a
574 */
575 function acf_form_head() {
576
577 acf()->form_front->enqueue_form();
578 }
579
580 function acf_form( $args = array() ) {
581
582 acf()->form_front->render_form( $args );
583 }
584
585 function acf_get_form( $id = '' ) {
586
587 return acf()->form_front->get_form( $id );
588 }
589
590 function acf_get_forms() {
591 return acf()->form_front->get_forms();
592 }
593
594 function acf_register_form( $args ) {
595
596 acf()->form_front->add_form( $args );
597 }
598
599 ?>
600