initial
This commit is contained in:
@@ -0,0 +1,883 @@
|
||||
<?php
|
||||
/**
|
||||
* @package ACF
|
||||
* @author WP Engine
|
||||
*
|
||||
* © 2026 Advanced Custom Fields (ACF®). All rights reserved.
|
||||
* "ACF" is a trademark of WP Engine.
|
||||
* Licensed under the GNU General Public License v2 or later.
|
||||
* https://www.gnu.org/licenses/gpl-2.0.html
|
||||
*/
|
||||
|
||||
if ( ! defined( 'ABSPATH' ) ) {
|
||||
exit; // Exit if accessed directly
|
||||
}
|
||||
|
||||
if ( ! class_exists( 'acf_form_front' ) ) :
|
||||
class acf_form_front {
|
||||
|
||||
/**
|
||||
* An array of registered form settings.
|
||||
* @var array
|
||||
*/
|
||||
private $forms = array();
|
||||
|
||||
/**
|
||||
* An array of default fields.
|
||||
* @var array
|
||||
*/
|
||||
public $fields = array();
|
||||
|
||||
/**
|
||||
* Per-request render id, shared across every render_form() call in this request.
|
||||
*
|
||||
* @var string|null
|
||||
*/
|
||||
private $render_id = null;
|
||||
|
||||
/**
|
||||
* Constructs the class.
|
||||
*
|
||||
* @since 5.0.0
|
||||
*/
|
||||
public function __construct() {
|
||||
add_action( 'acf/validate_save_post', array( $this, 'validate_save_post' ), 1 );
|
||||
add_filter( 'acf/pre_save_post', array( $this, 'pre_save_post' ), 5, 2 );
|
||||
}
|
||||
|
||||
/**
|
||||
* Returns fields used by frontend forms.
|
||||
*
|
||||
* @since 6.4
|
||||
*
|
||||
* @return array
|
||||
*/
|
||||
public function get_default_fields(): array {
|
||||
$this->fields = array(
|
||||
'_post_title' => array(
|
||||
'prefix' => 'acf',
|
||||
'name' => '_post_title',
|
||||
'key' => '_post_title',
|
||||
'label' => __( 'Title', 'acf' ),
|
||||
'type' => 'text',
|
||||
'required' => true,
|
||||
),
|
||||
|
||||
'_post_content' => array(
|
||||
'prefix' => 'acf',
|
||||
'name' => '_post_content',
|
||||
'key' => '_post_content',
|
||||
'label' => __( 'Content', 'acf' ),
|
||||
'type' => 'wysiwyg',
|
||||
),
|
||||
|
||||
'_validate_email' => array(
|
||||
'prefix' => 'acf',
|
||||
'name' => '_validate_email',
|
||||
'key' => '_validate_email',
|
||||
'label' => __( 'Validate Email', 'acf' ),
|
||||
'type' => 'text',
|
||||
'value' => '',
|
||||
'wrapper' => array( 'style' => 'display:none !important;' ),
|
||||
),
|
||||
);
|
||||
|
||||
return $this->fields;
|
||||
}
|
||||
|
||||
/**
|
||||
* description
|
||||
*
|
||||
* @type function
|
||||
* @date 28/2/17
|
||||
* @since 5.5.8
|
||||
*
|
||||
* @param $post_id (int)
|
||||
* @return $post_id (int)
|
||||
*/
|
||||
function validate_form( $args ) {
|
||||
|
||||
// defaults
|
||||
// Todo: Allow message and button text to be generated by CPT settings.
|
||||
$args = wp_parse_args(
|
||||
$args,
|
||||
array(
|
||||
'id' => 'acf-form',
|
||||
'post_id' => false,
|
||||
'new_post' => false,
|
||||
'field_groups' => false,
|
||||
'fields' => false,
|
||||
'post_title' => false,
|
||||
'post_content' => false,
|
||||
'form' => true,
|
||||
'form_attributes' => array(),
|
||||
'return' => add_query_arg( 'updated', 'true', acf_get_current_url() ),
|
||||
'html_before_fields' => '',
|
||||
'html_after_fields' => '',
|
||||
'submit_value' => __( 'Update', 'acf' ),
|
||||
'updated_message' => __( 'Post updated', 'acf' ),
|
||||
'label_placement' => 'top',
|
||||
'instruction_placement' => 'label',
|
||||
'field_el' => 'div',
|
||||
'uploader' => 'wp',
|
||||
'honeypot' => true,
|
||||
'html_updated_message' => '<div id="message" class="updated"><p>%s</p></div>', // 5.5.10
|
||||
'html_submit_button' => '<input type="submit" class="acf-button button button-primary button-large" value="%s" />', // 5.5.10
|
||||
'html_submit_spinner' => '<span class="acf-spinner"></span>', // 5.5.10
|
||||
'kses' => true, // 5.6.5
|
||||
)
|
||||
);
|
||||
|
||||
$args['form_attributes'] = wp_parse_args(
|
||||
$args['form_attributes'],
|
||||
array(
|
||||
'id' => $args['id'],
|
||||
'class' => 'acf-form',
|
||||
'action' => '',
|
||||
'method' => 'post',
|
||||
)
|
||||
);
|
||||
|
||||
// filter post_id
|
||||
$args['post_id'] = acf_get_valid_post_id( $args['post_id'] );
|
||||
|
||||
// new post?
|
||||
if ( $args['post_id'] === 'new_post' ) {
|
||||
$args['new_post'] = wp_parse_args(
|
||||
$args['new_post'],
|
||||
array(
|
||||
'post_type' => 'post',
|
||||
'post_status' => 'draft',
|
||||
)
|
||||
);
|
||||
}
|
||||
|
||||
// filter
|
||||
$args = apply_filters( 'acf/validate_form', $args );
|
||||
|
||||
// return
|
||||
return $args;
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* description
|
||||
*
|
||||
* @type function
|
||||
* @date 28/2/17
|
||||
* @since 5.5.8
|
||||
*
|
||||
* @param $post_id (int)
|
||||
* @return $post_id (int)
|
||||
*/
|
||||
function add_form( $args = array() ) {
|
||||
|
||||
// validate
|
||||
$args = $this->validate_form( $args );
|
||||
|
||||
// append
|
||||
$this->forms[ $args['id'] ] = $args;
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* description
|
||||
*
|
||||
* @type function
|
||||
* @date 28/2/17
|
||||
* @since 5.5.8
|
||||
*
|
||||
* @param $post_id (int)
|
||||
* @return $post_id (int)
|
||||
*/
|
||||
function get_form( $id = '' ) {
|
||||
|
||||
// bail early if not set
|
||||
if ( ! isset( $this->forms[ $id ] ) ) {
|
||||
return false;
|
||||
}
|
||||
|
||||
// return
|
||||
return $this->forms[ $id ];
|
||||
}
|
||||
|
||||
function get_forms() {
|
||||
return $this->forms;
|
||||
}
|
||||
|
||||
/**
|
||||
* This function will validate fields from the above array
|
||||
*
|
||||
* @type function
|
||||
* @date 7/09/2016
|
||||
* @since 5.4.0
|
||||
*
|
||||
* @param $post_id (int)
|
||||
* @return $post_id (int)
|
||||
*/
|
||||
function validate_save_post() {
|
||||
|
||||
// register field if isset in $_POST
|
||||
foreach ( $this->get_default_fields() as $k => $field ) {
|
||||
|
||||
// bail early if no in $_POST
|
||||
if ( ! isset( $_POST['acf'][ $k ] ) ) { // phpcs:ignore WordPress.Security.NonceVerification.Missing -- Verified elsewhere.
|
||||
continue;
|
||||
}
|
||||
|
||||
// register
|
||||
acf_add_local_field( $field );
|
||||
}
|
||||
|
||||
// honeypot
|
||||
if ( ! empty( $_POST['acf']['_validate_email'] ) ) { // phpcs:ignore WordPress.Security.NonceVerification.Missing -- Data not used; presence indicates spam.
|
||||
|
||||
acf_add_validation_error( '', __( 'Spam Detected', 'acf' ) );
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* description
|
||||
*
|
||||
* @type function
|
||||
* @date 7/09/2016
|
||||
* @since 5.4.0
|
||||
*
|
||||
* @param $post_id (int)
|
||||
* @return $post_id (int)
|
||||
*/
|
||||
function pre_save_post( $post_id, $form ) {
|
||||
|
||||
// vars
|
||||
$save = array(
|
||||
'ID' => 0,
|
||||
);
|
||||
|
||||
// determine save data
|
||||
if ( is_numeric( $post_id ) ) {
|
||||
|
||||
// update post
|
||||
$save['ID'] = $post_id;
|
||||
} elseif ( $post_id == 'new_post' ) {
|
||||
|
||||
// merge in new post data
|
||||
$save = array_merge( $save, $form['new_post'] );
|
||||
} else {
|
||||
|
||||
// not post
|
||||
return $post_id;
|
||||
}
|
||||
|
||||
// phpcs:disable WordPress.Security.NonceVerification.Missing -- Verified in check_submit_form().
|
||||
// Always extract the special _post_title / _post_content fields from $_POST['acf'] so they
|
||||
// cannot leak into acf_update_values() downstream, but only apply them to the post when the
|
||||
// form was rendered with the corresponding option enabled (mirrors render_form()).
|
||||
if ( isset( $_POST['acf']['_post_title'] ) ) {
|
||||
$post_title = acf_extract_var( $_POST['acf'], '_post_title' ); // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized -- Sanitized by WP when saved.
|
||||
if ( ! empty( $form['post_title'] ) ) {
|
||||
$save['post_title'] = $post_title;
|
||||
}
|
||||
}
|
||||
|
||||
if ( isset( $_POST['acf']['_post_content'] ) ) {
|
||||
$post_content = acf_extract_var( $_POST['acf'], '_post_content' ); // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized -- Sanitized by WP when saved.
|
||||
if ( ! empty( $form['post_content'] ) ) {
|
||||
$save['post_content'] = $post_content;
|
||||
}
|
||||
}
|
||||
// phpcs:enable WordPress.Security.NonceVerification.Missing
|
||||
|
||||
// honeypot
|
||||
if ( ! empty( $_POST['acf']['_validate_email'] ) ) { // phpcs:ignore WordPress.Security.NonceVerification.Missing -- Data not used; presence indicates spam.
|
||||
return false;
|
||||
}
|
||||
|
||||
// validate
|
||||
if ( count( $save ) == 1 ) {
|
||||
return $post_id;
|
||||
}
|
||||
|
||||
// save
|
||||
if ( $save['ID'] ) {
|
||||
wp_update_post( $save );
|
||||
} else {
|
||||
$post_id = wp_insert_post( $save );
|
||||
}
|
||||
|
||||
// return
|
||||
return $post_id;
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* This function will enqueue a form
|
||||
*
|
||||
* @type function
|
||||
* @date 7/09/2016
|
||||
* @since 5.4.0
|
||||
*
|
||||
* @param $post_id (int)
|
||||
* @return $post_id (int)
|
||||
*/
|
||||
function enqueue_form() {
|
||||
|
||||
// check
|
||||
$this->check_submit_form();
|
||||
|
||||
// load acf scripts
|
||||
acf_enqueue_scripts();
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* This function will maybe submit form data
|
||||
*
|
||||
* @type function
|
||||
* @date 3/3/17
|
||||
* @since 5.5.10
|
||||
*
|
||||
* @param n/a
|
||||
* @return n/a
|
||||
*/
|
||||
function check_submit_form() {
|
||||
|
||||
// Verify nonce.
|
||||
if ( ! acf_verify_nonce( 'acf_form' ) ) {
|
||||
return false;
|
||||
}
|
||||
|
||||
// Confirm form was submit.
|
||||
if ( ! isset( $_POST['_acf_form'] ) ) {
|
||||
return false;
|
||||
}
|
||||
|
||||
// Load registered form using id.
|
||||
$form = $this->get_form( acf_sanitize_request_args( $_POST['_acf_form'] ) );
|
||||
|
||||
// Fallback to encrypted JSON.
|
||||
if ( ! $form ) {
|
||||
$form = json_decode( acf_decrypt( sanitize_text_field( $_POST['_acf_form'] ) ), true );
|
||||
if ( ! $form ) {
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
||||
$form = $this->merge_form_meta( $form );
|
||||
|
||||
// Run kses on all $_POST data.
|
||||
if ( $form['kses'] && isset( $_POST['acf'] ) ) {
|
||||
$_POST['acf'] = wp_kses_post_deep( $_POST['acf'] ); // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized -- False positive.
|
||||
}
|
||||
|
||||
// Validate data and show errors.
|
||||
// Todo: Return WP_Error and show above form, keeping input values.
|
||||
acf_validate_save_post( true );
|
||||
|
||||
// Submit form.
|
||||
$this->submit_form( $form );
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* This function will submit form data
|
||||
*
|
||||
* @type function
|
||||
* @date 3/3/17
|
||||
* @since 5.5.10
|
||||
*
|
||||
* @param n/a
|
||||
* @return n/a
|
||||
*/
|
||||
function submit_form( $form ) {
|
||||
|
||||
// filter
|
||||
$form = apply_filters( 'acf/pre_submit_form', $form );
|
||||
|
||||
// vars
|
||||
$post_id = acf_maybe_get( $form, 'post_id', 0 );
|
||||
|
||||
// add global for backwards compatibility
|
||||
$GLOBALS['acf_form'] = $form;
|
||||
|
||||
// allow for custom save
|
||||
$post_id = apply_filters( 'acf/pre_save_post', $post_id, $form );
|
||||
|
||||
// Restrict $_POST['acf'] to the field keys the form actually exposed, so the
|
||||
// save path cannot accept values for fields the form did not render.
|
||||
// phpcs:disable WordPress.Security.NonceVerification.Missing -- Verified in check_submit_form().
|
||||
if ( isset( $_POST['acf'] ) && is_array( $_POST['acf'] ) ) {
|
||||
$allowed_keys = $this->get_allowed_field_keys( $form );
|
||||
$_POST['acf'] = array_intersect_key( $_POST['acf'], array_flip( $allowed_keys ) ); // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized, WordPress.Security.ValidatedSanitizedInput.MissingUnslash -- Sanitized downstream; save pipeline expects slashed input.
|
||||
}
|
||||
// phpcs:enable WordPress.Security.NonceVerification.Missing
|
||||
|
||||
// save
|
||||
acf_save_post( $post_id );
|
||||
|
||||
// restore form (potentially modified)
|
||||
$form = $GLOBALS['acf_form'];
|
||||
|
||||
// action
|
||||
do_action( 'acf/submit_form', $form, $post_id );
|
||||
|
||||
// vars
|
||||
$return = acf_maybe_get( $form, 'return', '' );
|
||||
|
||||
// redirect
|
||||
if ( $return ) {
|
||||
|
||||
// update %placeholders%
|
||||
$return = str_replace( '%post_id%', $post_id, $return );
|
||||
$return = str_replace( '%post_url%', get_permalink( $post_id ), $return );
|
||||
|
||||
// redirect
|
||||
wp_redirect( $return ); //phpcs:ignore WordPress.Security.SafeRedirect.wp_redirect_wp_redirect -- unsafe redirects allowed.
|
||||
exit;
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Returns the per-request render ID, generating one if necessary.
|
||||
*
|
||||
* @since 6.8.4
|
||||
*
|
||||
* @return string
|
||||
*/
|
||||
protected function get_render_id(): string {
|
||||
if ( $this->render_id === null ) {
|
||||
$this->render_id = wp_generate_uuid4();
|
||||
}
|
||||
return $this->render_id;
|
||||
}
|
||||
|
||||
/**
|
||||
* Folds metadata from `_acf_form_meta[]` inputs into the primary form
|
||||
* configuration so the multi-`acf_form()`-in-one-outer-`<form>` pattern works.
|
||||
*
|
||||
* Non-field request-level args (`post_id`, `return`, `new_post`, `kses`) stay
|
||||
* "last wins" via the primary form.
|
||||
*
|
||||
* @since 6.8.4
|
||||
*
|
||||
* @param array $form The primary form configuration loaded from `_acf_form`.
|
||||
* @return array The primary form with allowed-key extras and OR'd title/content flags.
|
||||
*/
|
||||
protected function merge_form_meta( array $form ): array {
|
||||
// phpcs:disable WordPress.Security.NonceVerification.Missing -- Verified above in check_submit_form().
|
||||
if ( empty( $_POST['_acf_form_meta'] ) || ! is_array( $_POST['_acf_form_meta'] ) ) {
|
||||
return $form;
|
||||
}
|
||||
|
||||
if ( empty( $_POST['_acf_render_id'] ) || ! is_scalar( $_POST['_acf_render_id'] ) ) {
|
||||
return $form;
|
||||
}
|
||||
$expected_render_id = sanitize_text_field( wp_unslash( $_POST['_acf_render_id'] ) );
|
||||
|
||||
// wp_unslash only — sanitize_text_field would desync from the raw
|
||||
// $acf_form_value hashed render-side.
|
||||
$primary_form_value = ( isset( $_POST['_acf_form'] ) && is_scalar( $_POST['_acf_form'] ) )
|
||||
? (string) wp_unslash( $_POST['_acf_form'] ) // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized -- Must match render-side bytes hashed into the form anchor.
|
||||
: '';
|
||||
|
||||
$expected_anchor = hash( 'sha256', $primary_form_value );
|
||||
$primary_post_id = isset( $form['post_id'] ) ? (string) $form['post_id'] : '';
|
||||
|
||||
/**
|
||||
* Filters how long a `_acf_form_meta[]` payload remains valid after the page that
|
||||
* emitted it was rendered.
|
||||
*
|
||||
* @since 6.8.4
|
||||
*
|
||||
* @param int $ttl Allowed age of a meta payload, in seconds.
|
||||
*/
|
||||
$ttl = (int) apply_filters( 'acf/form/meta_ttl', DAY_IN_SECONDS );
|
||||
$now = time();
|
||||
|
||||
$valid_metas = array();
|
||||
$primary_present = false;
|
||||
|
||||
foreach ( $_POST['_acf_form_meta'] as $token ) { // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized, WordPress.Security.ValidatedSanitizedInput.MissingUnslash -- Each $token is sanitized below before use.
|
||||
if ( ! is_scalar( $token ) ) {
|
||||
continue;
|
||||
}
|
||||
|
||||
$decoded = json_decode( acf_decrypt( sanitize_text_field( $token ) ), true );
|
||||
if ( ! is_array( $decoded ) ) {
|
||||
continue;
|
||||
}
|
||||
|
||||
if ( empty( $decoded['render_id'] ) || ! is_string( $decoded['render_id'] ) ) {
|
||||
continue;
|
||||
}
|
||||
|
||||
if ( ! hash_equals( $expected_render_id, $decoded['render_id'] ) ) {
|
||||
continue;
|
||||
}
|
||||
|
||||
if ( ! isset( $decoded['issued_at'] ) || ! is_numeric( $decoded['issued_at'] ) ) {
|
||||
continue;
|
||||
}
|
||||
if ( ( $now - (int) $decoded['issued_at'] ) >= $ttl ) {
|
||||
continue;
|
||||
}
|
||||
|
||||
if ( ! empty( $decoded['form_anchor'] )
|
||||
&& is_string( $decoded['form_anchor'] )
|
||||
&& hash_equals( $expected_anchor, $decoded['form_anchor'] )
|
||||
) {
|
||||
$primary_present = true;
|
||||
}
|
||||
|
||||
$valid_metas[] = $decoded;
|
||||
}
|
||||
|
||||
if ( ! $primary_present ) {
|
||||
return $form;
|
||||
}
|
||||
|
||||
$extra_keys = array();
|
||||
|
||||
foreach ( $valid_metas as $decoded ) {
|
||||
$target_post_id = isset( $decoded['target_post_id'] ) ? (string) $decoded['target_post_id'] : '';
|
||||
if ( ! hash_equals( $primary_post_id, $target_post_id ) ) {
|
||||
continue;
|
||||
}
|
||||
|
||||
if ( ! empty( $decoded['allowed_field_keys'] ) && is_array( $decoded['allowed_field_keys'] ) ) {
|
||||
foreach ( $decoded['allowed_field_keys'] as $key ) {
|
||||
if ( is_scalar( $key ) ) {
|
||||
$extra_keys[] = (string) $key;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
if ( ! empty( $decoded['post_title'] ) ) {
|
||||
$form['post_title'] = true;
|
||||
}
|
||||
if ( ! empty( $decoded['post_content'] ) ) {
|
||||
$form['post_content'] = true;
|
||||
}
|
||||
}
|
||||
// phpcs:enable WordPress.Security.NonceVerification.Missing
|
||||
|
||||
if ( $extra_keys ) {
|
||||
$form['_additional_allowed_field_keys'] = array_values( array_unique( $extra_keys ) );
|
||||
}
|
||||
|
||||
return $form;
|
||||
}
|
||||
|
||||
/**
|
||||
* Returns the fields a given form configuration will expose, mirroring the
|
||||
* selection logic used by render_form().
|
||||
*
|
||||
* Used by render_form() to discover what to render, and by submit_form() to
|
||||
* derive the set of $_POST['acf'] keys the save path will accept.
|
||||
*
|
||||
* @since 6.8.2
|
||||
*
|
||||
* @param array $args The validated form configuration.
|
||||
* @return array
|
||||
*/
|
||||
protected function get_form_fields( array $args ): array {
|
||||
$fields = array();
|
||||
$field_groups = array();
|
||||
$post_id = $args['post_id'];
|
||||
|
||||
// Prevent ACF from loading values for "new_post".
|
||||
if ( $post_id === 'new_post' ) {
|
||||
$post_id = false;
|
||||
}
|
||||
|
||||
// Register local default fields so the special _post_title / _post_content / _validate_email
|
||||
// keys are resolvable via acf_get_field().
|
||||
foreach ( $this->get_default_fields() as $field ) {
|
||||
acf_add_local_field( $field );
|
||||
}
|
||||
|
||||
// Append post_title field.
|
||||
if ( $args['post_title'] ) {
|
||||
$fields[] = acf_get_field( '_post_title' );
|
||||
}
|
||||
|
||||
// Append post_content field.
|
||||
if ( $args['post_content'] ) {
|
||||
$fields[] = acf_get_field( '_post_content' );
|
||||
}
|
||||
|
||||
// Load specific fields.
|
||||
if ( $args['fields'] ) {
|
||||
foreach ( $args['fields'] as $selector ) {
|
||||
if ( $post_id ) {
|
||||
// Lookup fields using $strict = false for better compatibility with field names.
|
||||
$fields[] = acf_maybe_get_field( $selector, $post_id, false );
|
||||
} else {
|
||||
// No post to resolve meta references against — skip acf_maybe_get_field()'s
|
||||
// post_id resolution, which can fatal in get_queried_object() if submit_form()
|
||||
// runs before WordPress's main query is built.
|
||||
$fields[] = acf_get_field( $selector );
|
||||
}
|
||||
}
|
||||
|
||||
// Load specific field groups.
|
||||
} elseif ( $args['field_groups'] ) {
|
||||
foreach ( $args['field_groups'] as $selector ) {
|
||||
$field_groups[] = acf_get_field_group( $selector );
|
||||
}
|
||||
|
||||
// Load fields for the given "new_post" args.
|
||||
} elseif ( $args['post_id'] === 'new_post' ) {
|
||||
$field_groups = acf_get_field_groups( $args['new_post'] );
|
||||
|
||||
// Load fields for the given "post_id" arg.
|
||||
} else {
|
||||
$field_groups = acf_get_field_groups(
|
||||
array(
|
||||
'post_id' => $args['post_id'],
|
||||
)
|
||||
);
|
||||
}
|
||||
|
||||
// Load fields from the found field groups.
|
||||
if ( $field_groups ) {
|
||||
foreach ( $field_groups as $field_group ) {
|
||||
$_fields = acf_get_fields( $field_group );
|
||||
if ( $_fields ) {
|
||||
foreach ( $_fields as $_field ) {
|
||||
$fields[] = $_field;
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// Add honeypot field.
|
||||
if ( $args['honeypot'] ) {
|
||||
$fields[] = acf_get_field( '_validate_email' );
|
||||
}
|
||||
|
||||
return array_filter( $fields );
|
||||
}
|
||||
|
||||
/**
|
||||
* Returns the top-level $_POST['acf'] keys a given form configuration will accept on save.
|
||||
*
|
||||
* Derived from the same field discovery render_form() uses, so the set of save-acceptable
|
||||
* keys matches the set of keys the form actually rendered. For seamless clone fields whose
|
||||
* subfield input names nest under the parent clone's key (e.g. acf[clone_key][subkey]),
|
||||
* the parent's top-level key is what gets returned.
|
||||
*
|
||||
* @since 6.8.2
|
||||
*
|
||||
* @param array $form The validated form configuration.
|
||||
* @param array $fields Optional pre-discovered fields for this form to avoid a
|
||||
* redundant get_form_fields() call when the caller already has them.
|
||||
* @return array
|
||||
*/
|
||||
public function get_allowed_field_keys( array $form, array $fields = array() ): array {
|
||||
$keys = array();
|
||||
$fields = $fields ?: $this->get_form_fields( $form );
|
||||
|
||||
foreach ( $fields as $field ) {
|
||||
$prefix = $field['prefix'] ?? 'acf';
|
||||
|
||||
if ( $prefix === 'acf' ) {
|
||||
if ( ! empty( $field['key'] ) ) {
|
||||
$keys[] = $field['key'];
|
||||
}
|
||||
} elseif ( preg_match( '/^acf\[([^]]+)]$/', $prefix, $matches ) ) {
|
||||
$keys[] = $matches[1];
|
||||
}
|
||||
}
|
||||
|
||||
// Include keys folded in from sibling acf_form() calls on the same page.
|
||||
if ( ! empty( $form['_additional_allowed_field_keys'] ) && is_array( $form['_additional_allowed_field_keys'] ) ) {
|
||||
$keys = array_merge( $keys, $form['_additional_allowed_field_keys'] );
|
||||
}
|
||||
|
||||
$keys = array_values( array_unique( array_filter( $keys ) ) );
|
||||
|
||||
/**
|
||||
* Filters the list of $_POST['acf'] keys a front-end form submission is allowed to save.
|
||||
*
|
||||
* Use this to permit additional field keys when a developer dynamically injects fields
|
||||
* into a form via JavaScript that aren't part of the form's declared field configuration.
|
||||
*
|
||||
* @since 6.8.2
|
||||
*
|
||||
* @param array $keys The allowed top-level $_POST['acf'] keys.
|
||||
* @param array $form The validated form configuration.
|
||||
*/
|
||||
$keys = apply_filters( 'acf/form/allowed_field_keys', $keys, $form );
|
||||
|
||||
// Re-normalize after the filter so a misbehaving callback can't break array_flip()
|
||||
// downstream in submit_form() with non-scalar or empty values.
|
||||
$keys = array_filter( (array) $keys, 'is_scalar' );
|
||||
return array_values( array_unique( array_filter( array_map( 'strval', $keys ) ) ) );
|
||||
}
|
||||
|
||||
/**
|
||||
* Renders a front-end ACF form.
|
||||
*
|
||||
* Accepts either an array of form configuration (validated via validate_form()) or the
|
||||
* string id of a form previously registered with acf_register_form(). Outputs the form
|
||||
* HTML directly.
|
||||
*
|
||||
* @since 5.4.0
|
||||
*
|
||||
* @param array|string $args Form configuration array, or the id of a registered form.
|
||||
* @return false|void False if a registered form id was passed and no matching form exists;
|
||||
* otherwise outputs the form and returns no value.
|
||||
*/
|
||||
function render_form( $args = array() ) {
|
||||
|
||||
// Vars.
|
||||
$is_registered = false;
|
||||
|
||||
// Allow form settings to be directly provided.
|
||||
if ( is_array( $args ) ) {
|
||||
$args = $this->validate_form( $args );
|
||||
|
||||
// Otherwise, lookup registered form.
|
||||
} else {
|
||||
$is_registered = true;
|
||||
$args = $this->get_form( $args );
|
||||
if ( ! $args ) {
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
||||
// Extract vars.
|
||||
$post_id = $args['post_id'];
|
||||
|
||||
// Prevent ACF from loading values for "new_post".
|
||||
if ( $post_id === 'new_post' ) {
|
||||
$post_id = false;
|
||||
}
|
||||
|
||||
// Set uploader type.
|
||||
acf_update_setting( 'uploader', $args['uploader'] );
|
||||
|
||||
// Discover the fields this form will expose.
|
||||
$fields = $this->get_form_fields( $args );
|
||||
|
||||
// Load values for the special _post_title / _post_content fields so they
|
||||
// render pre-populated with the current post's data.
|
||||
foreach ( $fields as &$field ) {
|
||||
if ( ! isset( $field['key'] ) ) {
|
||||
continue;
|
||||
}
|
||||
if ( $field['key'] === '_post_title' ) {
|
||||
$field['value'] = $post_id ? get_post_field( 'post_title', $post_id ) : '';
|
||||
} elseif ( $field['key'] === '_post_content' ) {
|
||||
$field['value'] = $post_id ? get_post_field( 'post_content', $post_id ) : '';
|
||||
}
|
||||
}
|
||||
unset( $field );
|
||||
|
||||
// Display updated_message
|
||||
if ( ! empty( $_GET['updated'] ) && $args['updated_message'] ) { // phpcs:ignore WordPress.Security.NonceVerification.Recommended -- Used as a flag; data not used.
|
||||
printf( $args['html_updated_message'], $args['updated_message'] ); //phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped -- designed to contain potentially unsafe HTML, set by developers.
|
||||
}
|
||||
|
||||
// display form
|
||||
if ( $args['form'] ) : ?>
|
||||
<form <?php echo acf_esc_attrs( $args['form_attributes'] ); ?>>
|
||||
<?php
|
||||
endif;
|
||||
|
||||
// Render hidden form data.
|
||||
$render_id = $this->get_render_id();
|
||||
$acf_form_value = $is_registered ? $args['id'] : acf_encrypt( wp_json_encode( $args ) );
|
||||
acf_form_data(
|
||||
array(
|
||||
'screen' => 'acf_form',
|
||||
'post_id' => $args['post_id'],
|
||||
'form' => $acf_form_value,
|
||||
'render_id' => $render_id,
|
||||
)
|
||||
);
|
||||
|
||||
/**
|
||||
* Emit a per-form metadata token. PHP keeps only the last `_acf_form` input
|
||||
* after browser-level dedup, so multiple acf_form() calls inside a single
|
||||
* outer <form> would otherwise lose all but one form's allow-list —
|
||||
* `_acf_form_meta[]` uses the array form to survive that and carries each
|
||||
* form's contribution.
|
||||
*/
|
||||
$meta = wp_json_encode(
|
||||
array(
|
||||
'render_id' => $render_id,
|
||||
'form_anchor' => hash( 'sha256', (string) $acf_form_value ),
|
||||
'target_post_id' => (string) $args['post_id'],
|
||||
'issued_at' => time(),
|
||||
'allowed_field_keys' => $this->get_allowed_field_keys( $args, $fields ),
|
||||
'post_title' => (bool) $args['post_title'],
|
||||
'post_content' => (bool) $args['post_content'],
|
||||
)
|
||||
);
|
||||
acf_hidden_input(
|
||||
array(
|
||||
'name' => '_acf_form_meta[]',
|
||||
'value' => acf_encrypt( $meta ),
|
||||
)
|
||||
);
|
||||
|
||||
?>
|
||||
<div class="acf-fields acf-form-fields -<?php echo esc_attr( $args['label_placement'] ); ?>">
|
||||
<?php echo $args['html_before_fields']; ?><?php //phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped -- designed to contain potentially unsafe HTML, set by developers. ?>
|
||||
<?php acf_render_fields( $fields, $post_id, $args['field_el'], $args['instruction_placement'] ); ?>
|
||||
<?php echo $args['html_after_fields']; ?><?php //phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped -- designed to contain potentially unsafe HTML, set by developers. ?>
|
||||
</div>
|
||||
<?php if ( $args['form'] ) : ?>
|
||||
<div class="acf-form-submit">
|
||||
<?php printf( $args['html_submit_button'], $args['submit_value'] ); ?><?php //phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped -- designed to contain potentially unsafe HTML, set by developers. ?>
|
||||
<?php echo $args['html_submit_spinner']; ?><?php //phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped -- designed to contain potentially unsafe HTML, set by developers. ?>
|
||||
</div>
|
||||
</form>
|
||||
<?php endif;
|
||||
}
|
||||
}
|
||||
|
||||
// initialize
|
||||
acf()->form_front = new acf_form_front();
|
||||
endif; // class_exists check
|
||||
|
||||
|
||||
/**
|
||||
* Functions
|
||||
*
|
||||
* alias of acf()->form->functions
|
||||
*
|
||||
* @type function
|
||||
* @date 11/06/2014
|
||||
* @since 5.0.0
|
||||
*
|
||||
* @param n/a
|
||||
* @return n/a
|
||||
*/
|
||||
function acf_form_head() {
|
||||
|
||||
acf()->form_front->enqueue_form();
|
||||
}
|
||||
|
||||
function acf_form( $args = array() ) {
|
||||
|
||||
acf()->form_front->render_form( $args );
|
||||
}
|
||||
|
||||
function acf_get_form( $id = '' ) {
|
||||
|
||||
return acf()->form_front->get_form( $id );
|
||||
}
|
||||
|
||||
function acf_get_forms() {
|
||||
return acf()->form_front->get_forms();
|
||||
}
|
||||
|
||||
function acf_register_form( $args ) {
|
||||
|
||||
acf()->form_front->add_form( $args );
|
||||
}
|
||||
|
||||
?>
|
||||
Reference in New Issue
Block a user