PluginProbe ʕ •ᴥ•ʔ
Secure Custom Fields / trunk
Secure Custom Fields vtrunk
6.9.1 6.9.0 6.8.9 6.8.7 6.8.8 6.8.6 6.8.4 6.8.5 trunk 6.4.0-beta1 6.4.0-beta2 6.4.1 6.4.1-beta3 6.4.1-beta4 6.4.1-beta5 6.4.1-beta6 6.4.1-beta7 6.4.2 6.5.0 6.5.1 6.5.2 6.5.3 6.5.4 6.5.5 6.5.6 6.5.7 6.6.0 6.7.0 6.7.1 6.8.0 6.8.1 6.8.2 6.8.3
secure-custom-fields / includes / forms / form-front.php
secure-custom-fields / includes / forms Last commit date
WC_Order.php 9 hours ago form-attachment.php 1 year ago form-comment.php 7 months ago form-customizer.php 10 months ago form-front.php 3 weeks ago form-gutenberg.php 1 year ago form-nav-menu.php 7 months ago form-post.php 1 month ago form-taxonomy.php 2 weeks ago form-user.php 7 months ago form-widget.php 10 months ago index.php 1 year ago
form-front.php
886 lines
1 <?php
2
3 if ( ! defined( 'ABSPATH' ) ) {
4 exit; // Exit if accessed directly
5 }
6
7 if ( ! class_exists( 'acf_form_front' ) ) :
8 class acf_form_front {
9
10 /**
11 * An array of registered form settings.
12 *
13 * @var array
14 */
15 private $forms = array();
16
17 /**
18 * An array of default fields.
19 *
20 * @var array
21 */
22 public $fields = array();
23
24 /**
25 * Per-request render id, shared across every render_form() call in this request.
26 *
27 * @var string|null
28 */
29 private $render_id = null;
30
31 /**
32 * Constructs the class.
33 *
34 * @since ACF 5.0.0
35 */
36 public function __construct() {
37 add_action( 'acf/validate_save_post', array( $this, 'validate_save_post' ), 1 );
38 add_filter( 'acf/pre_save_post', array( $this, 'pre_save_post' ), 5, 2 );
39 }
40
41 /**
42 * Returns fields used by frontend forms.
43 *
44 * @since SCF 6.5
45 *
46 * @return array
47 */
48 public function get_default_fields(): array {
49 $this->fields = array(
50 '_post_title' => array(
51 'prefix' => 'acf',
52 'name' => '_post_title',
53 'key' => '_post_title',
54 'label' => __( 'Title', 'secure-custom-fields' ),
55 'type' => 'text',
56 'required' => true,
57 ),
58
59 '_post_content' => array(
60 'prefix' => 'acf',
61 'name' => '_post_content',
62 'key' => '_post_content',
63 'label' => __( 'Content', 'secure-custom-fields' ),
64 'type' => 'wysiwyg',
65 ),
66
67 '_validate_email' => array(
68 'prefix' => 'acf',
69 'name' => '_validate_email',
70 'key' => '_validate_email',
71 'label' => __( 'Validate Email', 'secure-custom-fields' ),
72 'type' => 'text',
73 'value' => '',
74 'wrapper' => array( 'style' => 'display:none !important;' ),
75 ),
76 );
77
78 return $this->fields;
79 }
80
81 /**
82 * Validates form arguments and applies defaults.
83 *
84 * @type function
85 * @date 28/2/17
86 * @since ACF 5.5.8
87 *
88 * @param $post_id (int)
89 * @return $post_id (int)
90 */
91 function validate_form( $args ) {
92
93 // defaults
94 // Todo: Allow message and button text to be generated by CPT settings.
95 $args = wp_parse_args(
96 $args,
97 array(
98 'id' => 'acf-form',
99 'post_id' => false,
100 'new_post' => false,
101 'field_groups' => false,
102 'fields' => false,
103 'post_title' => false,
104 'post_content' => false,
105 'form' => true,
106 'form_attributes' => array(),
107 'return' => add_query_arg( 'updated', 'true', acf_get_current_url() ),
108 'html_before_fields' => '',
109 'html_after_fields' => '',
110 'submit_value' => __( 'Update', 'secure-custom-fields' ),
111 'updated_message' => __( 'Post updated', 'secure-custom-fields' ),
112 'label_placement' => 'top',
113 'instruction_placement' => 'label',
114 'field_el' => 'div',
115 'uploader' => 'wp',
116 'honeypot' => true,
117 'html_updated_message' => '<div id="message" class="updated"><p>%s</p></div>', // 5.5.10
118 'html_submit_button' => '<input type="submit" class="acf-button button button-primary button-large" value="%s" />', // 5.5.10
119 'html_submit_spinner' => '<span class="acf-spinner"></span>', // 5.5.10
120 'kses' => true, // 5.6.5
121 )
122 );
123
124 $args['form_attributes'] = wp_parse_args(
125 $args['form_attributes'],
126 array(
127 'id' => $args['id'],
128 'class' => 'acf-form',
129 'action' => '',
130 'method' => 'post',
131 )
132 );
133
134 // filter post_id
135 $args['post_id'] = acf_get_valid_post_id( $args['post_id'] );
136
137 // new post?
138 if ( $args['post_id'] === 'new_post' ) {
139 $args['new_post'] = wp_parse_args(
140 $args['new_post'],
141 array(
142 'post_type' => 'post',
143 'post_status' => 'draft',
144 )
145 );
146 }
147
148 // filter
149 $args = apply_filters( 'acf/validate_form', $args );
150
151 // return
152 return $args;
153 }
154
155
156 /**
157 * description
158 *
159 * @type function
160 * @date 28/2/17
161 * @since ACF 5.5.8
162 *
163 * @param $post_id (int)
164 * @return $post_id (int)
165 */
166 function add_form( $args = array() ) {
167
168 // validate
169 $args = $this->validate_form( $args );
170
171 // append
172 $this->forms[ $args['id'] ] = $args;
173 }
174
175
176 /**
177 * description
178 *
179 * @type function
180 * @date 28/2/17
181 * @since ACF 5.5.8
182 *
183 * @param $post_id (int)
184 * @return $post_id (int)
185 */
186 function get_form( $id = '' ) {
187
188 // bail early if not set
189 if ( ! isset( $this->forms[ $id ] ) ) {
190 return false;
191 }
192
193 // return
194 return $this->forms[ $id ];
195 }
196
197 /**
198 * Returns all registered forms.
199 *
200 * @type function
201 * @date 28/2/17
202 * @since ACF 5.5.8
203 *
204 * @return forms (array)
205 */
206 function get_forms() {
207 return $this->forms;
208 }
209
210 /**
211 * This function will validate fields from the above array
212 *
213 * @type function
214 * @date 7/09/2016
215 * @since ACF 5.4.0
216 *
217 * @param $post_id (int)
218 * @return $post_id (int)
219 */
220 function validate_save_post() {
221
222 // register field if isset in $_POST
223 foreach ( $this->get_default_fields() as $k => $field ) {
224
225 // bail early if no in $_POST
226 if ( ! isset( $_POST['acf'][ $k ] ) ) { // phpcs:ignore WordPress.Security.NonceVerification.Missing -- Verified elsewhere.
227 continue;
228 }
229
230 // register
231 acf_add_local_field( $field );
232 }
233
234 // honeypot
235 if ( ! empty( $_POST['acf']['_validate_email'] ) ) { // phpcs:ignore WordPress.Security.NonceVerification.Missing -- Data not used; presence indicates spam.
236
237 acf_add_validation_error( '', __( 'Spam Detected', 'secure-custom-fields' ) );
238 }
239 }
240
241
242 /**
243 * description
244 *
245 * @type function
246 * @date 7/09/2016
247 * @since ACF 5.4.0
248 *
249 * @param $post_id (int)
250 * @return $post_id (int)
251 */
252 function pre_save_post( $post_id, $form ) {
253
254 // vars
255 $save = array(
256 'ID' => 0,
257 );
258
259 // determine save data
260 if ( is_numeric( $post_id ) ) {
261
262 // update post
263 $save['ID'] = $post_id;
264 } elseif ( $post_id == 'new_post' ) {
265
266 // merge in new post data
267 $save = array_merge( $save, $form['new_post'] );
268 } else {
269
270 // not post
271 return $post_id;
272 }
273
274 // phpcs:disable WordPress.Security.NonceVerification.Missing -- Verified in check_submit_form().
275 // Always extract the special _post_title / _post_content fields from $_POST['acf'] so they
276 // cannot leak into acf_update_values() downstream, but only apply them to the post when the
277 // form was rendered with the corresponding option enabled (mirrors render_form()).
278 if ( isset( $_POST['acf']['_post_title'] ) ) {
279 $post_title = acf_extract_var( $_POST['acf'], '_post_title' ); // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized, WordPress.Security.ValidatedSanitizedInput.MissingUnslash -- Sanitized by WP when saved; wp_insert_post / wp_update_post expect slashed input.
280 if ( ! empty( $form['post_title'] ) ) {
281 $save['post_title'] = $post_title;
282 }
283 }
284
285 if ( isset( $_POST['acf']['_post_content'] ) ) {
286 $post_content = acf_extract_var( $_POST['acf'], '_post_content' ); // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized, WordPress.Security.ValidatedSanitizedInput.MissingUnslash -- Sanitized by WP when saved; wp_insert_post / wp_update_post expect slashed input.
287 if ( ! empty( $form['post_content'] ) ) {
288 $save['post_content'] = $post_content;
289 }
290 }
291 // phpcs:enable WordPress.Security.NonceVerification.Missing
292
293 // honeypot
294 if ( ! empty( $_POST['acf']['_validate_email'] ) ) { // phpcs:ignore WordPress.Security.NonceVerification.Missing -- Data not used; presence indicates spam.
295 return false;
296 }
297
298 // validate
299 if ( count( $save ) == 1 ) {
300 return $post_id;
301 }
302
303 // save
304 if ( $save['ID'] ) {
305 wp_update_post( $save );
306 } else {
307 $post_id = wp_insert_post( $save );
308 }
309
310 // return
311 return $post_id;
312 }
313
314
315 /**
316 * This function will enqueue a form
317 *
318 * @type function
319 * @date 7/09/2016
320 * @since ACF 5.4.0
321 *
322 * @param $post_id (int)
323 * @return $post_id (int)
324 */
325 function enqueue_form() {
326
327 // check
328 $this->check_submit_form();
329
330 // load acf scripts
331 acf_enqueue_scripts();
332 }
333
334
335 /**
336 * This function will maybe submit form data
337 *
338 * @type function
339 * @date 3/3/17
340 * @since ACF 5.5.10
341 *
342 * @param n/a
343 * @return n/a
344 */
345 function check_submit_form() {
346
347 // Verify nonce.
348 if ( ! acf_verify_nonce( 'acf_form' ) ) {
349 return false;
350 }
351
352 // Confirm form was submit.
353 if ( ! isset( $_POST['_acf_form'] ) ) {
354 return false;
355 }
356
357 // Load registered form using id.
358 $form = $this->get_form( acf_sanitize_request_args( $_POST['_acf_form'] ) );
359
360 // Fallback to encrypted JSON.
361 if ( ! $form ) {
362 $form = json_decode( acf_decrypt( sanitize_text_field( $_POST['_acf_form'] ) ), true );
363 if ( ! $form ) {
364 return false;
365 }
366 }
367
368 $form = $this->merge_form_meta( $form );
369
370 // Run kses on all $_POST data.
371 if ( $form['kses'] && isset( $_POST['acf'] ) ) {
372 $_POST['acf'] = wp_kses_post_deep( $_POST['acf'] ); // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized -- False positive.
373 }
374
375 // Validate data and show errors.
376 // Todo: Return WP_Error and show above form, keeping input values.
377 acf_validate_save_post( true );
378
379 // Submit form.
380 $this->submit_form( $form );
381 }
382
383
384 /**
385 * This function will submit form data
386 *
387 * @type function
388 * @date 3/3/17
389 * @since ACF 5.5.10
390 *
391 * @param n/a
392 * @return n/a
393 */
394 function submit_form( $form ) {
395
396 // filter
397 $form = apply_filters( 'acf/pre_submit_form', $form );
398
399 // vars
400 $post_id = acf_maybe_get( $form, 'post_id', 0 );
401
402 // add global for backwards compatibility
403 $GLOBALS['acf_form'] = $form;
404
405 // allow for custom save
406 $post_id = apply_filters( 'acf/pre_save_post', $post_id, $form );
407
408 // Restrict $_POST['acf'] to the field keys the form actually exposed, so the
409 // save path cannot accept values for fields the form did not render.
410 // phpcs:disable WordPress.Security.NonceVerification.Missing -- Verified in check_submit_form().
411 if ( isset( $_POST['acf'] ) && is_array( $_POST['acf'] ) ) {
412 $allowed_keys = $this->get_allowed_field_keys( $form );
413 $_POST['acf'] = array_intersect_key( $_POST['acf'], array_flip( $allowed_keys ) ); // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized, WordPress.Security.ValidatedSanitizedInput.MissingUnslash -- Sanitized downstream; save pipeline expects slashed input.
414 }
415 // phpcs:enable WordPress.Security.NonceVerification.Missing
416
417 // save
418 acf_save_post( $post_id );
419
420 // restore form (potentially modified)
421 $form = $GLOBALS['acf_form'];
422
423 // action
424 do_action( 'acf/submit_form', $form, $post_id );
425
426 // vars
427 $return = acf_maybe_get( $form, 'return', '' );
428
429 // redirect
430 if ( $return ) {
431
432 // update %placeholders%
433 $return = str_replace( '%post_id%', $post_id, $return );
434 $return = str_replace( '%post_url%', get_permalink( $post_id ), $return );
435
436 // redirect
437 wp_redirect( $return ); //phpcs:ignore WordPress.Security.SafeRedirect.wp_redirect_wp_redirect -- unsafe redirects allowed.
438 exit;
439 }
440 }
441
442 /**
443 * Returns the per-request render ID, generating one if necessary.
444 *
445 * @since SCF 6.8.8
446 *
447 * @return string
448 */
449 protected function get_render_id(): string {
450 if ( null === $this->render_id ) {
451 $this->render_id = wp_generate_uuid4();
452 }
453 return $this->render_id;
454 }
455
456 /**
457 * Folds metadata from `_acf_form_meta[]` inputs into the primary form
458 * configuration so the multi-`acf_form()`-in-one-outer-`<form>` pattern works.
459 *
460 * Non-field request-level args (`post_id`, `return`, `new_post`, `kses`) stay
461 * "last wins" via the primary form.
462 *
463 * @since SCF 6.8.8
464 *
465 * @param array $form The primary form configuration loaded from `_acf_form`.
466 * @return array The primary form with allowed-key extras and OR'd title/content flags.
467 */
468 protected function merge_form_meta( array $form ): array {
469 // phpcs:disable WordPress.Security.NonceVerification.Missing -- Verified above in check_submit_form().
470 if ( empty( $_POST['_acf_form_meta'] ) || ! is_array( $_POST['_acf_form_meta'] ) ) {
471 return $form;
472 }
473
474 if ( empty( $_POST['_acf_render_id'] ) || ! is_scalar( $_POST['_acf_render_id'] ) ) {
475 return $form;
476 }
477 $expected_render_id = sanitize_text_field( wp_unslash( $_POST['_acf_render_id'] ) );
478
479 // wp_unslash only — sanitize_text_field would desync from the raw
480 // $acf_form_value hashed render-side.
481 $primary_form_value = ( isset( $_POST['_acf_form'] ) && is_scalar( $_POST['_acf_form'] ) )
482 ? (string) wp_unslash( $_POST['_acf_form'] ) // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized -- Must match render-side bytes hashed into the form anchor.
483 : '';
484
485 $expected_anchor = hash( 'sha256', $primary_form_value );
486 $primary_post_id = isset( $form['post_id'] ) ? (string) $form['post_id'] : '';
487
488 /**
489 * Filters how long a `_acf_form_meta[]` payload remains valid after the page that
490 * emitted it was rendered.
491 *
492 * @since SCF 6.8.8
493 *
494 * @param int $ttl Allowed age of a meta payload, in seconds.
495 */
496 $ttl = (int) apply_filters( 'acf/form/meta_ttl', DAY_IN_SECONDS );
497 $now = time();
498
499 $valid_metas = array();
500 $primary_present = false;
501
502 foreach ( $_POST['_acf_form_meta'] as $token ) { // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized, WordPress.Security.ValidatedSanitizedInput.MissingUnslash -- Each $token is sanitized below before use.
503 if ( ! is_scalar( $token ) ) {
504 continue;
505 }
506
507 $decoded = json_decode( acf_decrypt( sanitize_text_field( $token ) ), true );
508 if ( ! is_array( $decoded ) ) {
509 continue;
510 }
511
512 if ( empty( $decoded['render_id'] ) || ! is_string( $decoded['render_id'] ) ) {
513 continue;
514 }
515
516 if ( ! hash_equals( $expected_render_id, $decoded['render_id'] ) ) {
517 continue;
518 }
519
520 if ( ! isset( $decoded['issued_at'] ) || ! is_numeric( $decoded['issued_at'] ) ) {
521 continue;
522 }
523 if ( ( $now - (int) $decoded['issued_at'] ) >= $ttl ) {
524 continue;
525 }
526
527 if ( ! empty( $decoded['form_anchor'] )
528 && is_string( $decoded['form_anchor'] )
529 && hash_equals( $expected_anchor, $decoded['form_anchor'] )
530 ) {
531 $primary_present = true;
532 }
533
534 $valid_metas[] = $decoded;
535 }
536
537 if ( ! $primary_present ) {
538 return $form;
539 }
540
541 $extra_keys = array();
542
543 foreach ( $valid_metas as $decoded ) {
544 $target_post_id = isset( $decoded['target_post_id'] ) ? (string) $decoded['target_post_id'] : '';
545 if ( ! hash_equals( $primary_post_id, $target_post_id ) ) {
546 continue;
547 }
548
549 if ( ! empty( $decoded['allowed_field_keys'] ) && is_array( $decoded['allowed_field_keys'] ) ) {
550 foreach ( $decoded['allowed_field_keys'] as $key ) {
551 if ( is_scalar( $key ) ) {
552 $extra_keys[] = (string) $key;
553 }
554 }
555 }
556
557 if ( ! empty( $decoded['post_title'] ) ) {
558 $form['post_title'] = true;
559 }
560 if ( ! empty( $decoded['post_content'] ) ) {
561 $form['post_content'] = true;
562 }
563 }
564 // phpcs:enable WordPress.Security.NonceVerification.Missing
565
566 if ( $extra_keys ) {
567 $form['_additional_allowed_field_keys'] = array_values( array_unique( $extra_keys ) );
568 }
569
570 return $form;
571 }
572
573 /**
574 * Returns the fields a given form configuration will expose, mirroring the
575 * selection logic used by render_form().
576 *
577 * Used by render_form() to discover what to render, and by submit_form() to
578 * derive the set of $_POST['acf'] keys the save path will accept.
579 *
580 * @since SCF 6.8.5
581 *
582 * @param array $args The validated form configuration.
583 * @return array
584 */
585 protected function get_form_fields( array $args ): array {
586 $fields = array();
587 $field_groups = array();
588 $post_id = $args['post_id'];
589
590 // Prevent ACF from loading values for "new_post".
591 if ( 'new_post' === $post_id ) {
592 $post_id = false;
593 }
594
595 // Register local default fields so the special _post_title / _post_content / _validate_email
596 // keys are resolvable via acf_get_field().
597 foreach ( $this->get_default_fields() as $field ) {
598 acf_add_local_field( $field );
599 }
600
601 // Append post_title field.
602 if ( $args['post_title'] ) {
603 $fields[] = acf_get_field( '_post_title' );
604 }
605
606 // Append post_content field.
607 if ( $args['post_content'] ) {
608 $fields[] = acf_get_field( '_post_content' );
609 }
610
611 // Load specific fields.
612 if ( $args['fields'] ) {
613 foreach ( $args['fields'] as $selector ) {
614 if ( $post_id ) {
615 // Lookup fields using $strict = false for better compatibility with field names.
616 $fields[] = acf_maybe_get_field( $selector, $post_id, false );
617 } else {
618 // No post to resolve meta references against — skip acf_maybe_get_field()'s
619 // post_id resolution, which can fatal in get_queried_object() if submit_form()
620 // runs before WordPress's main query is built.
621 $fields[] = acf_get_field( $selector );
622 }
623 }
624
625 // Load specific field groups.
626 } elseif ( $args['field_groups'] ) {
627 foreach ( $args['field_groups'] as $selector ) {
628 $field_groups[] = acf_get_field_group( $selector );
629 }
630
631 // Load fields for the given "new_post" args.
632 } elseif ( 'new_post' === $args['post_id'] ) {
633 $field_groups = acf_get_field_groups( $args['new_post'] );
634
635 // Load fields for the given "post_id" arg.
636 } else {
637 $field_groups = acf_get_field_groups(
638 array(
639 'post_id' => $args['post_id'],
640 )
641 );
642 }
643
644 // Load fields from the found field groups.
645 if ( $field_groups ) {
646 foreach ( $field_groups as $field_group ) {
647 $_fields = acf_get_fields( $field_group );
648 if ( $_fields ) {
649 foreach ( $_fields as $_field ) {
650 $fields[] = $_field;
651 }
652 }
653 }
654 }
655
656 // Add honeypot field.
657 if ( $args['honeypot'] ) {
658 $fields[] = acf_get_field( '_validate_email' );
659 }
660
661 return array_filter( $fields );
662 }
663
664 /**
665 * Returns the top-level $_POST['acf'] keys a given form configuration will accept on save.
666 *
667 * Derived from the same field discovery render_form() uses, so the set of save-acceptable
668 * keys matches the set of keys the form actually rendered. For seamless clone fields whose
669 * subfield input names nest under the parent clone's key (e.g. acf[clone_key][subkey]),
670 * the parent's top-level key is what gets returned.
671 *
672 * @since SCF 6.8.5
673 *
674 * @param array $form The validated form configuration.
675 * @param array $fields Optional pre-discovered fields for this form to avoid a
676 * redundant get_form_fields() call when the caller already has them.
677 * @return array
678 */
679 public function get_allowed_field_keys( array $form, array $fields = array() ): array {
680 $keys = array();
681 $fields = ! empty( $fields ) ? $fields : $this->get_form_fields( $form );
682
683 foreach ( $fields as $field ) {
684 $prefix = $field['prefix'] ?? 'acf';
685
686 if ( 'acf' === $prefix ) {
687 if ( ! empty( $field['key'] ) ) {
688 $keys[] = $field['key'];
689 }
690 } elseif ( preg_match( '/^acf\[([^]]+)]$/', $prefix, $matches ) ) {
691 $keys[] = $matches[1];
692 }
693 }
694
695 // Include keys folded in from sibling acf_form() calls on the same page.
696 if ( ! empty( $form['_additional_allowed_field_keys'] ) && is_array( $form['_additional_allowed_field_keys'] ) ) {
697 $keys = array_merge( $keys, $form['_additional_allowed_field_keys'] );
698 }
699
700 $keys = array_values( array_unique( array_filter( $keys ) ) );
701
702 /**
703 * Filters the list of $_POST['acf'] keys a front-end form submission is allowed to save.
704 *
705 * Use this to permit additional field keys when a developer dynamically injects fields
706 * into a form via JavaScript that aren't part of the form's declared field configuration.
707 *
708 * @since SCF 6.8.5
709 *
710 * @param array $keys The allowed top-level $_POST['acf'] keys.
711 * @param array $form The validated form configuration.
712 */
713 $keys = apply_filters( 'acf/form/allowed_field_keys', $keys, $form );
714
715 // Re-normalize after the filter so a misbehaving callback can't break array_flip()
716 // downstream in submit_form() with non-scalar or empty values.
717 $keys = array_filter( (array) $keys, 'is_scalar' );
718 return array_values( array_unique( array_filter( array_map( 'strval', $keys ) ) ) );
719 }
720
721 /**
722 * Renders a front-end ACF form.
723 *
724 * Accepts either an array of form configuration (validated via validate_form()) or the
725 * string id of a form previously registered with acf_register_form(). Outputs the form
726 * HTML directly.
727 *
728 * @since ACF 5.4.0
729 *
730 * @param array|string $args Form configuration array, or the id of a registered form.
731 * @return false|void False if a registered form id was passed and no matching form exists;
732 * otherwise outputs the form and returns no value.
733 */
734 public function render_form( $args = array() ) {
735
736 // Vars.
737 $is_registered = false;
738
739 // Allow form settings to be directly provided.
740 if ( is_array( $args ) ) {
741 $args = $this->validate_form( $args );
742
743 // Otherwise, lookup registered form.
744 } else {
745 $is_registered = true;
746 $args = $this->get_form( $args );
747 if ( ! $args ) {
748 return false;
749 }
750 }
751
752 // Extract vars.
753 $post_id = $args['post_id'];
754
755 // Prevent ACF from loading values for "new_post".
756 if ( 'new_post' === $post_id ) {
757 $post_id = false;
758 }
759
760 // Set uploader type.
761 acf_update_setting( 'uploader', $args['uploader'] );
762
763 // Discover the fields this form will expose.
764 $fields = $this->get_form_fields( $args );
765
766 // Load values for the special _post_title / _post_content fields so they
767 // render pre-populated with the current post's data.
768 foreach ( $fields as &$field ) {
769 if ( ! isset( $field['key'] ) ) {
770 continue;
771 }
772 if ( '_post_title' === $field['key'] ) {
773 $field['value'] = $post_id ? get_post_field( 'post_title', $post_id ) : '';
774 } elseif ( '_post_content' === $field['key'] ) {
775 $field['value'] = $post_id ? get_post_field( 'post_content', $post_id ) : '';
776 }
777 }
778 unset( $field );
779
780 // Display updated_message
781 if ( ! empty( $_GET['updated'] ) && $args['updated_message'] ) { // phpcs:ignore WordPress.Security.NonceVerification.Recommended -- Used as a flag; data not used.
782 printf( $args['html_updated_message'], $args['updated_message'] ); //phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped -- designed to contain potentially unsafe HTML, set by developers.
783 }
784
785 // display form
786 if ( $args['form'] ) : ?>
787 <form <?php echo acf_esc_attrs( $args['form_attributes'] ); ?>>
788 <?php
789 endif;
790
791 // Render hidden form data.
792 $render_id = $this->get_render_id();
793 $acf_form_value = $is_registered ? $args['id'] : acf_encrypt( wp_json_encode( $args ) );
794 acf_form_data(
795 array(
796 'screen' => 'acf_form',
797 'post_id' => $args['post_id'],
798 'form' => $acf_form_value,
799 'render_id' => $render_id,
800 )
801 );
802
803 /**
804 * Emit a per-form metadata token. PHP keeps only the last `_acf_form` input
805 * after browser-level dedup, so multiple acf_form() calls inside a single
806 * outer <form> would otherwise lose all but one form's allow-list —
807 * `_acf_form_meta[]` uses the array form to survive that and carries each
808 * form's contribution.
809 */
810 $meta = wp_json_encode(
811 array(
812 'render_id' => $render_id,
813 'form_anchor' => hash( 'sha256', (string) $acf_form_value ),
814 'target_post_id' => (string) $args['post_id'],
815 'issued_at' => time(),
816 'allowed_field_keys' => $this->get_allowed_field_keys( $args, $fields ),
817 'post_title' => (bool) $args['post_title'],
818 'post_content' => (bool) $args['post_content'],
819 )
820 );
821 acf_hidden_input(
822 array(
823 'name' => '_acf_form_meta[]',
824 'value' => acf_encrypt( $meta ),
825 )
826 );
827
828 ?>
829 <div class="acf-fields acf-form-fields -<?php echo esc_attr( $args['label_placement'] ); ?>">
830 <?php echo $args['html_before_fields']; ?><?php //phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped -- designed to contain potentially unsafe HTML, set by developers. ?>
831 <?php acf_render_fields( $fields, $post_id, $args['field_el'], $args['instruction_placement'] ); ?>
832 <?php echo $args['html_after_fields']; ?><?php //phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped -- designed to contain potentially unsafe HTML, set by developers. ?>
833 </div>
834 <?php if ( $args['form'] ) : ?>
835 <div class="acf-form-submit">
836 <?php printf( $args['html_submit_button'], $args['submit_value'] ); ?><?php //phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped -- designed to contain potentially unsafe HTML, set by developers. ?>
837 <?php echo $args['html_submit_spinner']; ?><?php //phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped -- designed to contain potentially unsafe HTML, set by developers. ?>
838 </div>
839 </form>
840 <?php endif;
841 }
842 }
843
844 // initialize
845 acf()->form_front = new acf_form_front();
846 endif; // class_exists check
847
848
849 /**
850 * Functions
851 *
852 * alias of acf()->form->functions
853 *
854 * @type function
855 * @date 11/06/2014
856 * @since ACF 5.0.0
857 *
858 * @param n/a
859 * @return n/a
860 */
861 function acf_form_head() {
862
863 acf()->form_front->enqueue_form();
864 }
865
866 function acf_form( $args = array() ) {
867
868 acf()->form_front->render_form( $args );
869 }
870
871 function acf_get_form( $id = '' ) {
872
873 return acf()->form_front->get_form( $id );
874 }
875
876 function acf_get_forms() {
877 return acf()->form_front->get_forms();
878 }
879
880 function acf_register_form( $args ) {
881
882 acf()->form_front->add_form( $args );
883 }
884
885 ?>
886