PluginProbe ʕ •ᴥ•ʔ
Secure Custom Fields / 6.8.7
Secure Custom Fields v6.8.7
6.9.1 6.9.0 6.8.9 6.8.7 6.8.8 6.8.6 6.8.4 6.8.5 trunk 6.4.0-beta1 6.4.0-beta2 6.4.1 6.4.1-beta3 6.4.1-beta4 6.4.1-beta5 6.4.1-beta6 6.4.1-beta7 6.4.2 6.5.0 6.5.1 6.5.2 6.5.3 6.5.4 6.5.5 6.5.6 6.5.7 6.6.0 6.7.0 6.7.1 6.8.0 6.8.1 6.8.2 6.8.3
secure-custom-fields / includes / forms / form-front.php
secure-custom-fields / includes / forms Last commit date
WC_Order.php 6 months ago form-attachment.php 1 year ago form-comment.php 7 months ago form-customizer.php 10 months ago form-front.php 1 month ago form-gutenberg.php 1 year ago form-nav-menu.php 7 months ago form-post.php 1 month ago form-taxonomy.php 7 months ago form-user.php 7 months ago form-widget.php 10 months ago index.php 1 year ago
form-front.php
705 lines
1 <?php
2
3 if ( ! defined( 'ABSPATH' ) ) {
4 exit; // Exit if accessed directly
5 }
6
7 if ( ! class_exists( 'acf_form_front' ) ) :
8 class acf_form_front {
9
10 /**
11 * An array of registered form settings.
12 *
13 * @var array
14 */
15 private $forms = array();
16
17 /**
18 * An array of default fields.
19 *
20 * @var array
21 */
22 public $fields = array();
23
24 /**
25 * Constructs the class.
26 *
27 * @since ACF 5.0.0
28 */
29 public function __construct() {
30 add_action( 'acf/validate_save_post', array( $this, 'validate_save_post' ), 1 );
31 add_filter( 'acf/pre_save_post', array( $this, 'pre_save_post' ), 5, 2 );
32 }
33
34 /**
35 * Returns fields used by frontend forms.
36 *
37 * @since SCF 6.5
38 *
39 * @return array
40 */
41 public function get_default_fields(): array {
42 $this->fields = array(
43 '_post_title' => array(
44 'prefix' => 'acf',
45 'name' => '_post_title',
46 'key' => '_post_title',
47 'label' => __( 'Title', 'secure-custom-fields' ),
48 'type' => 'text',
49 'required' => true,
50 ),
51
52 '_post_content' => array(
53 'prefix' => 'acf',
54 'name' => '_post_content',
55 'key' => '_post_content',
56 'label' => __( 'Content', 'secure-custom-fields' ),
57 'type' => 'wysiwyg',
58 ),
59
60 '_validate_email' => array(
61 'prefix' => 'acf',
62 'name' => '_validate_email',
63 'key' => '_validate_email',
64 'label' => __( 'Validate Email', 'secure-custom-fields' ),
65 'type' => 'text',
66 'value' => '',
67 'wrapper' => array( 'style' => 'display:none !important;' ),
68 ),
69 );
70
71 return $this->fields;
72 }
73
74 /**
75 * Validates form arguments and applies defaults.
76 *
77 * @type function
78 * @date 28/2/17
79 * @since ACF 5.5.8
80 *
81 * @param $post_id (int)
82 * @return $post_id (int)
83 */
84 function validate_form( $args ) {
85
86 // defaults
87 // Todo: Allow message and button text to be generated by CPT settings.
88 $args = wp_parse_args(
89 $args,
90 array(
91 'id' => 'acf-form',
92 'post_id' => false,
93 'new_post' => false,
94 'field_groups' => false,
95 'fields' => false,
96 'post_title' => false,
97 'post_content' => false,
98 'form' => true,
99 'form_attributes' => array(),
100 'return' => add_query_arg( 'updated', 'true', acf_get_current_url() ),
101 'html_before_fields' => '',
102 'html_after_fields' => '',
103 'submit_value' => __( 'Update', 'secure-custom-fields' ),
104 'updated_message' => __( 'Post updated', 'secure-custom-fields' ),
105 'label_placement' => 'top',
106 'instruction_placement' => 'label',
107 'field_el' => 'div',
108 'uploader' => 'wp',
109 'honeypot' => true,
110 'html_updated_message' => '<div id="message" class="updated"><p>%s</p></div>', // 5.5.10
111 'html_submit_button' => '<input type="submit" class="acf-button button button-primary button-large" value="%s" />', // 5.5.10
112 'html_submit_spinner' => '<span class="acf-spinner"></span>', // 5.5.10
113 'kses' => true, // 5.6.5
114 )
115 );
116
117 $args['form_attributes'] = wp_parse_args(
118 $args['form_attributes'],
119 array(
120 'id' => $args['id'],
121 'class' => 'acf-form',
122 'action' => '',
123 'method' => 'post',
124 )
125 );
126
127 // filter post_id
128 $args['post_id'] = acf_get_valid_post_id( $args['post_id'] );
129
130 // new post?
131 if ( $args['post_id'] === 'new_post' ) {
132 $args['new_post'] = wp_parse_args(
133 $args['new_post'],
134 array(
135 'post_type' => 'post',
136 'post_status' => 'draft',
137 )
138 );
139 }
140
141 // filter
142 $args = apply_filters( 'acf/validate_form', $args );
143
144 // return
145 return $args;
146 }
147
148
149 /**
150 * description
151 *
152 * @type function
153 * @date 28/2/17
154 * @since ACF 5.5.8
155 *
156 * @param $post_id (int)
157 * @return $post_id (int)
158 */
159 function add_form( $args = array() ) {
160
161 // validate
162 $args = $this->validate_form( $args );
163
164 // append
165 $this->forms[ $args['id'] ] = $args;
166 }
167
168
169 /**
170 * description
171 *
172 * @type function
173 * @date 28/2/17
174 * @since ACF 5.5.8
175 *
176 * @param $post_id (int)
177 * @return $post_id (int)
178 */
179 function get_form( $id = '' ) {
180
181 // bail early if not set
182 if ( ! isset( $this->forms[ $id ] ) ) {
183 return false;
184 }
185
186 // return
187 return $this->forms[ $id ];
188 }
189
190 /**
191 * Returns all registered forms.
192 *
193 * @type function
194 * @date 28/2/17
195 * @since ACF 5.5.8
196 *
197 * @return forms (array)
198 */
199 function get_forms() {
200 return $this->forms;
201 }
202
203 /**
204 * This function will validate fields from the above array
205 *
206 * @type function
207 * @date 7/09/2016
208 * @since ACF 5.4.0
209 *
210 * @param $post_id (int)
211 * @return $post_id (int)
212 */
213 function validate_save_post() {
214
215 // register field if isset in $_POST
216 foreach ( $this->get_default_fields() as $k => $field ) {
217
218 // bail early if no in $_POST
219 if ( ! isset( $_POST['acf'][ $k ] ) ) { // phpcs:ignore WordPress.Security.NonceVerification.Missing -- Verified elsewhere.
220 continue;
221 }
222
223 // register
224 acf_add_local_field( $field );
225 }
226
227 // honeypot
228 if ( ! empty( $_POST['acf']['_validate_email'] ) ) { // phpcs:ignore WordPress.Security.NonceVerification.Missing -- Data not used; presence indicates spam.
229
230 acf_add_validation_error( '', __( 'Spam Detected', 'secure-custom-fields' ) );
231 }
232 }
233
234
235 /**
236 * description
237 *
238 * @type function
239 * @date 7/09/2016
240 * @since ACF 5.4.0
241 *
242 * @param $post_id (int)
243 * @return $post_id (int)
244 */
245 function pre_save_post( $post_id, $form ) {
246
247 // vars
248 $save = array(
249 'ID' => 0,
250 );
251
252 // determine save data
253 if ( is_numeric( $post_id ) ) {
254
255 // update post
256 $save['ID'] = $post_id;
257 } elseif ( $post_id == 'new_post' ) {
258
259 // merge in new post data
260 $save = array_merge( $save, $form['new_post'] );
261 } else {
262
263 // not post
264 return $post_id;
265 }
266
267 // phpcs:disable WordPress.Security.NonceVerification.Missing -- Verified in check_submit_form().
268 // Always extract the special _post_title / _post_content fields from $_POST['acf'] so they
269 // cannot leak into acf_update_values() downstream, but only apply them to the post when the
270 // form was rendered with the corresponding option enabled (mirrors render_form()).
271 if ( isset( $_POST['acf']['_post_title'] ) ) {
272 $post_title = acf_extract_var( $_POST['acf'], '_post_title' ); // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized, WordPress.Security.ValidatedSanitizedInput.MissingUnslash -- Sanitized by WP when saved; wp_insert_post / wp_update_post expect slashed input.
273 if ( ! empty( $form['post_title'] ) ) {
274 $save['post_title'] = $post_title;
275 }
276 }
277
278 if ( isset( $_POST['acf']['_post_content'] ) ) {
279 $post_content = acf_extract_var( $_POST['acf'], '_post_content' ); // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized, WordPress.Security.ValidatedSanitizedInput.MissingUnslash -- Sanitized by WP when saved; wp_insert_post / wp_update_post expect slashed input.
280 if ( ! empty( $form['post_content'] ) ) {
281 $save['post_content'] = $post_content;
282 }
283 }
284 // phpcs:enable WordPress.Security.NonceVerification.Missing
285
286 // honeypot
287 if ( ! empty( $_POST['acf']['_validate_email'] ) ) { // phpcs:ignore WordPress.Security.NonceVerification.Missing -- Data not used; presence indicates spam.
288 return false;
289 }
290
291 // validate
292 if ( count( $save ) == 1 ) {
293 return $post_id;
294 }
295
296 // save
297 if ( $save['ID'] ) {
298 wp_update_post( $save );
299 } else {
300 $post_id = wp_insert_post( $save );
301 }
302
303 // return
304 return $post_id;
305 }
306
307
308 /**
309 * This function will enqueue a form
310 *
311 * @type function
312 * @date 7/09/2016
313 * @since ACF 5.4.0
314 *
315 * @param $post_id (int)
316 * @return $post_id (int)
317 */
318 function enqueue_form() {
319
320 // check
321 $this->check_submit_form();
322
323 // load acf scripts
324 acf_enqueue_scripts();
325 }
326
327
328 /**
329 * This function will maybe submit form data
330 *
331 * @type function
332 * @date 3/3/17
333 * @since ACF 5.5.10
334 *
335 * @param n/a
336 * @return n/a
337 */
338 function check_submit_form() {
339
340 // Verify nonce.
341 if ( ! acf_verify_nonce( 'acf_form' ) ) {
342 return false;
343 }
344
345 // Confirm form was submit.
346 if ( ! isset( $_POST['_acf_form'] ) ) {
347 return false;
348 }
349
350 // Load registered form using id.
351 $form = $this->get_form( acf_sanitize_request_args( $_POST['_acf_form'] ) );
352
353 // Fallback to encrypted JSON.
354 if ( ! $form ) {
355 $form = json_decode( acf_decrypt( sanitize_text_field( $_POST['_acf_form'] ) ), true );
356 if ( ! $form ) {
357 return false;
358 }
359 }
360
361 // Run kses on all $_POST data.
362 if ( $form['kses'] && isset( $_POST['acf'] ) ) {
363 $_POST['acf'] = wp_kses_post_deep( $_POST['acf'] ); // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized -- False positive.
364 }
365
366 // Validate data and show errors.
367 // Todo: Return WP_Error and show above form, keeping input values.
368 acf_validate_save_post( true );
369
370 // Submit form.
371 $this->submit_form( $form );
372 }
373
374
375 /**
376 * This function will submit form data
377 *
378 * @type function
379 * @date 3/3/17
380 * @since ACF 5.5.10
381 *
382 * @param n/a
383 * @return n/a
384 */
385 function submit_form( $form ) {
386
387 // filter
388 $form = apply_filters( 'acf/pre_submit_form', $form );
389
390 // vars
391 $post_id = acf_maybe_get( $form, 'post_id', 0 );
392
393 // add global for backwards compatibility
394 $GLOBALS['acf_form'] = $form;
395
396 // allow for custom save
397 $post_id = apply_filters( 'acf/pre_save_post', $post_id, $form );
398
399 // Restrict $_POST['acf'] to the field keys the form actually exposed, so the
400 // save path cannot accept values for fields the form did not render.
401 // phpcs:disable WordPress.Security.NonceVerification.Missing -- Verified in check_submit_form().
402 if ( isset( $_POST['acf'] ) && is_array( $_POST['acf'] ) ) {
403 $allowed_keys = $this->get_allowed_field_keys( $form );
404 $_POST['acf'] = array_intersect_key( $_POST['acf'], array_flip( $allowed_keys ) ); // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized, WordPress.Security.ValidatedSanitizedInput.MissingUnslash -- Sanitized downstream; save pipeline expects slashed input.
405 }
406 // phpcs:enable WordPress.Security.NonceVerification.Missing
407
408 // save
409 acf_save_post( $post_id );
410
411 // restore form (potentially modified)
412 $form = $GLOBALS['acf_form'];
413
414 // action
415 do_action( 'acf/submit_form', $form, $post_id );
416
417 // vars
418 $return = acf_maybe_get( $form, 'return', '' );
419
420 // redirect
421 if ( $return ) {
422
423 // update %placeholders%
424 $return = str_replace( '%post_id%', $post_id, $return );
425 $return = str_replace( '%post_url%', get_permalink( $post_id ), $return );
426
427 // redirect
428 wp_redirect( $return ); //phpcs:ignore WordPress.Security.SafeRedirect.wp_redirect_wp_redirect -- unsafe redirects allowed.
429 exit;
430 }
431 }
432
433
434 /**
435 * Returns the fields a given form configuration will expose, mirroring the
436 * selection logic used by render_form().
437 *
438 * Used by render_form() to discover what to render, and by submit_form() to
439 * derive the set of $_POST['acf'] keys the save path will accept.
440 *
441 * @since SCF 6.8.5
442 *
443 * @param array $args The validated form configuration.
444 * @return array
445 */
446 protected function get_form_fields( array $args ): array {
447 $fields = array();
448 $field_groups = array();
449 $post_id = $args['post_id'];
450
451 // Prevent ACF from loading values for "new_post".
452 if ( 'new_post' === $post_id ) {
453 $post_id = false;
454 }
455
456 // Register local default fields so the special _post_title / _post_content / _validate_email
457 // keys are resolvable via acf_get_field().
458 foreach ( $this->get_default_fields() as $field ) {
459 acf_add_local_field( $field );
460 }
461
462 // Append post_title field.
463 if ( $args['post_title'] ) {
464 $fields[] = acf_get_field( '_post_title' );
465 }
466
467 // Append post_content field.
468 if ( $args['post_content'] ) {
469 $fields[] = acf_get_field( '_post_content' );
470 }
471
472 // Load specific fields.
473 if ( $args['fields'] ) {
474
475 // Lookup fields using $strict = false for better compatibility with field names.
476 foreach ( $args['fields'] as $selector ) {
477 $fields[] = acf_maybe_get_field( $selector, $post_id, false );
478 }
479
480 // Load specific field groups.
481 } elseif ( $args['field_groups'] ) {
482 foreach ( $args['field_groups'] as $selector ) {
483 $field_groups[] = acf_get_field_group( $selector );
484 }
485
486 // Load fields for the given "new_post" args.
487 } elseif ( 'new_post' === $args['post_id'] ) {
488 $field_groups = acf_get_field_groups( $args['new_post'] );
489
490 // Load fields for the given "post_id" arg.
491 } else {
492 $field_groups = acf_get_field_groups(
493 array(
494 'post_id' => $args['post_id'],
495 )
496 );
497 }
498
499 // Load fields from the found field groups.
500 if ( $field_groups ) {
501 foreach ( $field_groups as $field_group ) {
502 $_fields = acf_get_fields( $field_group );
503 if ( $_fields ) {
504 foreach ( $_fields as $_field ) {
505 $fields[] = $_field;
506 }
507 }
508 }
509 }
510
511 // Add honeypot field.
512 if ( $args['honeypot'] ) {
513 $fields[] = acf_get_field( '_validate_email' );
514 }
515
516 return array_filter( $fields );
517 }
518
519 /**
520 * Returns the top-level $_POST['acf'] keys a given form configuration will accept on save.
521 *
522 * Derived from the same field discovery render_form() uses, so the set of save-acceptable
523 * keys matches the set of keys the form actually rendered. For seamless clone fields whose
524 * subfield input names nest under the parent clone's key (e.g. acf[clone_key][subkey]),
525 * the parent's top-level key is what gets returned.
526 *
527 * @since SCF 6.8.5
528 *
529 * @param array $form The validated form configuration.
530 * @return array
531 */
532 public function get_allowed_field_keys( array $form ): array {
533 $keys = array();
534
535 foreach ( $this->get_form_fields( $form ) as $field ) {
536 $prefix = $field['prefix'] ?? 'acf';
537
538 if ( 'acf' === $prefix ) {
539 if ( ! empty( $field['key'] ) ) {
540 $keys[] = $field['key'];
541 }
542 } elseif ( preg_match( '/^acf\[([^]]+)]$/', $prefix, $matches ) ) {
543 $keys[] = $matches[1];
544 }
545 }
546
547 $keys = array_values( array_unique( array_filter( $keys ) ) );
548
549 /**
550 * Filters the list of $_POST['acf'] keys a front-end form submission is allowed to save.
551 *
552 * Use this to permit additional field keys when a developer dynamically injects fields
553 * into a form via JavaScript that aren't part of the form's declared field configuration.
554 *
555 * @since SCF 6.8.5
556 *
557 * @param array $keys The allowed top-level $_POST['acf'] keys.
558 * @param array $form The validated form configuration.
559 */
560 $keys = apply_filters( 'acf/form/allowed_field_keys', $keys, $form );
561
562 // Re-normalize after the filter so a misbehaving callback can't break array_flip()
563 // downstream in submit_form() with non-scalar or empty values.
564 $keys = array_filter( (array) $keys, 'is_scalar' );
565 return array_values( array_unique( array_filter( array_map( 'strval', $keys ) ) ) );
566 }
567
568 /**
569 * Renders a front-end ACF form.
570 *
571 * Accepts either an array of form configuration (validated via validate_form()) or the
572 * string id of a form previously registered with acf_register_form(). Outputs the form
573 * HTML directly.
574 *
575 * @since ACF 5.4.0
576 *
577 * @param array|string $args Form configuration array, or the id of a registered form.
578 * @return false|void False if a registered form id was passed and no matching form exists;
579 * otherwise outputs the form and returns no value.
580 */
581 public function render_form( $args = array() ) {
582
583 // Vars.
584 $is_registered = false;
585
586 // Allow form settings to be directly provided.
587 if ( is_array( $args ) ) {
588 $args = $this->validate_form( $args );
589
590 // Otherwise, lookup registered form.
591 } else {
592 $is_registered = true;
593 $args = $this->get_form( $args );
594 if ( ! $args ) {
595 return false;
596 }
597 }
598
599 // Extract vars.
600 $post_id = $args['post_id'];
601
602 // Prevent ACF from loading values for "new_post".
603 if ( 'new_post' === $post_id ) {
604 $post_id = false;
605 }
606
607 // Set uploader type.
608 acf_update_setting( 'uploader', $args['uploader'] );
609
610 // Discover the fields this form will expose.
611 $fields = $this->get_form_fields( $args );
612
613 // Load values for the special _post_title / _post_content fields so they
614 // render pre-populated with the current post's data.
615 foreach ( $fields as &$field ) {
616 if ( ! isset( $field['key'] ) ) {
617 continue;
618 }
619 if ( '_post_title' === $field['key'] ) {
620 $field['value'] = $post_id ? get_post_field( 'post_title', $post_id ) : '';
621 } elseif ( '_post_content' === $field['key'] ) {
622 $field['value'] = $post_id ? get_post_field( 'post_content', $post_id ) : '';
623 }
624 }
625 unset( $field );
626
627 // Display updated_message
628 if ( ! empty( $_GET['updated'] ) && $args['updated_message'] ) { // phpcs:ignore WordPress.Security.NonceVerification.Recommended -- Used as a flag; data not used.
629 printf( $args['html_updated_message'], $args['updated_message'] ); //phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped -- designed to contain potentially unsafe HTML, set by developers.
630 }
631
632 // display form
633 if ( $args['form'] ) : ?>
634 <form <?php echo acf_esc_attrs( $args['form_attributes'] ); ?>>
635 <?php
636 endif;
637
638 // Render hidde form data.
639 acf_form_data(
640 array(
641 'screen' => 'acf_form',
642 'post_id' => $args['post_id'],
643 'form' => $is_registered ? $args['id'] : acf_encrypt( json_encode( $args ) ),
644 )
645 );
646
647 ?>
648 <div class="acf-fields acf-form-fields -<?php echo esc_attr( $args['label_placement'] ); ?>">
649 <?php echo $args['html_before_fields']; ?><?php //phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped -- designed to contain potentially unsafe HTML, set by developers. ?>
650 <?php acf_render_fields( $fields, $post_id, $args['field_el'], $args['instruction_placement'] ); ?>
651 <?php echo $args['html_after_fields']; ?><?php //phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped -- designed to contain potentially unsafe HTML, set by developers. ?>
652 </div>
653 <?php if ( $args['form'] ) : ?>
654 <div class="acf-form-submit">
655 <?php printf( $args['html_submit_button'], $args['submit_value'] ); ?><?php //phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped -- designed to contain potentially unsafe HTML, set by developers. ?>
656 <?php echo $args['html_submit_spinner']; ?><?php //phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped -- designed to contain potentially unsafe HTML, set by developers. ?>
657 </div>
658 </form>
659 <?php endif;
660 }
661 }
662
663 // initialize
664 acf()->form_front = new acf_form_front();
665 endif; // class_exists check
666
667
668 /**
669 * Functions
670 *
671 * alias of acf()->form->functions
672 *
673 * @type function
674 * @date 11/06/2014
675 * @since ACF 5.0.0
676 *
677 * @param n/a
678 * @return n/a
679 */
680 function acf_form_head() {
681
682 acf()->form_front->enqueue_form();
683 }
684
685 function acf_form( $args = array() ) {
686
687 acf()->form_front->render_form( $args );
688 }
689
690 function acf_get_form( $id = '' ) {
691
692 return acf()->form_front->get_form( $id );
693 }
694
695 function acf_get_forms() {
696 return acf()->form_front->get_forms();
697 }
698
699 function acf_register_form( $args ) {
700
701 acf()->form_front->add_form( $args );
702 }
703
704 ?>
705