Code Coverage for projects/packages/forms/src/contact-form/class-contact-form.php

	Code Coverage
	Lines			Functions and Methods				Classes and Traits
Total	62.65% covered (warning)	62.65%	956 / 1526	37.18% covered (danger)	37.18%	29 / 78	CRAP	0.00% covered (danger)	0.00%	0 / 1
Contact_Form	62.64% covered (warning)	62.64%	954 / 1523	37.18% covered (danger)	37.18%	29 / 78	15976.45	0.00% covered (danger)	0.00%	0 / 1
set_ref_id	100.00% covered (success)	100.00%	2 / 2	100.00% covered (success)	100.00%	1 / 1	1
clear_ref_id	100.00% covered (success)	100.00%	2 / 2	100.00% covered (success)	100.00%	1 / 1	1
get_ref_id	100.00% covered (success)	100.00%	1 / 1	100.00% covered (success)	100.00%	1 / 1	1
has_seen	100.00% covered (success)	100.00%	1 / 1	100.00% covered (success)	100.00%	1 / 1	2
reset_seen_refs	100.00% covered (success)	100.00%	2 / 2	100.00% covered (success)	100.00%	1 / 1	1
render_synced_form	80.00% covered (warning)	80.00%	12 / 15	0.00% covered (danger)	0.00%	0 / 1	7.39
render_synced_form_content	88.89% covered (warning)	88.89%	8 / 9	0.00% covered (danger)	0.00%	0 / 1	3.01
render_frontend_status_notice	0.00% covered (danger)	0.00%	0 / 37	0.00% covered (danger)	0.00%	0 / 1	42
__construct	93.42% covered (success)	93.42%	71 / 76	0.00% covered (danger)	0.00%	0 / 1	18.09
get_instance_from_jwt	69.74% covered (warning)	69.74%	53 / 76	0.00% covered (danger)	0.00%	0 / 1	35.41
set_source	0.00% covered (danger)	0.00%	0 / 1	0.00% covered (danger)	0.00%	0 / 1	2
get_context	90.00% covered (success)	90.00%	9 / 10	0.00% covered (danger)	0.00%	0 / 1	8.06
increment_form_context_count	60.00% covered (warning)	60.00%	3 / 5	0.00% covered (danger)	0.00%	0 / 1	2.26
register_post_type	100.00% covered (success)	100.00%	69 / 69	100.00% covered (success)	100.00%	1 / 1	1
get_forms_count	100.00% covered (success)	100.00%	1 / 1	100.00% covered (success)	100.00%	1 / 1	1
compute_id	100.00% covered (success)	100.00%	8 / 8	100.00% covered (success)	100.00%	1 / 1	3
get_secret	90.91% covered (success)	90.91%	10 / 11	0.00% covered (danger)	0.00%	0 / 1	5.02
get_default_thank_you_heading	28.57% covered (danger)	28.57%	2 / 7	0.00% covered (danger)	0.00%	0 / 1	6.28
get_attributes	100.00% covered (success)	100.00%	1 / 1	100.00% covered (success)	100.00%	1 / 1	1
get_jwt	91.38% covered (success)	91.38%	53 / 58	0.00% covered (danger)	0.00%	0 / 1	9.05
get_source	50.00% covered (danger)	50.00%	2 / 4	0.00% covered (danger)	0.00%	0 / 1	2.50
get_forms_context_count	100.00% covered (success)	100.00%	4 / 4	100.00% covered (success)	100.00%	1 / 1	2
get_default_to	90.91% covered (success)	90.91%	10 / 11	0.00% covered (danger)	0.00%	0 / 1	5.02
get_default_to_for_editor	92.31% covered (success)	92.31%	12 / 13	0.00% covered (danger)	0.00%	0 / 1	6.02
get_post_property	100.00% covered (success)	100.00%	7 / 7	100.00% covered (success)	100.00%	1 / 1	6
get_default_subject	100.00% covered (success)	100.00%	13 / 13	100.00% covered (success)	100.00%	1 / 1	6
store_shortcode		n/a	0 / 0		n/a	0 / 0	1
style	0.00% covered (danger)	0.00%	0 / 3	0.00% covered (danger)	0.00%	0 / 1	2
style_on	0.00% covered (danger)	0.00%	0 / 1	0.00% covered (danger)	0.00%	0 / 1	2
add_quick_link_to_admin_bar	0.00% covered (danger)	0.00%	0 / 16	0.00% covered (danger)	0.00%	0 / 1	6
parse	73.04% covered (warning)	73.04%	149 / 204	0.00% covered (danger)	0.00%	0 / 1	201.31
prepare_submit_button	88.89% covered (warning)	88.89%	8 / 9	0.00% covered (danger)	0.00%	0 / 1	6.05
add_submit_button_interactivity_attributes	80.00% covered (warning)	80.00%	4 / 5	0.00% covered (danger)	0.00%	0 / 1	3.07
render_noscript_success_message	0.00% covered (danger)	0.00%	0 / 17	0.00% covered (danger)	0.00%	0 / 1	12
format_submission_data	0.00% covered (danger)	0.00%	0 / 18	0.00% covered (danger)	0.00%	0 / 1	42
get_url	0.00% covered (danger)	0.00%	0 / 7	0.00% covered (danger)	0.00%	0 / 1	56
get_rating	0.00% covered (danger)	0.00%	0 / 14	0.00% covered (danger)	0.00%	0 / 1	72
get_field_type_icon	0.00% covered (danger)	0.00%	0 / 18	0.00% covered (danger)	0.00%	0 / 1	20
render_error_wrapper	100.00% covered (success)	100.00%	9 / 9	100.00% covered (success)	100.00%	1 / 1	2
render_ajax_success_wrapper	23.30% covered (danger)	23.30%	24 / 103	0.00% covered (danger)	0.00%	0 / 1	436.08
success_message	100.00% covered (success)	100.00%	25 / 25	100.00% covered (success)	100.00%	1 / 1	4
get_compiled_form	73.68% covered (warning)	73.68%	14 / 19	0.00% covered (danger)	0.00%	0 / 1	5.46
get_json_data		n/a	0 / 0		n/a	0 / 0	3
get_raw_compiled_form_data	66.67% covered (warning)	66.67%	4 / 6	0.00% covered (danger)	0.00%	0 / 1	3.33
get_compiled_form_for_email	0.00% covered (danger)	0.00%	0 / 1	0.00% covered (danger)	0.00%	0 / 1	2
escape_and_sanitize_field_value	100.00% covered (success)	100.00%	24 / 24	100.00% covered (success)	100.00%	1 / 1	19
remove_empty	100.00% covered (success)	100.00%	1 / 1	100.00% covered (success)	100.00%	1 / 1	1
get_file_upload_fields	0.00% covered (danger)	0.00%	0 / 7	0.00% covered (danger)	0.00%	0 / 1	20
delete_feedback_files	0.00% covered (danger)	0.00%	0 / 2	0.00% covered (danger)	0.00%	0 / 1	6
esc_shortcode_val	100.00% covered (success)	100.00%	13 / 13	100.00% covered (success)	100.00%	1 / 1	3
parse_contact_field	79.25% covered (warning)	79.25%	42 / 53	0.00% covered (danger)	0.00%	0 / 1	41.15
is_file_upload_field	100.00% covered (success)	100.00%	5 / 5	100.00% covered (success)	100.00%	1 / 1	5
get_default_label_from_type	44.68% covered (danger)	44.68%	21 / 47	0.00% covered (danger)	0.00%	0 / 1	65.92
get_field_ids	72.97% covered (warning)	72.97%	27 / 37	0.00% covered (danger)	0.00%	0 / 1	16.34
process_submission	82.94% covered (warning)	82.94%	141 / 170	0.00% covered (danger)	0.00%	0 / 1	73.13
has_custom_redirect	100.00% covered (success)	100.00%	4 / 4	100.00% covered (success)	100.00%	1 / 1	3
get_redirect_url	88.89% covered (warning)	88.89%	16 / 18	0.00% covered (danger)	0.00%	0 / 1	6.05
get_permalink	80.00% covered (warning)	80.00%	4 / 5	0.00% covered (danger)	0.00%	0 / 1	3.07
wp_mail	100.00% covered (success)	100.00%	1 / 1	100.00% covered (success)	100.00%	1 / 1	1
add_name_to_address	100.00% covered (success)	100.00%	4 / 4	100.00% covered (success)	100.00%	1 / 1	2
get_mail_content_type	0.00% covered (danger)	0.00%	0 / 1	0.00% covered (danger)	0.00%	0 / 1	2
wrap_message_in_html_tags	100.00% covered (success)	100.00%	1 / 1	100.00% covered (success)	100.00%	1 / 1	1
add_plain_text_alternative	0.00% covered (danger)	0.00%	0 / 1	0.00% covered (danger)	0.00%	0 / 1	2
addslashes_deep	50.00% covered (danger)	50.00%	4 / 8	0.00% covered (danger)	0.00%	0 / 1	6.00
get_block_container_classes	83.33% covered (warning)	83.33%	5 / 6	0.00% covered (danger)	0.00%	0 / 1	3.04
get_block_alignment_class	100.00% covered (success)	100.00%	7 / 7	100.00% covered (success)	100.00%	1 / 1	3
process_file_upload_field	0.00% covered (danger)	0.00%	0 / 29	0.00% covered (danger)	0.00%	0 / 1	90
maybe_transform_value	0.00% covered (danger)	0.00%	0 / 22	0.00% covered (danger)	0.00%	0 / 1	380
get_images	0.00% covered (danger)	0.00%	0 / 16	0.00% covered (danger)	0.00%	0 / 1	42
get_files	0.00% covered (danger)	0.00%	0 / 18	0.00% covered (danger)	0.00%	0 / 1	42
escape_and_sanitize_field_label	66.67% covered (warning)	66.67%	2 / 3	0.00% covered (danger)	0.00%	0 / 1	2.15
add_theme_json_data_for_classic_themes	0.00% covered (danger)	0.00%	0 / 59	0.00% covered (danger)	0.00%	0 / 1	12
validate	90.00% covered (success)	90.00%	9 / 10	0.00% covered (danger)	0.00%	0 / 1	7.05
validate_ref	71.43% covered (warning)	71.43%	5 / 7	0.00% covered (danger)	0.00%	0 / 1	4.37
reset_errors	100.00% covered (success)	100.00%	4 / 4	100.00% covered (success)	100.00%	1 / 1	3
add_error	100.00% covered (success)	100.00%	5 / 5	100.00% covered (success)	100.00%	1 / 1	2
has_errors	100.00% covered (success)	100.00%	4 / 4	100.00% covered (success)	100.00%	1 / 1	3
get_error_messages	100.00% covered (success)	100.00%	4 / 4	100.00% covered (success)	100.00%	1 / 1	2
get_confirmation_type	100.00% covered (success)	100.00%	3 / 3	100.00% covered (success)	100.00%	1 / 1	2
get_disable_summary	100.00% covered (success)	100.00%	5 / 5	100.00% covered (success)	100.00%	1 / 1	3

1	<?php
2	/**
3	* Contact_Form class.
4	*
5	* @package automattic/jetpack-forms
6	*/
7
8	namespace Automattic\Jetpack\Forms\ContactForm;
9
10	use Automattic\Jetpack\Connection\Tokens;
11	use Automattic\Jetpack\Forms\Dashboard\Dashboard as Forms_Dashboard;
12	use Automattic\Jetpack\JWT;
13	use Automattic\Jetpack\Sync\Settings;
14	use PHPMailer\PHPMailer\PHPMailer;
15	use WP_Block;
16	use WP_Error;
17	use WP_Post;
18
19	// Load the Form_Submission_Error class.
20	require_once __DIR__ . '/class-form-submission-error.php';
21
22	if ( ! defined( 'ABSPATH' ) ) {
23	exit( 0 );
24	}
25
26	/**
27	* Class for the contact-form shortcode.
28	* Parses shortcode to output the contact form as HTML
29	* Sends email and stores the contact form response (a.k.a. "feedback")
30	*/
31	class Contact_Form extends Contact_Form_Shortcode {
32
33	/**
34	* The shortcode name.
35	*
36	* @var string
37	*/
38	public $shortcode_name = 'contact-form';
39
40	/**
41	* The custom post type for forms.
42	*
43	* @var string
44	*/
45	const POST_TYPE = 'jetpack_form';
46
47	/**
48	* Meta key for the source post ID.
49	*
50	* @var string
51	*/
52	const SOURCE_META_KEY = '_jetpack_forms_source_post_id';
53
54	/**
55	*
56	* Stores form submission errors.
57	*
58	* @var WP_Error
59	*/
60	public $errors;
61
62	/**
63	* The SHA1 hash of the attributes that comprise the form.
64	*
65	* @var string
66	*/
67	public $hash;
68
69	/**
70	* The most recent (inclusive) contact-form shortcode processed.
71	*
72	* @var Contact_Form\|null
73	*/
74	public static $last;
75
76	/**
77	* Form we are currently looking at. If processed, will become $last
78	*
79	* @var Contact_Form\|null
80	*/
81	public static $current_form;
82
83	/**
84	* All found forms, indexed by hash.
85	*
86	* @var array
87	*/
88	public static $forms = array();
89
90	/**
91	* The context for the forms, indexed by context.
92	* This is used to keep track of how many forms are in a specific context.
93	*
94	* @var array
95	*/
96	public static $forms_context = array();
97
98	/**
99	* Array of WP_Error objects that are keyed by form id.
100	*
101	* @var array
102	*/
103	public static $static_errors = array();
104
105	/**
106	* Whether to print the grunion.css style when processing the contact-form shortcode
107	*
108	* @var bool
109	*/
110	public static $style = false;
111
112	/**
113	* When printing the submit button, what tags are allowed
114	*
115	* @var array
116	*/
117	public static $allowed_html_tags_for_submit_button = array( 'br' => array() );
118
119	/**
120	* Whether to enable response without reloading the page.
121	*
122	* @var bool
123	*/
124	public $is_response_without_reload_enabled = true;
125
126	/**
127	* The current post object for this form.
128	*
129	* @var WP_Post\|null
130	*/
131	public $current_post;
132
133	/**
134	* Whether the form has a verified JWT token.
135	*
136	* @var bool
137	*/
138	public $has_verified_jwt = false;
139
140	/**
141	* The source of the feedback entry.
142	*
143	* @var Feedback_Source
144	*/
145	private $source;
146
147	/**
148	* The reference ID for the contact form.
149	*
150	* @var int\|null
151	*/
152	private static $ref_id = null;
153
154	/**
155	* Seen reference IDs for the contact form.
156	*
157	* @var array
158	*/
159	private static $seen_ref = array();
160
161	/**
162	* Set the reference ID for the contact form.
163	*
164	* @param int $ref_id The reference ID.
165	*/
166	public static function set_ref_id( $ref_id ) {
167	self::$ref_id = $ref_id;
168	self::$seen_ref[ $ref_id ] = true;
169	}
170
171	/**
172	* Clear the reference ID for the contact form.
173	*
174	* @param int $ref_id The reference ID to clear.
175	*/
176	public static function clear_ref_id( $ref_id ) {
177	self::$ref_id = null;
178	self::$seen_ref[ $ref_id ] = false;
179	}
180
181	/**
182	* Get the reference ID for the contact form.
183	*
184	* @return int\|null The reference ID.
185	*/
186	public static function get_ref_id() {
187	return self::$ref_id;
188	}
189
190	/**
191	* Check if the reference ID has been seen for the contact form.
192	*
193	* @param int $ref_id The reference ID.
194	* @return bool True if the reference ID has been seen, false otherwise.
195	*/
196	public static function has_seen( $ref_id ) {
197	return isset( self::$seen_ref[ $ref_id ] ) && self::$seen_ref[ $ref_id ];
198	}
199
200	/**
201	* Reset the seen reference IDs for the contact form.
202	*/
203	public static function reset_seen_refs() {
204	self::$seen_ref = array();
205	self::$ref_id = null;
206	}
207
208	/**
209	* Render a synced form by reference ID.
210	*
211	* This handles loading a form from a jetpack_form post and rendering it.
212	* Used by both the shortcode [contact-form ref="123"] and the block.
213	*
214	* @param int $ref_id The jetpack_form post ID.
215	* @return string Rendered form HTML.
216	*/
217	public static function render_synced_form( $ref_id ) {
218	// Circular reference prevention.
219	if ( self::has_seen( $ref_id ) ) {
220	return '';
221	}
222
223	// Load the jetpack_form post.
224	$synced_form = get_post( $ref_id );
225
226	// Validate post.
227	if ( ! $synced_form \|\| self::POST_TYPE !== $synced_form->post_type ) {
228	return '';
229	}
230
231	$status = $synced_form->post_status;
232
233	// Trashed forms are always hidden.
234	if ( 'trash' === $status ) {
235	return '';
236	}
237
238	// Published forms render normally for everyone.
239	if ( 'publish' === $status ) {
240	return self::render_synced_form_content( $ref_id, $synced_form );
241	}
242
243	// For non-published statuses (draft, pending, future, private), only show preview to users who can edit the form.
244	if ( ! current_user_can( 'edit_post', $ref_id ) ) {
245	return '';
246	}
247
248	// Render the form with a status notice for editors.
249	$notice = self::render_frontend_status_notice( $synced_form );
250	$form_content = self::render_synced_form_content( $ref_id, $synced_form );
251
252	return $notice . $form_content;
253	}
254
255	/**
256	* Render the actual form content for a synced form.
257	*
258	* @param int $ref_id The jetpack_form post ID.
259	* @param \WP_Post $synced_form The synced form post object.
260	* @return string Rendered form HTML.
261	*/
262	private static function render_synced_form_content( $ref_id, $synced_form ) {
263	if ( $ref_id === self::get_ref_id() ) {
264	return '';
265	}
266	// Mark as seen for circular reference prevention.
267	self::set_ref_id( $ref_id );
268	$output = '';
269	try {
270	// Parse and render blocks from post_content.
271	$blocks = parse_blocks( $synced_form->post_content );
272	foreach ( $blocks as $block ) {
273	$output .= render_block( $block );
274	}
275	} finally {
276	// Clean up.
277	self::clear_ref_id( $ref_id );
278	}
279	return $output;
280	}
281
282	/**
283	* Render a frontend status notice for non-published forms.
284	*
285	* @param \WP_Post $synced_form The synced form post object.
286	* @return string Notice HTML.
287	*/
288	private static function render_frontend_status_notice( $synced_form ) {
289	$status = $synced_form->post_status;
290
291	if ( 'publish' === $status \|\| 'private' === $status ) {
292	return '';
293	}
294
295	$status_config = array(
296	'draft' => array(
297	'type' => 'warning',
298	'message' => __( 'This form is a draft and is only visible to you. Publish it to make it visible to site visitors.', 'jetpack-forms' ),
299	),
300	'pending' => array(
301	'type' => 'warning',
302	'message' => __( 'This form is pending review and is only visible to you. It will be visible to site visitors once approved and published.', 'jetpack-forms' ),
303	),
304	'future' => array(
305	'type' => 'info',
306	'message' => sprintf(
307	/* translators: %s: scheduled publish date */
308	__( 'This form is scheduled for %s and is only visible to you until then.', 'jetpack-forms' ),
309	wp_date( get_option( 'date_format' ) . ' ' . get_option( 'time_format' ), get_post_time( 'U', true, $synced_form ) )
310	),
311	),
312	);
313
314	if ( ! isset( $status_config[ $status ] ) ) {
315	return '';
316	}
317
318	wp_enqueue_style( 'jetpack-form-status-notice' );
319
320	$config = $status_config[ $status ];
321	$type_class = 'info' === $config['type'] ? 'jetpack-form-status-notice--info' : 'jetpack-form-status-notice--warning';
322	$edit_url = get_edit_post_link( $synced_form->ID, 'raw' );
323	$edit_link = $edit_url ? sprintf(
324	' <a href="%s" class="jetpack-form-status-notice__edit-link">%s</a>',
325	esc_url( $edit_url ),
326	esc_html__( 'Edit form', 'jetpack-forms' )
327	) : '';
328
329	return sprintf(
330	'<div class="jetpack-form-status-notice %s"><p>%s%s</p></div>',
331	esc_attr( $type_class ),
332	esc_html( $config['message'] ),
333	$edit_link
334	);
335	}
336
337	/**
338	* Construction function.
339	*
340	* @param array $attributes - the attributes.
341	* @param string $content - the content.
342	* @param bool $set_id - whether to set the ID for the form.
343	*/
344	public function __construct( $attributes, $content = null, $set_id = true ) {
345	global $post, $page;
346
347	// AJAX requests don't have a post object, so we need to get the post object from the $_POST['contact-form-id']
348	$this->current_post = $post;
349
350	// phpcs:disable WordPress.Security.NonceVerification.Missing -- Nonce verification happens in process_form_submission() for logged-in users
351	if ( ! $this->current_post && isset( $_POST['contact-form-id'] ) ) {
352	$contact_form_id = sanitize_text_field( wp_unslash( $_POST['contact-form-id'] ) );
353	$this->current_post = get_post( $contact_form_id );
354	}
355	// phpcs:enable
356
357	$this->is_response_without_reload_enabled = apply_filters( 'jetpack_forms_enable_ajax_submission', true );
358
359	// Initialize the source before setting defaults
360	if ( ! $this->source ) {
361	$attributes = is_array( $attributes ) ? $attributes : array();
362	$this->source = Feedback_Source::get_current( $attributes );
363	}
364
365	// Set up the default subject and recipient for this form.
366	$post_author_id = self::get_post_property( $this->current_post, 'post_author' );
367	$default_to = self::get_default_to( $post_author_id, $this->source );
368	$default_subject = self::get_default_subject( $attributes, $this->current_post );
369
370	if ( ! isset( $attributes ) \|\| ! is_array( $attributes ) ) {
371	$attributes = array();
372	}
373
374	if ( $set_id ) {
375	$page_number = is_numeric( $page ) ? intval( $page ) : 1;
376	$attributes['id'] = self::compute_id( $attributes, $this->current_post, $page_number );
377	}
378	$this->hash = sha1(
379	wp_json_encode(
380	$attributes,
381	0 // phpcs:ignore Jetpack.Functions.JsonEncodeFlags.ZeroFound -- No `json_encode()` flags because we don't want to disrupt the current hash index.
382	)
383	);
384
385	if ( $set_id ) {
386	self::$forms[ $this->hash ] = $this; // This increments the form count.
387	self::increment_form_context_count( $attributes, $this->current_post );
388	}
389
390	// Keep reference to $this for parsing form fields.
391	self::$current_form = $this;
392
393	$this->defaults = array(
394	'to' => $default_to,
395	'subject' => $default_subject,
396	'show_subject' => 'no', // only used in back-compat mode
397	'widget' => 0, // Not exposed to the user. Works with Contact_Form_Plugin::widget_atts()
398	'block_template' => null, // Not exposed to the user. Works with template_loader
399	'block_template_part' => null, // Not exposed to the user. Works with Contact_Form::parse()
400	'id' => null, // Not exposed to the user. Set above.
401	'ref' => null, // Not exposed to the user. Set above if applicable.
402	'submit_button_text' => __( 'Submit', 'jetpack-forms' ),
403	// These attributes come from the block editor, so use camel case instead of snake case.
404	'customThankyou' => '', // Whether to show a custom thankyou response after submitting a form. '' for no, 'noSummary' to disable the summary, 'message' for a custom message, 'redirect' to redirect to a new URL. Deprecated.
405	'customThankyouHeading' => self::get_default_thank_you_heading(), // The text to show above customThankyouMessage.
406	'customThankyouMessage' => '', // The message to show when customThankyou is set to 'message'.
407	'customThankyouRedirect' => '', // The URL to redirect to when confirmationType is set to 'redirect'.
408	'confirmationType' => 'text', // The type of confirmation to show after submitting a form. 'text' for a text message, 'redirect' for a redirect link.
409	'jetpackCRM' => true, // Whether Jetpack CRM should store the form submission.
410	'mailpoet' => null,
411	'hostingerReach' => null,
412	'className' => null,
413	'postToUrl' => null,
414	'salesforceData' => null,
415	'hiddenFields' => null,
416	'stepTransition' => 'fade-slide', // The transition style for multi-step forms. Options: none, fade, slide, fade-slide
417	'saveResponses' => 'yes',
418	'emailNotifications' => 'yes',
419	'notificationRecipients' => array(), // Array of user IDs who should receive form response notifications.
420	'webhooks' => array(), // Array of webhooks to send the form data to.
421	'disableGoBack' => $attributes['disableGoBack'] ?? false,
422	'disableSummary' => $attributes['disableSummary'] ?? false,
423	'formTitle' => $attributes['formTitle'] ?? '',
424	);
425
426	$attributes = shortcode_atts( $this->defaults, $attributes, 'contact-form' );
427
428	// Transform boolean saveResponses to string for backend compatibility
429	if ( isset( $attributes['saveResponses'] ) && is_bool( $attributes['saveResponses'] ) ) {
430	$attributes['saveResponses'] = $attributes['saveResponses'] ? 'yes' : 'no';
431	}
432
433	// Transform boolean emailNotifications to string for backend compatibility
434	if ( isset( $attributes['emailNotifications'] ) && is_bool( $attributes['emailNotifications'] ) ) {
435	$attributes['emailNotifications'] = $attributes['emailNotifications'] ? 'yes' : 'no';
436	}
437
438	// We only enable the contact-field shortcode temporarily while processing the contact-form shortcode.
439	Contact_Form_Plugin::$using_contact_form_field = true;
440
441	parent::__construct( $attributes, $content );
442
443	// There were no fields in the contact form. The form was probably just [contact-form /]. Build a default form.
444	if ( empty( $this->fields ) ) {
445	// same as the original Grunion v1 form.
446	$default_form = '
447	[contact-field label="' . __( 'Name', 'jetpack-forms' ) . '" type="name" required="true" /]
448	[contact-field label="' . __( 'Email', 'jetpack-forms' ) . '" type="email" required="true" /]
449	[contact-field label="' . __( 'Website', 'jetpack-forms' ) . '" type="url" /]';
450
451	if ( 'yes' === strtolower( $this->get_attribute( 'show_subject' ) ) ) {
452	$default_form .= '
453	[contact-field label="' . __( 'Subject', 'jetpack-forms' ) . '" type="subject" /]';
454	}
455
456	$default_form .= '
457	[contact-field label="' . __( 'Message', 'jetpack-forms' ) . '" type="textarea" /]';
458
459	$this->parse_content( $default_form );
460	}
461
462	// $this->body and $this->fields have been setup. We no longer need the contact-field shortcode.
463	Contact_Form_Plugin::$using_contact_form_field = false;
464	}
465	/**
466	* Get the instance of the contact form from a JWT token.
467	*
468	* @param string $jwt_token The JWT token.
469	* @param bool $throw_exception Whether to throw an exception if the JWT token is invalid or cannot be decoded.
470	*
471	* @return Contact_Form\|null The contact form instance, or null if decoding fails and $throw_exception is false.
472	* @throws \Exception If the JWT token is invalid or cannot be decoded and $throw_exception is true.
473	*/
474	public static function get_instance_from_jwt( $jwt_token, $throw_exception = false ) {
475	$secret = self::get_secret();
476
477	// Derive separate keys using HKDF for proper key separation and context binding
478	$jwt_signing_key = hash_hkdf( 'sha256', $secret, 32, 'jetpack-forms-jwt-hmac-v2' );
479	$encryption_key = hash_hkdf( 'sha256', $secret, 32, 'jetpack-forms-aes-gcm-v2' );
480
481	try {
482	$data = JWT::decode( $jwt_token, $jwt_signing_key, array( 'HS256' ), true );
483	} catch ( \Exception $e ) {
484	try {
485	// Retry to decode the token using the secret key instead of the derived key
486	$data = JWT::decode( $jwt_token, $secret, array( 'HS256' ), true );
487	} catch ( \Exception $e ) {
488	// Re-throw with more context about the failure.
489	if ( $throw_exception ) {
490	/**
491	* Filter the failure to decode a JWT token for a contact form.
492	*
493	* @param null $value The value to return. Default null.
494	* @param string $jwt_token The JWT token that failed to decode.
495	* @param \Exception $e The exception that was thrown during decoding.
496	*
497	* @return Contact_Form\|null The value to return.
498	*/
499	$filtered = apply_filters( 'jetpack_forms_jwt_decode_failure', null, $jwt_token, $e );
500	if ( $filtered !== null ) {
501	return $filtered;
502	}
503	throw new \Exception(
504	sprintf(
505	/* translators: %s is the original exception message */
506	__( 'Failed to decode JWT token: %s', 'jetpack-forms' ),
507	$e->getMessage()
508	),
509	0,
510	$e
511	);
512	}
513	return apply_filters( 'jetpack_forms_jwt_decode_failure', null, $jwt_token, $e );
514	}
515	}
516
517	$version = isset( $data['version'] ) ? absint( $data['version'] ) : 1;
518
519	if ( 2 === $version ) {
520	if ( ! isset( $data['encrypted_attributes'] ) ) {
521	throw new \Exception( 'Invalid JWT format - encrypted attributes required' );
522	}
523
524	// phpcs:ignore WordPress.PHP.DiscouragedPHPFunctions.obfuscation_base64_decode -- Base64 decoding required for encrypted data
525	$encrypted_blob = base64_decode( $data['encrypted_attributes'], true ); // Strict mode
526	if ( $encrypted_blob === false ) {
527	throw new \Exception( 'Invalid base64 encoding in encrypted data' );
528	}
529
530	// Determine which cipher was used (stored in JWT or default to GCM)
531	$cipher = isset( $data['cipher'] ) ? $data['cipher'] : 'aes-256-gcm';
532
533	// Check if the cipher is available on this server
534	$available_cipher_methods = array_map( 'strtolower', openssl_get_cipher_methods() );
535	if ( ! in_array( strtolower( $cipher ), $available_cipher_methods, true ) ) {
536	throw new \Exception( 'Required encryption cipher ' . $cipher . ' is not available on this server' );
537	}
538
539	// Determine IV and tag sizes based on cipher
540	$is_gcm = stripos( $cipher, 'gcm' ) !== false;
541	if ( $is_gcm ) {
542	// GCM: 12-byte IV + 16-byte tag + ciphertext
543	if ( strlen( $encrypted_blob ) < 29 ) { // 12 + 16 + at least 1 byte
544	throw new \Exception( 'Invalid encrypted data format - too short for GCM' );
545	}
546	$iv = substr( $encrypted_blob, 0, 12 ); // 12-byte IV (96-bit)
547	$tag = substr( $encrypted_blob, 12, 16 ); // 16-byte auth tag
548	$encrypted = substr( $encrypted_blob, 28 ); // Remaining ciphertext
549	} else {
550	// CBC: 16-byte IV + ciphertext (no tag)
551	if ( strlen( $encrypted_blob ) < 17 ) { // 16 + at least 1 byte
552	throw new \Exception( 'Invalid encrypted data format - too short for CBC' );
553	}
554	$iv = substr( $encrypted_blob, 0, 16 ); // 16-byte IV (128-bit)
555	$tag = null; // No tag for CBC
556	$encrypted = substr( $encrypted_blob, 16 ); // Remaining ciphertext
557	}
558
559	$decrypted = openssl_decrypt(
560	$encrypted,
561	$cipher,
562	$encryption_key,
563	OPENSSL_RAW_DATA, // Expect raw binary data
564	$iv,
565	$tag ?? ''
566	);
567
568	if ( $decrypted === false ) {
569	throw new \Exception( 'Decryption failed - invalid token' );
570	}
571
572	$decrypted_attributes = json_decode( $decrypted, true );
573	if ( $decrypted_attributes === null ) {
574	throw new \Exception( 'Invalid attributes format' );
575	}
576
577	// Reconstruct data with decrypted attributes and unencrypted fields
578	$data['attributes'] = $decrypted_attributes;
579	// content, hash, and source are already in $data (unencrypted)
580	} elseif ( ! in_array( $version, array( 0, 1 ), true ) ) {
581	throw new \Exception( 'Unsupported JWT version' );
582	}
583
584	$source = $data['source'] ?? array();
585
586	if ( empty( $source ) ) {
587	// phpcs:ignore WordPress.Security.NonceVerification.Missing -- check done by caller process_form_submission()
588	$source_post_id = ! empty( $_POST['contact-form-id'] ) && is_numeric( $_POST['contact-form-id'] ) ? absint( wp_unslash( $_POST['contact-form-id'] ) ) : 0;
589	$post = get_post( $source_post_id );
590
591	if ( $post !== null && $source_post_id > 0 ) {
592	// create a fallback source
593	$source = array(
594	'source_id' => $post->ID,
595	'entry_title' => html_entity_decode( $post->post_title, ENT_QUOTES \| ENT_HTML5, 'UTF-8' ),
596	'entry_page' => 1,
597	'source_type' => 'single',
598	'request_url' => get_permalink( $post ),
599	);
600	}
601	}
602
603	$form = new self( $data['attributes'], $data['content'], empty( $data['attributes']['id'] ) );
604	$form->source = Feedback_Source::from_serialized( $source );
605	$form->hash = $data['hash'];
606	$form->has_verified_jwt = true;
607
608	return $form;
609	}
610
611	/**
612	* Set the source object for the contact form.
613	*
614	* @param Feedback_Source $source The source object.
615	*
616	* @return void
617	*/
618	public function set_source( $source ) {
619	$this->source = $source;
620	}
621
622	/**
623	* Get the context for the contact form based on the attributes and post.
624	*
625	* @param array $attributes The attributes of the contact form.
626	* @param WP_Post\|null $post The post object, if available.
627	*
628	* @return string The context for the contact form.
629	*/
630	public static function get_context( $attributes, $post = null ) {
631	$context = 'jp-form';
632	if ( ! empty( $attributes['widget'] ) && $attributes['widget'] ) {
633	$context = 'widget-' . $attributes['widget'];
634	} elseif ( ! empty( $attributes['block_template'] ) && $attributes['block_template'] ) {
635	$context = 'block-template-' . $attributes['block_template'];
636	} elseif ( ! empty( $attributes['block_template_part'] ) && $attributes['block_template_part'] ) {
637	$context = 'block-template-part-' . $attributes['block_template_part'];
638	} elseif ( $post instanceof WP_Post ) {
639	$context = (string) $post->ID;
640	}
641
642	return $context;
643	}
644
645	/**
646	* Increment the count of forms for a specific context.
647	*
648	* @param array $attributes The attributes of the contact form.
649	* @param WP_Post\|null $post The post object, if available.
650	*
651	* @return void
652	*/
653	public static function increment_form_context_count( $attributes, $post ) {
654	$context = self::get_context( $attributes, $post );
655	if ( ! isset( self::$forms_context[ $context ] ) ) {
656	self::$forms_context[ $context ] = 1;
657	return;
658	}
659	self::$forms_context[ $context ] = self::get_forms_context_count( $context ) + 1;
660	}
661
662	/**
663	* Register the jetpack_form custom post type.
664	*/
665	public static function register_post_type() {
666
667	$labels = array(
668	'name' => __( 'Forms', 'jetpack-forms' ),
669	'singular_name' => __( 'Form', 'jetpack-forms' ),
670	'add_new' => __( 'Add Form', 'jetpack-forms' ),
671	'add_new_item' => __( 'Add Form', 'jetpack-forms' ),
672	'new_item' => __( 'New Form', 'jetpack-forms' ),
673	'edit_item' => __( 'Edit Block Form', 'jetpack-forms' ),
674	'view_item' => __( 'View Form', 'jetpack-forms' ),
675	'view_items' => __( 'View Forms', 'jetpack-forms' ),
676	'all_items' => __( 'All Forms', 'jetpack-forms' ),
677	'search_items' => __( 'Search Forms', 'jetpack-forms' ),
678	'not_found' => __( 'No forms found.', 'jetpack-forms' ),
679	'not_found_in_trash' => __( 'No forms found in Trash.', 'jetpack-forms' ),
680	'filter_items_list' => __( 'Filter forms list', 'jetpack-forms' ),
681	'items_list_navigation' => __( 'Forms list navigation', 'jetpack-forms' ),
682	'items_list' => __( 'Forms list', 'jetpack-forms' ),
683	'item_published' => __( 'Form published.', 'jetpack-forms' ),
684	'item_published_privately' => __( 'Form published privately.', 'jetpack-forms' ),
685	'item_reverted_to_draft' => __( 'Form reverted to draft.', 'jetpack-forms' ),
686	'item_scheduled' => __( 'Form scheduled.', 'jetpack-forms' ),
687	'item_updated' => __( 'Form updated.', 'jetpack-forms' ),
688	);
689
690	$capabilities = array(
691	// You need to be able to edit posts, in order to read blocks in their raw form.
692	'read' => 'edit_posts',
693	// You need to be able to publish posts, in order to create blocks.
694	'create_posts' => 'publish_posts',
695	'edit_posts' => 'edit_posts',
696	'edit_published_posts' => 'edit_published_posts',
697	'delete_published_posts' => 'delete_published_posts',
698	// Enables trashing draft posts as well.
699	'delete_posts' => 'delete_posts',
700	'edit_others_posts' => 'edit_others_posts',
701	'delete_others_posts' => 'delete_others_posts',
702	);
703
704	$args = array(
705	'public' => false,
706	'show_ui' => true, // not sure we need this.
707	'show_in_menu' => false,
708	'rewrite' => false,
709	'query_var' => false,
710	'show_in_rest' => true,
711	'rest_base' => 'jetpack-forms',
712	'rest_controller_class' => 'Automattic\Jetpack\Forms\ContactForm\Jetpack_Form_Endpoint',
713	'capability_type' => 'post',
714	'capabilities' => $capabilities,
715	'map_meta_cap' => true,
716	'labels' => $labels,
717	'hierarchical' => false,
718	'template' => array( array( 'jetpack/contact-form' ) ),
719	'supports' => array(
720	'title',
721	'editor',
722	'revisions',
723	'author',
724	'custom-fields',
725	),
726	);
727
728	register_post_type( self::POST_TYPE, $args );
729
730	// Register post meta for tracking the source post that created this form.
731	register_post_meta(
732	self::POST_TYPE,
733	self::SOURCE_META_KEY,
734	array(
735	'type' => 'integer',
736	'single' => true,
737	'show_in_rest' => true,
738	'sanitize_callback' => 'absint',
739	'auth_callback' => function () {
740	return current_user_can( 'edit_posts' );
741	},
742	)
743	);
744	}
745
746	/**
747	* Get the count of forms.
748	*
749	* @return int The count of forms.
750	*/
751	public static function get_forms_count() {
752	return count( self::$forms );
753	}
754
755	/**
756	* Compute the ID for the contact form based on the attributes and post.
757	*
758	* @param array $attributes The attributes of the contact form.
759	* @param WP_Post\|null $post The post object, if available.
760	* @param int $page_number The page number, if available.
761	*
762	* @return string The ID for the contact form.
763	*/
764	public static function compute_id( $attributes, $post = null, $page_number = 1 ) {
765
766	$context = self::get_context( $attributes, $post );
767	$id_part = array( $context );
768
769	if ( self::get_forms_context_count( $context ) > 0 ) {
770	$id_part[] = self::get_forms_context_count( $context );
771	}
772
773	$page_num = max( 1, intval( $page_number ) );
774	if ( $page_num > 1 ) {
775	$id_part[] = $page_num;
776	}
777
778	return implode( '-', $id_part );
779	}
780
781	/**
782	* Helper function to get the secret from the Tokens class.
783	*
784	* @return string The secret from the Tokens class, or a default secret if not available.
785	*/
786	private static function get_secret() {
787
788	/**
789	* Filter the secret used for signing contact form JWT tokens.
790	*
791	* @param string $secret Passes a empty string by default so that we can fall back to other methods if the filter is not used.
792	*
793	* @return string The secret used for signing contact form JWT tokens.
794	*/
795	$secret = apply_filters( 'jetpack_forms_secret_jwt', '' );
796	if ( is_string( $secret ) && ! empty( $secret ) ) {
797	return $secret;
798	}
799
800	$token = ( new Tokens() )->get_access_token();
801
802	if ( ! empty( $token->secret ) ) {
803	return $token->secret;
804	}
805
806	$secret = get_option( 'jetpack_forms_secret_key', false );
807	if ( empty( $secret ) ) {
808	// Generate a fallback secret if we don't have one from Tokens.
809	$secret = wp_generate_password( 64, true, true );
810	update_option( 'jetpack_forms_secret_key', $secret );
811	}
812
813	return $secret;
814	}
815
816	/**
817	* Get the default thank you heading with conditional sparkle.
818	*
819	* Returns the new copy with sparkle emoji if translated, otherwise
820	* falls back to the old copy without sparkle.
821	*
822	* TEMPORARY: This method can be removed once the new copy has been translated.
823	* Replace the call with: __( 'Thank you for your response.', 'jetpack-forms' ) . ' ✨'
824	*
825	* @return string The translated heading.
826	*/
827	private static function get_default_thank_you_heading() {
828	// English locales always get the new copy with sparkle.
829	if ( str_starts_with( get_locale(), 'en' ) ) {
830	return __( 'Thank you for your response.', 'jetpack-forms' ) . ' ✨';
831	}
832
833	// Check if new string has a translation by comparing with the original.
834	$original = 'Thank you for your response.';
835	$translated = __( 'Thank you for your response.', 'jetpack-forms' );
836
837	if ( $translated !== $original ) {
838	return $translated . ' ✨';
839	}
840
841	// Fall back to old string without sparkle.
842	return __( 'Your message has been sent', 'jetpack-forms' );
843	}
844
845	/**
846	* Helper function to get the attributes of the contact form.
847	*
848	* @return array The attributes of the contact form.
849	*/
850	public function get_attributes() {
851	return $this->attributes;
852	}
853
854	/**
855	* Get the JWT token for the contact form instance.
856	*
857	* @return string The JWT token.
858	* @throws \Exception If encryption fails.
859	*/
860	public function get_jwt() {
861	$secret = self::get_secret();
862
863	// Derive separate keys using HKDF for proper key separation and context binding
864	$jwt_signing_key = hash_hkdf( 'sha256', $secret, 32, 'jetpack-forms-jwt-hmac-v2' );
865	$encryption_key = hash_hkdf( 'sha256', $secret, 32, 'jetpack-forms-aes-gcm-v2' );
866
867	$attributes = $this->attributes;
868	$this->source = Feedback_Source::get_current( $attributes );
869
870	// Only encrypt the attributes field as it contains sensitive information
871	// Content, hash, and source are not sensitive and can remain unencrypted
872
873	// Check cipher availability with fallback support
874	$available_cipher_methods = openssl_get_cipher_methods();
875	$cipher = null;
876	$cipher_fallback = null;
877	$use_encryption = false;
878	$iv_length = 12; // Default for GCM
879
880	// Try to find AES-256-GCM first (case-insensitive search)
881	foreach ( $available_cipher_methods as $method ) {
882	if ( strtolower( $method ) === 'aes-256-gcm' ) {
883	$cipher = $method; // Use the actual name with original casing
884	$use_encryption = true;
885	// IV length already set to 12 (NIST recommended for AES-GCM)
886	break;
887	}
888	// If AES-256-GCM not found, try fallback to AES-256-CBC
889	if ( strtolower( $method ) === 'aes-256-cbc' ) {
890	$cipher_fallback = $method; // Use the actual name with original casing
891	$use_encryption = true;
892	}
893	}
894
895	// Use the fallback cipher if the primary cipher is not available.
896	if ( $cipher === null && $cipher_fallback !== null ) {
897	$cipher = $cipher_fallback;
898	$iv_length = 16; // 16-byte (128-bit) IV for AES-CBC
899	}
900
901	// Lazy fallback payload in case encryption fails or is unavailable.
902	$unencrypted_payload = array(
903	'attributes' => $attributes,
904	'content' => $this->content,
905	'hash' => $this->hash,
906	'source' => $this->source->serialize(),
907	// No version field = version 1 (unencrypted)
908	);
909
910	if ( $use_encryption ) {
911	$iv = random_bytes( $iv_length );
912	$tag = ''; // Will be populated by openssl_encrypt for GCM
913	$encrypted = openssl_encrypt(
914	wp_json_encode(
915	$attributes,
916	JSON_UNESCAPED_SLASHES
917	),
918	$cipher,
919	$encryption_key,
920	OPENSSL_RAW_DATA, // Return raw binary data, not base64
921	$iv,
922	$tag
923	);
924
925	if ( $encrypted === false ) {
926	do_action( 'jetpack_forms_log', 'jwt_encryption_failed', openssl_error_string() );
927	return JWT::encode( $unencrypted_payload, $jwt_signing_key );
928	}
929	// For GCM, include the authentication tag; for CBC, tag will be empty
930	$encrypted_blob = stripos( $cipher, 'GCM' ) !== false ? $iv . $tag . $encrypted : $iv . $encrypted;
931
932	return JWT::encode(
933	array(
934	'encrypted_attributes' => base64_encode( $encrypted_blob ), // phpcs:ignore WordPress.PHP.DiscouragedPHPFunctions.obfuscation_base64_encode -- Base64 encoding required for encrypted data storage
935	'content' => $this->content,
936	'hash' => $this->hash,
937	'source' => $this->source->serialize(),
938	'version' => 2,
939	'cipher' => $cipher, // Store which cipher was used
940	),
941	$jwt_signing_key
942	);
943	}
944
945	// No encryption available - fall back to version 1 format (unencrypted)
946	return JWT::encode( $unencrypted_payload, $jwt_signing_key );
947	}
948
949	/**
950	* Get the current source obejct. That is relevent to the form and there current request.
951	*
952	* @return Feedback_Source Return the current feedback source object.
953	*/
954	public function get_source() {
955	if ( ! $this->source ) {
956	$attributes = $this->attributes;
957	$this->source = Feedback_Source::get_current( $attributes );
958	}
959	return $this->source;
960	}
961
962	/**
963	* Get the count of forms.
964	*
965	* @param string $context The context for which to get the count of forms.
966	*
967	* @return int The count of forms.
968	*/
969	public static function get_forms_context_count( $context ) {
970	if ( ! isset( self::$forms_context[ $context ] ) ) {
971	self::$forms_context[ $context ] = 0;
972	return 0;
973	}
974
975	return self::$forms_context[ $context ];
976	}
977
978	/**
979	* Get the default recipient email address for the contact form.
980	*
981	* @param int\|null $post_author_id The ID of the post author. If provided, will return the author's email.
982	* @param Feedback_Source\|null $source The source of the feedback entry. Optional, not used currently.
983	*
984	* @return string The default recipient email address.
985	*/
986	public static function get_default_to( $post_author_id = null, $source = null ) {
987	// Get the default recipient email address.
988	$default_to = get_option( 'admin_email' );
989	// Check that the user has edit permissions for this blog and has an email address
990	if ( ! $post_author_id ) {
991	return $default_to;
992	}
993
994	// Check that source is of type Feedback_Source
995	if ( ! $source instanceof Feedback_Source ) {
996	return $default_to;
997	}
998
999	if ( absint( $source->get_id() ) === 0 ) {
1000	return $default_to;
1001	}
1002
1003	$post = get_post( $source->get_id() );
1004	if ( ! $post ) {
1005	return $default_to;
1006	}
1007
1008	return self::get_default_to_for_editor( $post );
1009	}
1010
1011	/**
1012	* Get the default recipient email address for the contact form based on post data.
1013	*
1014	* This is used when we load the post or page in the editor, and we don't have the post author ID directly.
1015	*
1016	* @param mixed\|null $post Optional post data (object or array).
1017	*
1018	* @return string The default recipient email address.
1019	*/
1020	public static function get_default_to_for_editor( $post = null ) {
1021	$default_to = get_option( 'admin_email' );
1022
1023	if ( empty( $post ) ) {
1024	return $default_to;
1025	}
1026
1027	$post_author_id = self::get_post_property( $post, 'post_author' );
1028	$post_id = self::get_post_property( $post, 'ID' );
1029	$post_author = get_user( $post_author_id );
1030
1031	// Check that the user has edit permissions for this blog and has an email address
1032	if ( empty( $post_author ) \|\| empty( $post_author->user_email ) ) {
1033	return $default_to;
1034	}
1035
1036	// Check that the user is still a member of the blog.
1037	if ( ! is_user_member_of_blog( $post_author_id ) ) {
1038	return $default_to;
1039	}
1040
1041	// Check that the author can still edit the post or page.
1042	if ( user_can( $post_author_id, 'edit_post', $post_id ) ) {
1043	return $post_author->user_email;
1044	}
1045
1046	return $default_to;
1047	}
1048
1049	/**
1050	* Safely get a property from post data (object or array).
1051	*
1052	* @param mixed $post_data Post data (object or array).
1053	* @param string $property Property name to get.
1054	*
1055	* @return mixed\|null The property value or null if not found.
1056	*/
1057	public static function get_post_property( $post_data, $property ) {
1058	if ( ! $post_data ) {
1059	return null;
1060	}
1061
1062	if ( is_object( $post_data ) && isset( $post_data->$property ) ) {
1063	return $post_data->$property;
1064	} elseif ( is_array( $post_data ) && isset( $post_data[ $property ] ) ) {
1065	return $post_data[ $property ];
1066	}
1067
1068	return null;
1069	}
1070
1071	/**
1072	* Get the default subject for the contact form.
1073	*
1074	* @param array $attributes The attributes of the contact form.
1075	* @param mixed $post_data Optional post data (object or array).
1076	*
1077	* @return string The default subject for the contact form.
1078	*/
1079	public static function get_default_subject( $attributes, $post_data = null ) {
1080	global $post;
1081	// Get the default subject for the contact form.
1082	$default_subject = '[' . get_option( 'blogname' ) . ']';
1083
1084	// Get post title safely
1085	$post_title = self::get_post_property( $post_data, 'post_title' );
1086
1087	if ( ! $post_title && $post ) {
1088	$post_title = self::get_post_property( $post, 'post_title' );
1089	}
1090
1091	if ( $post_title ) {
1092	$default_subject = sprintf(
1093	// translators: the blog name and post title.
1094	_x( '%1$s %2$s', '%1$s = blog name, %2$s = post title', 'jetpack-forms' ),
1095	$default_subject,
1096	Contact_Form_Plugin::strip_tags( $post_title )
1097	);
1098	}
1099
1100	if ( ! empty( $attributes['widget'] ) && $attributes['widget'] ) {
1101	// translators: '%1$s the blog name
1102	$default_subject = sprintf( _x( '%1$s Sidebar', '%1$s = blog name', 'jetpack-forms' ), $default_subject );
1103	}
1104
1105	return $default_subject;
1106	}
1107
1108	/**
1109	* Store shortcode content for recall later
1110	* - used to receate shortcode when user uses do_shortcode
1111	*
1112	* @deprecated 5.0.0
1113	*/
1114	public static function store_shortcode() {
1115	_deprecated_function( __METHOD__, '5.0.0', 'Contact_Form_Plugin::store_shortcode()' );
1116	}
1117
1118	/**
1119	* Toggle for printing the grunion.css stylesheet
1120	*
1121	* @param bool $style - the CSS style.
1122	*
1123	* @return bool
1124	*/
1125	public static function style( $style ) {
1126	$previous_style = self::$style;
1127	self::$style = (bool) $style;
1128	return $previous_style;
1129	}
1130
1131	/**
1132	* Turn on printing of grunion.css stylesheet
1133	*
1134	* @see ::style()
1135	*
1136	* @return bool
1137	*/
1138	public static function style_on() {
1139	return self::style( true );
1140	}
1141	/**
1142	* Adds a quick link to the admin bar for the contact form entries.
1143	*
1144	* @param \WP_Admin_Bar $admin_bar The admin bar object.
1145	*/
1146	public static function add_quick_link_to_admin_bar( \WP_Admin_Bar $admin_bar ) {
1147
1148	if ( ! current_user_can( 'edit_pages' ) ) {
1149	return;
1150	}
1151
1152	$url = Forms_Dashboard::get_forms_admin_url();
1153
1154	$icon = '<svg class="ab-icon" style="top: 2px; width: 20px; height: 20px; fill: currentColor;" viewBox="0 0 24 24" xmlns="http://www.w3.org/2000/svg"><path d="m13 7.5 h 5 v 1.5 h -5 v -1.5z"/><path d="m13 15 h 5 v 1.5 h -5 v -1.5z"/><path d="m19.01,3H4.99c-1.1,0-1.99.89-1.99,1.99v14.02c0,1.1.89,1.99,1.99,1.99h14.02c1.1,0,1.99-.89,1.99-1.99V4.99c0-1.1-.89-1.99-1.99-1.99Zm.49,15.99c0,.28-.23.51-.51.51H5.01c-.28,0-.51-.23-.51-.51V5.01c0-.28.23-.51.51-.51h13.98c.28,0,.51.23.51.51v13.98Z"/><path d="m9.46,13h-1.92c-.85,0-1.54.69-1.54,1.54v1.92c0,.85.69,1.54,1.54,1.54h1.92c.85,0,1.54-.69,1.54-1.54v-1.92c0-.85-.69-1.54-1.54-1.54Zm.04,3.5h-2v-2h2v2Z"/><path d="m9.46,6h-1.92c-.85,0-1.54.69-1.54,1.54v1.92c0,.85.69,1.54,1.54,1.54h1.92c.85,0,1.54-.69,1.54-1.54v-1.92c0-.85-.69-1.54-1.54-1.54Zm.04,3.5h-2v-2h2v2Z"/></svg>';
1155
1156	$admin_bar->add_menu(
1157	array(
1158	'id' => 'jetpack-forms',
1159	'parent' => null,
1160	'group' => null,
1161	'title' => $icon . '<span class="ab-label">' . esc_html__( 'Form Responses', 'jetpack-forms' ) . '</span>',
1162	'href' => $url,
1163	'meta' => array(
1164	'title' => esc_attr__( 'View form responses from this page', 'jetpack-forms' ),
1165	),
1166	)
1167	);
1168	}
1169
1170	/**
1171	* The contact-form shortcode processor
1172	*
1173	* @param array $attributes Key => Value pairs as parsed by shortcode_parse_atts().
1174	* @param string\|null $content The shortcode's inner content: [contact-form]$content[/contact-form].
1175	* @param array $context An array of context data for the form.
1176	*
1177	* @return string HTML for the concat form.
1178	*/
1179	public static function parse( $attributes, $content, $context = array() ) {
1180	global $post, $page, $multipage; // $page is used in the contact-form submission redirect
1181	if ( Settings::is_syncing() ) {
1182	return '';
1183	}
1184
1185	// Handle ref attribute - load form from jetpack_form post
1186	if ( is_array( $attributes ) && isset( $attributes['ref'] ) ) {
1187	$ref_id = absint( $attributes['ref'] );
1188	if ( $ref_id > 0 ) {
1189	return self::render_synced_form( $ref_id );
1190	} else {
1191	return '';
1192	}
1193	}
1194
1195	if ( isset( $GLOBALS['grunion_block_template_part_id'] ) ) {
1196	self::style_on();
1197	if ( is_array( $attributes ) ) {
1198	$attributes['block_template_part'] = $GLOBALS['grunion_block_template_part_id'];
1199	}
1200	}
1201
1202	if ( is_singular() ) {
1203	add_action( 'admin_bar_menu', array( __CLASS__, 'add_quick_link_to_admin_bar' ), 100 ); // We use priority 100 so that the link that is added gets added after the "Edit Page" link.
1204	}
1205	$plugin = Contact_Form_Plugin::init();
1206	$attributes['widget'] = $plugin->get_current_widget_context();
1207	// Create a new Contact_Form object (this class)
1208	if ( self::$ref_id ) {
1209	$attributes['ref'] = self::$ref_id;
1210	}
1211
1212	$form = new Contact_Form( $attributes, $content );
1213	Contact_Form_Plugin::reset_step();
1214
1215	$id = $form->get_attribute( 'id' );
1216
1217	if ( ! $id ) { // something terrible has happened
1218	return '[contact-form]';
1219	}
1220
1221	if ( is_feed() ) {
1222	return '[contact-form]';
1223	}
1224
1225	self::$last = $form;
1226
1227	// Enqueue the grunion.css stylesheet if self::$style allows it
1228	if ( self::$style && ( empty( $_REQUEST['action'] ) \|\| $_REQUEST['action'] !== 'grunion_shortcode_to_json' ) ) {
1229	// Enqueue the style here instead of printing it, because if some other plugin has run the_post()+rewind_posts(),
1230	// (like VideoPress does), the style tag gets "printed" the first time and discarded, leaving the contact form unstyled.
1231	// when WordPress does the real loop.
1232	wp_enqueue_style( 'grunion.css' );
1233	wp_enqueue_script( 'accessible-form' );
1234	}
1235
1236	$version = \JETPACK__VERSION;
1237
1238	// Extra cache busting strategy for view.js, seems they are left out of cache clearing on deploys
1239	$asset_file = plugin_dir_path( __FILE__ ) . 'dist/modules/form/view.asset.php';
1240	$asset = file_exists( $asset_file ) ? require $asset_file : null;
1241
1242	if ( $asset && isset( $asset['version'] ) ) {
1243	$version = $asset['version'];
1244	}
1245
1246	$config = array(
1247	'error_types' => array(
1248	'is_required' => __( 'This field is required.', 'jetpack-forms' ),
1249	'invalid_form_empty' => __( 'The form you are trying to submit is empty.', 'jetpack-forms' ),
1250	'invalid_form' => __( 'Please fill out the form correctly.', 'jetpack-forms' ),
1251	'network_error' => __( 'Connection issue while submitting the form. Check that you are connected to the Internet and try again.', 'jetpack-forms' ),
1252	'preview_mode' => __( 'Form submissions are disabled in preview mode.', 'jetpack-forms' ),
1253	),
1254	'admin_ajax_url' => admin_url( 'admin-ajax.php' ),
1255	);
1256	wp_interactivity_config( 'jetpack/form', $config );
1257	\wp_enqueue_script_module(
1258	'jp-forms-view',
1259	plugins_url( 'dist/modules/form/view.js', dirname( __DIR__ ) ),
1260	array( '@wordpress/interactivity' ),
1261	$version
1262	);
1263
1264	$is_single_input_form = is_array( $form->fields ) && count( $form->fields ) === 1;
1265	$is_flex_layout = isset( $attributes['layout']['type'] ) && $attributes['layout']['type'] === 'flex';
1266	$is_nowrap_layout = isset( $attributes['layout']['flexWrap'] ) && $attributes['layout']['flexWrap'] === 'nowrap';
1267	$is_forced_horizontal = $is_flex_layout && $is_nowrap_layout
1268	&& ( ! isset( $attributes['layout']['orientation'] ) \|\| $attributes['layout']['orientation'] === 'horizontal' );
1269
1270	$extra_container_classes = array();
1271	if ( $is_forced_horizontal ) {
1272	$extra_container_classes[] = 'is-forced-horizontal-form';
1273	}
1274	if ( $is_single_input_form ) {
1275	$extra_container_classes[] = 'is-single-input-form';
1276	}
1277	$container_classes_string = self::get_block_container_classes( $attributes, $extra_container_classes );
1278
1279	$is_reload_after_success = isset( $_GET['contact-form-id'] )
1280	&& (int) $_GET['contact-form-id'] === (int) self::$last->get_attribute( 'id' )
1281	&& isset( $_GET['contact-form-sent'] )
1282	&& isset( $_GET['contact-form-hash'] )
1283	&& is_string( $_GET['contact-form-hash'] )
1284	&& hash_equals( $form->hash, wp_unslash( $_GET['contact-form-hash'] ) ); // phpcs:ignore WordPress.Security.NonceVerification.Recommended
1285
1286	$feedback_id = 0;
1287	$is_reload_nonce_valid = false;
1288
1289	if ( $is_reload_after_success ) {
1290	$feedback_id = (int) $_GET['contact-form-sent'];
1291	$is_reload_nonce_valid = isset( $_GET['_wpnonce'] )
1292	&& wp_verify_nonce( sanitize_key( wp_unslash( $_GET['_wpnonce'] ) ), "contact-form-sent-{$feedback_id}" );
1293	}
1294
1295	$max_steps = 0;
1296	if ( preg_match_all( '/data-wp-context=[\'"]?{"step":(\d+)}[\'"]?/', $content, $matches ) ) {
1297	if ( ! empty( $matches[1] ) ) {
1298	$max_steps = max( array_map( 'intval', $matches[1] ) );
1299	}
1300	}
1301
1302	$is_multistep = $max_steps > 0;
1303	$element_id = 'jp-form-' . esc_attr( $form->hash );
1304
1305	// Initial data used to render the success message when the page is reloaded after a successful submission
1306	// Don't show the feedback details unless the nonce matches
1307	$submission_data = null;
1308
1309	if ( $is_reload_after_success && $is_reload_nonce_valid ) {
1310	$response = Feedback::get( (int) $_GET['contact-form-sent'] );
1311
1312	if ( $response ) {
1313	$submission_data = $response->get_compiled_fields( 'web', 'collection' );
1314	}
1315	}
1316
1317	$formatted_submission_data = $submission_data ? self::format_submission_data( $submission_data ) : array();
1318	$submission_success = $form->is_response_without_reload_enabled && $is_reload_after_success;
1319	$has_custom_redirect = $form->has_custom_redirect();
1320
1321	$default_context = array(
1322	'formId' => $id,
1323	'formHash' => $form->hash,
1324	'showErrors' => $form->has_errors(), // We toggle this to true when we want to show the user errors right away.
1325	'errors' => array(), // This should be a associative array.
1326	'fields' => array(),
1327	'isMultiStep' => $is_multistep, // Whether the form is a multistep form.
1328	'useAjax' => $form->is_response_without_reload_enabled && ! $has_custom_redirect,
1329	'submissionData' => $submission_data,
1330	'formattedSubmissionData' => $formatted_submission_data,
1331	'submissionSuccess' => $submission_success,
1332	'submissionError' => null,
1333	'elementId' => $element_id,
1334	'isSingleInputForm' => $is_single_input_form,
1335	'isForcedHorizontal' => $is_forced_horizontal,
1336	);
1337
1338	if ( $is_multistep ) {
1339	$multistep_context = array(
1340	'currentStep' => isset( $_GET[ $id . '-step' ] ) ? absint( $_GET[ $id . '-step' ] ) : 1, // phpcs:ignore WordPress.Security.NonceVerification.Recommended
1341	'maxSteps' => $max_steps,
1342	'direction' => 'forward', // Default direction for animations
1343	'transition' => $form->get_attribute( 'stepTransition' ) ? $form->get_attribute( 'stepTransition' ) : 'fade-slide', // Transition style for step animations
1344	);
1345
1346	if ( ! is_array( $context ) ) {
1347	$context = array();
1348	}
1349	$context = array_merge( $context, $multistep_context );
1350	}
1351
1352	$context = is_array( $context ) ? array_merge( $default_context, $context ) : $default_context;
1353
1354	$r = '';
1355	$r .= "<div data-test='contact-form'
1356	id='contact-form-$id'
1357	class='{$container_classes_string}'
1358	data-wp-interactive='jetpack/form' " . wp_interactivity_data_wp_context( $context ) . "
1359	data-wp-watch--scroll-to-wrapper=\"callbacks.scrollToWrapper\"
1360	>\n";
1361
1362	if ( $form->is_response_without_reload_enabled ) {
1363	$r .= self::render_ajax_success_wrapper( $form, $submission_success, $formatted_submission_data );
1364	}
1365
1366	if ( $form->has_errors() ) {
1367	// There are errors. Display them
1368	$r .= "<div class='form-error'>\n<h3>" . __( 'Error!', 'jetpack-forms' ) . "</h3>\n<ul class='form-errors'>\n";
1369	foreach ( $form->get_error_messages() as $message ) {
1370	$r .= "\t<li class='form-error-message'>" . esc_html( $message ) . "</li>\n";
1371	}
1372	$r .= "</ul>\n</div>\n\n";
1373	}
1374
1375	if ( $is_reload_after_success && $form->is_response_without_reload_enabled ) {
1376	$r .= '<noscript>';
1377	$r .= self::render_noscript_success_message( $is_reload_nonce_valid, $feedback_id, $form );
1378	$r .= '</noscript>';
1379	}
1380
1381	if ( $is_reload_after_success && ! $form->is_response_without_reload_enabled ) {
1382	// The contact form was submitted. Show the success message/results.
1383	$r .= self::render_noscript_success_message( $is_reload_nonce_valid, $feedback_id, $form );
1384	} else {
1385	// Nothing special - show the normal contact form
1386	if ( $form->get_attribute( 'widget' )
1387	\|\| $form->get_attribute( 'block_template' )
1388	\|\| $form->get_attribute( 'block_template_part' ) ) {
1389	// Submit form to the current URL
1390	$url = remove_query_arg( array( 'contact-form-id', 'contact-form-sent', 'action', '_wpnonce' ) );
1391	} else {
1392	// Submit form to the post permalink
1393	$url = get_permalink();
1394	if ( $multipage && $page ) {
1395	$url = add_query_arg( 'page', $page, $url );
1396	}
1397	}
1398
1399	// For SSL/TLS page. See RFC 3986 Section 4.2
1400	$url = set_url_scheme( $url );
1401
1402	// May eventually want to send this to admin-post.php...
1403	/**
1404	* Filter the contact form action URL.
1405	*
1406	* @module contact-form
1407	*
1408	* @since 1.3.1
1409	*
1410	* @param string $contact_form_id Contact form post URL.
1411	* @param $post $GLOBALS['post'] Post global variable.
1412	* @param int $id Contact Form ID.
1413	*/
1414	$url = apply_filters( 'grunion_contact_form_form_action', $url, $GLOBALS['post'], $id, $page );
1415	$has_submit_button_block = str_contains( $content, 'wp-block-jetpack-button' ) \|\| str_contains( $content, 'wp-block-button' );
1416	$form_classes = 'contact-form commentsblock jetpack-contact-form__form';
1417	if ( $submission_success ) {
1418	$form_classes .= ' submission-success';
1419	}
1420
1421	if ( isset( $attributes['layout'] ) ) {
1422	$form_classes .= ' has-jetpack-form-layout';
1423	} else {
1424	$form_classes .= ' has-no-jetpack-form-layout';
1425	}
1426
1427	$post_title = $post->post_title ?? '';
1428	$form_accessible_name = ! empty( $attributes['formTitle'] ) ? $attributes['formTitle'] : $post_title;
1429	$form_aria_label = isset( $form_accessible_name ) && ! empty( $form_accessible_name ) ? 'aria-label="' . esc_attr( $form_accessible_name ) . '"' : '';
1430
1431	$r .= "<form action='" . esc_url( $url ) . "'
1432	id='" . $element_id . "'
1433	method='post'
1434	class='" . esc_attr( $form_classes ) . "' $form_aria_label
1435	data-wp-on--submit=\"actions.onFormSubmit\"
1436	data-wp-on--reset=\"actions.onFormReset\"
1437	data-wp-class--submission-success=\"context.submissionSuccess\"
1438	data-wp-class--is-first-step=\"state.isFirstStep\"
1439	data-wp-class--is-last-step=\"state.isLastStep\"
1440	data-wp-class--is-ajax-form=\"context.useAjax\"
1441	novalidate >\n";
1442
1443	if ( $is_multistep ) { // This makes the "enter" key work in multi-step forms as expected.
1444	$r .= '<input type="submit" style="display: none;" />';
1445	}
1446	$r .= "<input type='hidden' name='jetpack_contact_form_jwt' value='" . esc_attr( $form->get_jwt() ) . "' />\n";
1447	$r .= $form->body;
1448
1449	if ( $is_multistep ) {
1450	$r = preg_replace( '/<div class="wp-block-jetpack-form-step-navigation__wrapper/', self::render_error_wrapper() . ' <div class="wp-block-jetpack-form-step-navigation__wrapper', $r, 1 );
1451	} elseif ( $has_submit_button_block ) {
1452	$r = self::prepare_submit_button( $r );
1453	// Place the error wrapper before the FIRST button block only to avoid duplicates (e.g., navigation buttons in multistep forms).
1454	// Replace only the first occurrence of a wp-block-jetpack-button prepending it with the error wrapper.
1455	// Fallback with same strategy for new core button blocks.
1456	if ( $is_forced_horizontal \|\| $is_single_input_form ) {
1457	// When user forced a horizontal layout, place the error wrapper
1458	// after the form body.
1459	$r .= self::render_error_wrapper( 'is-horizontal' );
1460	} else {
1461	// Place the error wrapper before the FIRST button block only to avoid duplicates (e.g., navigation buttons in multistep forms).
1462	// Replace only the first occurrence.
1463	$r = preg_replace( '/<div class="wp-block-jetpack-button/', self::render_error_wrapper() . ' <div class="wp-block-jetpack-button', $r, 1 );
1464	if ( str_contains( $r, 'wp-block-button' ) ) {
1465	$r = preg_replace( '/<div class="wp-block-button/', self::render_error_wrapper() . ' <div class="wp-block-button', $r, 1 );
1466	}
1467	}
1468	}
1469
1470	// In new versions of the contact form block the button is an inner block
1471	// so the button does not need to be constructed server-side.
1472	if ( ! $has_submit_button_block ) {
1473	$r .= "\t<p class='contact-submit'>\n";
1474
1475	$gutenberg_submit_button_classes = '';
1476	if ( ! empty( $attributes['submitButtonClasses'] ) ) {
1477	$gutenberg_submit_button_classes = ' ' . $attributes['submitButtonClasses'];
1478	}
1479
1480	/**
1481	* Filter the contact form submit button class attribute.
1482	*
1483	* @module contact-form
1484	*
1485	* @since 6.6.0
1486	*
1487	* @param string $class Additional CSS classes for button attribute.
1488	*/
1489	$submit_button_class = apply_filters( 'jetpack_contact_form_submit_button_class', 'pushbutton-wide' . $gutenberg_submit_button_classes );
1490
1491	$submit_button_styles = '';
1492	if ( ! empty( $attributes['customBackgroundButtonColor'] ) ) {
1493	$submit_button_styles .= 'background-color: ' . $attributes['customBackgroundButtonColor'] . '; ';
1494	}
1495	if ( ! empty( $attributes['customTextButtonColor'] ) ) {
1496	$submit_button_styles .= 'color: ' . $attributes['customTextButtonColor'] . ';';
1497	}
1498	if ( ! empty( $attributes['submitButtonText'] ) ) {
1499	$submit_button_text = $attributes['submitButtonText'];
1500	} else {
1501	$submit_button_text = $form->get_attribute( 'submit_button_text' );
1502	}
1503
1504	$r .= self::render_error_wrapper();
1505	$r .= "\t\t<button type='submit' class='" . esc_attr( $submit_button_class ) . "'";
1506	if ( ! empty( $submit_button_styles ) ) {
1507	$r .= " style='" . esc_attr( $submit_button_styles ) . "'";
1508	}
1509	$r .= '>';
1510	$r .= wp_kses(
1511	$submit_button_text,
1512	self::$allowed_html_tags_for_submit_button
1513	) . '</button>';
1514	}
1515
1516	if ( is_user_logged_in() ) {
1517	$r .= "\t\t" . wp_nonce_field( 'contact-form_' . $id, '_wpnonce', true, false ) . "\n"; // nonce and referer
1518	}
1519
1520	if ( isset( $attributes['hasFormSettingsSet'] ) && $attributes['hasFormSettingsSet'] ) {
1521	$r .= "\t\t<input type='hidden' name='is_block' value='1' />\n";
1522	}
1523	$r .= "\t\t<input type='hidden' name='contact-form-id' value='$id' />\n";
1524	$r .= "\t\t<input type='hidden' name='action' value='grunion-contact-form' />\n";
1525	$r .= "\t\t<input type='hidden' name='contact-form-hash' value='" . esc_attr( $form->hash ) . "' />\n";
1526
1527	if ( ! $has_submit_button_block ) {
1528	$r .= "\t</p>\n";
1529	}
1530
1531	$r .= "</form>\n";
1532	}
1533
1534	$r .= '</div>';
1535
1536	/**
1537	* Filter the contact form, allowing plugins to modify the HTML.
1538	*
1539	* @module contact-form
1540	*
1541	* @since 10.2.0
1542	*
1543	* @param string $r The contact form HTML.
1544	*/
1545	return apply_filters( 'jetpack_contact_form_html', $r );
1546	}
1547
1548	/**
1549	* Prepare the submit button for the contact form.
1550	* Add interactivity attributes to submit buttons identified by:
1551	* - Legacy: type="submit" attribute
1552	* - New: is-submit or form-button-submit class
1553	*
1554	* @param string $content - the content of the submit button.
1555	*
1556	* @return string - the prepared content of the submit button.
1557	*/
1558	private static function prepare_submit_button( $content ) {
1559	if ( ! class_exists( \WP_HTML_Tag_Processor::class ) ) {
1560	return $content;
1561	}
1562
1563	$p = new \WP_HTML_Tag_Processor( $content );
1564	while ( $p->next_tag( 'button' ) ) {
1565	$is_submit_by_type = 'submit' === $p->get_attribute( 'type' );
1566	$is_submit_by_class = $p->has_class( 'is-submit' ) \|\| $p->has_class( 'form-button-submit' );
1567
1568	if ( $is_submit_by_type \|\| $is_submit_by_class ) {
1569	self::add_submit_button_interactivity_attributes( $p );
1570	}
1571	}
1572
1573	return $p->get_updated_html();
1574	}
1575
1576	/**
1577	* Adds Interactivity API attributes to the current element in a WP_HTML_Tag_Processor.
1578	*
1579	* Sets data-wp-class, data-wp-bind--aria-disabled, and data-wp-bind--disabled
1580	* on the submit button so the Interactivity API can toggle visual feedback
1581	* (spinner class, disabled state) while the form is submitting.
1582	*
1583	* Called from both single-step forms (prepare_submit_button) and multi-step
1584	* forms (gutenblock_render_form_step_navigation) to keep the attribute list
1585	* in one place.
1586	*
1587	* @param \WP_HTML_Tag_Processor $processor Tag processor positioned on a <button> element.
1588	* @return void
1589	*/
1590	public static function add_submit_button_interactivity_attributes( $processor ) {
1591	if ( ! $processor \|\| ! is_a( $processor, \WP_HTML_Tag_Processor::class ) ) {
1592	return;
1593	}
1594	$processor->set_attribute( 'data-wp-class--is-submitting', 'state.isSubmitting' );
1595	$processor->set_attribute( 'data-wp-bind--aria-disabled', 'state.isAriaDisabled' );
1596	$processor->set_attribute( 'data-wp-bind--disabled', 'state.isAriaDisabled' );
1597	}
1598
1599	/**
1600	* Renders the success message for the contact form when js is disabled or not desired.
1601	*
1602	* @param bool $is_reload_nonce_valid - whether the nonce is valid.
1603	* @param int $feedback_id - the feedback ID.
1604	* @param Contact_Form $form - the contact form.
1605	*
1606	* @return string HTML string for the success message.
1607	*/
1608	private static function render_noscript_success_message( $is_reload_nonce_valid, $feedback_id, $form ) {
1609	$back_url = remove_query_arg( array( 'contact-form-id', 'contact-form-sent', '_wpnonce', 'contact-form-hash' ) );
1610	$contact_form_id = sanitize_text_field( wp_unslash( $_GET['contact-form-id'] ?? '' ) ); // phpcs:ignore WordPress.Security.NonceVerification.Recommended
1611	$disable_go_back = $form->get_attribute( 'disableGoBack' );
1612
1613	$message = '';
1614
1615	$message .= '<style>
1616	.contact-form-ajax-submission {
1617	display: none;
1618	}
1619
1620	#contact-form-' . $contact_form_id . ' form.contact-form {
1621	display: none;
1622	}
1623	</style>';
1624
1625	$message .= '<div class="contact-form-submission">';
1626	$success_message = '';
1627
1628	if ( ! $disable_go_back ) {
1629	$success_message = '<p class="go-back-message"> <a class="link" href="' . esc_url( $back_url ) . '">' . esc_html__( '← Back', 'jetpack-forms' ) . '</a> </p>';
1630	}
1631
1632	$success_message .= '<h4 id="contact-form-success-header">' . esc_html( $form->get_attribute( 'customThankyouHeading' ) ) . "</h4>\n\n";
1633
1634	// Don't show the feedback details unless the nonce matches
1635	if ( $is_reload_nonce_valid ) {
1636	$success_message .= self::success_message( $feedback_id, $form );
1637	}
1638
1639	/**
1640	* Filter the message returned after a successful contact form submission.
1641	*
1642	* @module contact-form
1643	*
1644	* @since 1.3.1
1645	*
1646	* @param string $message Success message.
1647	*/
1648	$message .= apply_filters( 'grunion_contact_form_success_message', $success_message );
1649	$message .= '</div>';
1650
1651	return $message;
1652	}
1653
1654	/**
1655	* Helper function to format the submission data for the success message.
1656	*
1657	* @param array $data The submission data (in 'collection' format with type).
1658	*
1659	* @return array The formatted submission data.
1660	*/
1661	private static function format_submission_data( $data ) {
1662	$formatted_submission_data = array();
1663
1664	foreach ( $data as $field_data ) {
1665	$url = self::get_url( $field_data['value'] );
1666	$images = self::get_images( $field_data['value'] );
1667	$files = self::get_files( $field_data['value'] );
1668	$rating = self::get_rating( $field_data['value'] );
1669	$type = isset( $field_data['type'] ) ? $field_data['type'] : 'text';
1670
1671	$formatted_submission_data[] = array(
1672	'label' => Util::maybe_add_colon_to_label( $field_data['label'] ),
1673	'value' => self::maybe_transform_value( $field_data['value'] ),
1674	'images' => $images,
1675	'url' => $url,
1676	'files' => $files,
1677	'rating' => $rating,
1678	'type' => $type,
1679	'showPlainValue' => empty( $url ) && empty( $images ) && empty( $files ) && empty( $rating ),
1680	);
1681	}
1682
1683	return $formatted_submission_data;
1684	}
1685
1686	/**
1687	* Get the URL from a URL field value if present.
1688	*
1689	* @param mixed $value The field value.
1690	*
1691	* @return string\|null The URL if this is a URL field, null otherwise.
1692	*/
1693	private static function get_url( $value ) {
1694	if ( is_array( $value ) && isset( $value['type'] ) && $value['type'] === 'url' && ! empty( $value['url'] ) ) {
1695	$url = $value['url'];
1696
1697	// Prepend https:// if no protocol is specified.
1698	if ( ! preg_match( '#^https?://#i', $url ) ) {
1699	$url = 'https://' . $url;
1700	}
1701
1702	// Validate URL - only http and https protocols are allowed for safety.
1703	$url = esc_url( $url, array( 'http', 'https' ) );
1704	return ! empty( $url ) ? $url : null;
1705	}
1706	return null;
1707	}
1708
1709	/**
1710	* Get the rating data from a rating field value if present.
1711	*
1712	* @param mixed $value The field value.
1713	*
1714	* @return array\|null The rating data if this is a rating field, null otherwise.
1715	*/
1716	private static function get_rating( $value ) {
1717	if ( is_array( $value ) && isset( $value['type'] ) && $value['type'] === 'rating' ) {
1718	$rating = isset( $value['rating'] ) ? (int) $value['rating'] : 0;
1719	$max_rating = isset( $value['maxRating'] ) ? (int) $value['maxRating'] : 5;
1720	$icon_style = isset( $value['iconStyle'] ) ? $value['iconStyle'] : 'stars';
1721
1722	// Generate translated screen reader text.
1723	$icon_label = 'hearts' === $icon_style
1724	? _n( 'heart', 'hearts', $max_rating, 'jetpack-forms' )
1725	: _n( 'star', 'stars', $max_rating, 'jetpack-forms' );
1726
1727	return array(
1728	'rating' => $rating,
1729	'maxRating' => $max_rating,
1730	'iconStyle' => $icon_style,
1731	/* translators: 1: rating value, 2: maximum rating, 3: icon type (stars or hearts) */
1732	'screenReaderText' => sprintf( __( 'Rating: %1$d out of %2$d %3$s', 'jetpack-forms' ), $rating, $max_rating, $icon_label ),
1733	);
1734	}
1735	return null;
1736	}
1737
1738	/**
1739	* Get the SVG icon for a field type.
1740	*
1741	* @param string $field_type The field type.
1742	*
1743	* @return string The SVG icon HTML.
1744	*/
1745	private static function get_field_type_icon( $field_type ) {
1746	// Map field types that don't follow the 'field-{type}' naming convention.
1747	static $type_exceptions = array(
1748	'phone' => 'field-telephone',
1749	'telephone' => 'field-telephone',
1750	'radio' => 'field-single-choice',
1751	'checkbox-multiple' => 'field-multiple-choice',
1752	);
1753
1754	$block_dir = $type_exceptions[ $field_type ] ?? 'field-' . $field_type;
1755
1756	// Cache loaded SVG content to avoid re-reading files.
1757	static $icon_cache = array();
1758
1759	if ( ! isset( $icon_cache[ $block_dir ] ) ) {
1760	$svg_file = dirname( __DIR__ ) . '/blocks/' . $block_dir . '/icon.svg';
1761	$svg = '';
1762
1763	if ( file_exists( $svg_file ) ) {
1764	$svg = file_get_contents( $svg_file ); // phpcs:ignore WordPress.WP.AlternativeFunctions.file_get_contents_file_get_contents -- Reading local package file, not a remote URL.
1765	}
1766
1767	if ( $svg ) {
1768	$svg = trim( $svg );
1769
1770	$icon_cache[ $block_dir ] = $svg;
1771	} else {
1772	$icon_cache[ $block_dir ] = '';
1773	}
1774	}
1775
1776	return $icon_cache[ $block_dir ];
1777	}
1778
1779	/**
1780	* Helper function that display the error wrapper.
1781	*
1782	* @param string $classes - the class names to add to the error wrapper.
1783	* @return string HTML string for the error wrapper.
1784	*/
1785	private static function render_error_wrapper( $classes = '' ) {
1786	$class_attr = $classes ? ' ' . esc_attr( $classes ) : '';
1787	$html = '<div class="contact-form__error' . $class_attr . '" data-wp-class--show-errors="state.showFormErrors">';
1788	$html .= '<span class="contact-form__warning-icon" aria-hidden="true"><i></i></span>';
1789	$html .= '<span class="contact-form__error-message" tabindex="-1" data-wp-watch="callbacks.focusOnValidationError" data-wp-text="state.getFormErrorMessage"></span>';
1790	$html .= '<ul aria-label="' . esc_attr__( 'Form errors', 'jetpack-forms' ) . '">
1791	<template data-wp-each="state.getErrorList" data-wp-key="context.item.id">
1792	<li><a data-wp-bind--href="context.item.anchor" data-wp-on--click="actions.scrollIntoView" data-wp-text="context.item.label"></a></li>
1793	</template>
1794	</ul>';
1795	$html .= '</div>';
1796
1797	$html .= '<div class="contact-form__error" data-wp-class--show-errors="state.showSubmissionError" data-wp-text="context.submissionError" tabindex="-1" data-wp-watch="callbacks.focusOnSubmissionError"></div>';
1798	return $html;
1799	}
1800
1801	/**
1802	* Renders the success wrapper after a form is submitted without reloading the page.
1803	*
1804	* @param Contact_Form $form - the contact form.
1805	* @param bool $submission_success - whether the form has already been submitted.
1806	* @param array $formatted_submission_data - the formatted submission data.
1807	*
1808	* @return string HTML string for the success wrapper.
1809	*/
1810	private static function render_ajax_success_wrapper( $form, $submission_success = false, $formatted_submission_data = array() ) {
1811	$classes = 'contact-form-submission contact-form-ajax-submission';
1812
1813	if ( $submission_success ) {
1814	$classes .= ' submission-success';
1815	}
1816
1817	$back_url = remove_query_arg( array( 'contact-form-id', 'contact-form-sent', '_wpnonce', 'contact-form-hash' ) );
1818	$disable_go_back = $form->get_attribute( 'disableGoBack' );
1819	$disable_summary = $form->get_disable_summary();
1820	$confirmation_type = $form->get_confirmation_type();
1821
1822	if ( $confirmation_type === 'redirect' ) {
1823	return '';
1824	}
1825
1826	$html = '<div class="' . esc_attr( $classes ) . '" data-wp-bind--aria-hidden="state.isSuccessMessageAriaHidden" data-wp-class--submission-success="context.submissionSuccess" id="contact-form-success-' . esc_attr( $form->hash ) . '" tabindex="-1" aria-labelledby="contact-form-success-header-' . esc_attr( $form->hash ) . '">';
1827
1828	if ( ! $disable_go_back ) {
1829	$html .= '<p class="go-back-message">';
1830	$html .= '<a class="link" role="button" tabindex="0" data-wp-on--click="actions.goBack" href="' . esc_url( $back_url ) . '">' . esc_html__( '← Back', 'jetpack-forms' ) . '</a>';
1831	$html .= '</p>';
1832	}
1833
1834	$html .=
1835	'<h4 data-wp-bind--aria-hidden="state.isSuccessMessageAriaHidden" id="contact-form-success-header-' . esc_attr( $form->hash ) . '">' . esc_html( $form->get_attribute( 'customThankyouHeading' ) ) .
1836	"</h4>\n\n";
1837
1838	if ( 'text' === $confirmation_type ) {
1839	$raw_message = $form->get_attribute( 'customThankyouMessage' );
1840
1841	if ( $raw_message !== '' ) {
1842	// Add more allowed HTML elements for file download links
1843	$allowed_html = array(
1844	'br' => array(),
1845	'blockquote' => array( 'class' => array() ),
1846	'p' => array(),
1847	'div' => array(
1848	'class' => array(),
1849	'style' => array(),
1850	),
1851	'span' => array(
1852	'class' => array(),
1853	'style' => array(),
1854	),
1855	);
1856
1857	$message = wp_kses( $raw_message, $allowed_html );
1858	$message = '<div class="jetpack_forms_contact-form-custom-success-message">' . $message . '</div>';
1859
1860	$html .= $message;
1861	}
1862
1863	if ( ! $disable_summary ) {
1864	$html .= '<template data-wp-each--submission="context.formattedSubmissionData">
1865	<div class="jetpack_forms_contact-form-success-summary">
1866	<div class="field-name-wrapper">
1867	<div class="field-type-icon" data-wp-watch="callbacks.watchFieldTypeIcon"></div>
1868	<div class="field-name" data-wp-text="context.submission.label" data-wp-bind--hidden="!context.submission.label"></div>
1869	</div>
1870	<div class="field-value" data-wp-text="context.submission.value" data-wp-bind--hidden="!context.submission.showPlainValue"></div>
1871	<a class="field-url" data-wp-bind--href="context.submission.url" data-wp-text="context.submission.value" data-wp-bind--hidden="!context.submission.url" target="_blank" rel="noopener noreferrer"></a>
1872	<div class="field-rating" data-wp-bind--hidden="!context.submission.rating" data-wp-watch="callbacks.watchRatingIcons"></div>
1873	<div class="field-images" data-wp-bind--hidden="!context.submission.images">
1874	<template data-wp-each--image="context.submission.images">
1875	<div class="field-image-option" data-wp-class--is-empty="!context.image.src">
1876	<figure class="field-image-option__image" data-wp-class--is-empty="!context.image.src">
1877	<img data-wp-bind--src="context.image.src" data-wp-bind--hidden="!context.image.src" />
1878	<img src="data:image/gif;base64,R0lGODlhAQABAAD/ACwAAAAAAQABAAACADs=" data-wp-bind--hidden="context.image.src" />
1879	</figure>
1880	<div class="field-image-option__label-wrapper">
1881	<span class="field-image-option__label-code" data-wp-text="context.image.letterCode"></span>
1882	<span class="field-image-option__label" data-wp-text="context.image.label" data-wp-bind--hidden="!context.image.label"></span>
1883	</div>
1884	</div>
1885	</template>
1886	</div>
1887	<div class="field-files" data-wp-bind--hidden="!context.submission.files">
1888	<template data-wp-each--file="context.submission.files">
1889	<div class="field-file">
1890	<div class="field-file__thumbnail" data-wp-style--background-image="context.file.previewUrl" data-wp-style--mask-image="context.file.iconUrl" data-wp-bind--hidden="!context.file.hasPreview"></div>
1891	<svg class="field-file__icon" data-wp-bind--hidden="context.file.hasPreview" width="20" height="20" viewBox="0 0 24 24" fill="none" xmlns="http://www.w3.org/2000/svg" aria-hidden="true">
1892	<path d="M14 2H6C4.9 2 4 2.9 4 4V20C4 21.1 4.89 22 5.99 22H18C19.1 22 20 21.1 20 20V8L14 2ZM18 20H6V4H13V9H18V20Z" fill="currentColor"/>
1893	</svg>
1894	<span class="field-file__name" data-wp-text="context.file.name"></span>
1895	<span class="field-file__size" data-wp-text="context.file.size"></span>
1896	</div>
1897	</template>
1898	</div>
1899	</div>
1900	</template>';
1901
1902	// For each entry in the submission data array, render a div with the label and value.
1903	// Structure must match the template above for proper hydration.
1904	foreach ( $formatted_submission_data as $submission ) {
1905	$has_url = ! empty( $submission['url'] );
1906	$has_images = ! empty( $submission['images'] );
1907	$has_files = ! empty( $submission['files'] );
1908	$has_rating = ! empty( $submission['rating'] );
1909	$show_plain_val = ! $has_url && ! $has_images && ! $has_files && ! $has_rating;
1910	$field_type = isset( $submission['type'] ) ? $submission['type'] : 'text';
1911
1912	$html .= '<div data-wp-each-child class="jetpack_forms_contact-form-success-summary">';
1913
1914	// field-name-wrapper: contains icon and label.
1915	$html .= '<div class="field-name-wrapper">';
1916	// field-type-icon: rendered based on field type.
1917	// The data-rendered-type attribute enables hydration optimization by allowing
1918	// the JS callback to skip re-rendering when the icon is already correct.
1919	$html .= '<div class="field-type-icon" data-wp-watch="callbacks.watchFieldTypeIcon" data-rendered-type="' . esc_attr( $field_type ) . '">' . self::get_field_type_icon( $field_type ) . '</div>';
1920	// field-name: always present.
1921	$html .= '<div class="field-name" data-wp-text="context.submission.label" data-wp-bind--hidden="!context.submission.label">' . esc_html( $submission['label'] ) . '</div>';
1922	$html .= '</div>'; // Close field-name-wrapper.
1923
1924	// field-value: always present, hidden when URL, images, or files exist.
1925	$html .= '<div class="field-value" data-wp-text="context.submission.value" data-wp-bind--hidden="!context.submission.showPlainValue"';
1926	$html .= $show_plain_val ? '' : ' hidden';
1927	$html .= '>' . ( $show_plain_val ? esc_html( $submission['value'] ) : '' ) . '</div>';
1928
1929	// field-url: always present, hidden when no URL.
1930	$html .= '<a class="field-url" data-wp-bind--href="context.submission.url" data-wp-text="context.submission.value" data-wp-bind--hidden="!context.submission.url" target="_blank" rel="noopener noreferrer"';
1931	$html .= $has_url ? ' href="' . esc_attr( $submission['url'] ) . '"' : ' hidden';
1932	$html .= '>' . ( $has_url ? esc_html( $submission['value'] ) : '' ) . '</a>';
1933
1934	// Field rating - only visible when rating is present. JS renders the SVG icons.
1935	$html .= '<div class="field-rating" data-wp-bind--hidden="!context.submission.rating" data-wp-watch="callbacks.watchRatingIcons"';
1936	$html .= $has_rating ? ' data-rating="' . esc_attr( wp_json_encode( $submission['rating'], JSON_UNESCAPED_SLASHES ) ) . '">' : ' hidden>';
1937	$html .= '</div>';
1938
1939	// field-images: always present, hidden when no images.
1940	$html .= '<div class="field-images" data-wp-bind--hidden="!context.submission.images"';
1941	$html .= $has_images ? '' : ' hidden';
1942	$html .= '>';
1943
1944	if ( $has_images ) {
1945	foreach ( $submission['images'] as $image ) {
1946	$image_src = $image['src'] ?? '';
1947	$image_letter_code = $image['letterCode'] ?? '';
1948	$image_label = $image['label'] ?? '';
1949
1950	$html .= '<div data-wp-each-child class="field-image-option ' . ( empty( $image_src ) ? 'is-empty' : '' ) . '" data-wp-class--is-empty="!context.image.src">';
1951	$html .= '<figure class="field-image-option__image ' . ( empty( $image_src ) ? 'is-empty' : '' ) . '" data-wp-class--is-empty="!context.image.src">';
1952	$html .= '<img data-wp-bind--src="context.image.src" src="' . esc_attr( $image_src ) . '" data-wp-bind--hidden="!context.image.src"' . ( empty( $image_src ) ? ' hidden' : '' ) . '/>';
1953	$html .= '<img src="data:image/gif;base64,R0lGODlhAQABAAD/ACwAAAAAAQABAAACADs=" data-wp-bind--hidden="context.image.src"' . ( empty( $image_src ) ? '' : ' hidden' ) . '/>';
1954	$html .= '</figure>';
1955	$html .= '<div class="field-image-option__label-wrapper">';
1956	$html .= '<span class="field-image-option__label-code" data-wp-text="context.image.letterCode">' . esc_html( $image_letter_code ) . '</span>';
1957	$html .= '<span class="field-image-option__label" data-wp-text="context.image.label" data-wp-bind--hidden="!context.image.label"' . ( empty( $image_label ) ? ' hidden' : '' ) . '>' . esc_html( $image_label ) . '</span>';
1958	$html .= '</div></div>';
1959	}
1960	} else {
1961	// Empty template for hydration when no images.
1962	$html .= '<template data-wp-each--image="context.submission.images"></template>';
1963	}
1964
1965	$html .= '</div>'; // Close field-images.
1966
1967	// field-files: always present, hidden when no files.
1968	$html .= '<div class="field-files" data-wp-bind--hidden="!context.submission.files"';
1969	$html .= $has_files ? '' : ' hidden';
1970	$html .= '>';
1971
1972	if ( $has_files ) {
1973	foreach ( $submission['files'] as $file ) {
1974	$file_name = $file['name'] ?? '';
1975	$file_size = $file['size'] ?? '';
1976	$has_preview = $file['hasPreview'] ?? false;
1977
1978	$html .= '<div data-wp-each-child class="field-file">';
1979	// Thumbnail for AJAX submissions (has preview data)
1980	$html .= '<div class="field-file__thumbnail" data-wp-style--background-image="context.file.previewUrl" data-wp-style--mask-image="context.file.iconUrl" data-wp-bind--hidden="!context.file.hasPreview"';
1981	$html .= $has_preview ? '' : ' hidden';
1982	$html .= '></div>';
1983	// SVG fallback for non-AJAX submissions
1984	$html .= '<svg class="field-file__icon" data-wp-bind--hidden="context.file.hasPreview" width="20" height="20" viewBox="0 0 24 24" fill="none" xmlns="http://www.w3.org/2000/svg" aria-hidden="true"';
1985	$html .= $has_preview ? ' hidden' : '';
1986	$html .= '>';
1987	$html .= '<path d="M14 2H6C4.9 2 4 2.9 4 4V20C4 21.1 4.89 22 5.99 22H18C19.1 22 20 21.1 20 20V8L14 2ZM18 20H6V4H13V9H18V20Z" fill="currentColor"/>';
1988	$html .= '</svg>';
1989	$html .= '<span class="field-file__name" data-wp-text="context.file.name">' . esc_html( $file_name ) . '</span>';
1990	$html .= '<span class="field-file__size" data-wp-text="context.file.size">' . esc_html( $file_size ) . '</span>';
1991	$html .= '</div>';
1992	}
1993	} else {
1994	// Empty template for hydration when no files.
1995	$html .= '<template data-wp-each--file="context.submission.files"></template>';
1996	}
1997
1998	$html .= '</div></div>'; // Close field-files and summary.
1999	}
2000	}
2001	}
2002
2003	$html .= '</div>';
2004	return $html;
2005	}
2006
2007	/**
2008	* Returns a success message to be returned if the form is sent via AJAX.
2009	*
2010	* @param int $feedback_id - the feedback ID.
2011	* @param Contact_Form $form - the contact form.
2012	*
2013	* @return string $message
2014	*/
2015	public static function success_message( $feedback_id, $form ) {
2016	$message = '';
2017	$disable_summary = $form->get_disable_summary();
2018	$confirmation_type = $form->get_confirmation_type();
2019
2020	if ( 'text' === $confirmation_type ) {
2021	$raw_message = $form->get_attribute( 'customThankyouMessage' );
2022
2023	if ( $raw_message !== '' ) {
2024	// Add more allowed HTML elements for file download links
2025	$allowed_html = array(
2026	'br' => array(),
2027	'blockquote' => array( 'class' => array() ),
2028	'p' => array(),
2029	'div' => array(
2030	'class' => array(),
2031	'style' => array(),
2032	),
2033	'span' => array(
2034	'class' => array(),
2035	'style' => array(),
2036	),
2037	);
2038
2039	$message = wp_kses( $raw_message, $allowed_html );
2040	$message = '<div class="jetpack_forms_contact-form-custom-success-message">' . $message . '</div>';
2041	}
2042
2043	if ( ! $disable_summary ) {
2044	$compiled_form = self::get_compiled_form( $feedback_id );
2045
2046	$message .= '<div class="jetpack_forms_contact-form-success-summary"><p>' . implode( '</p><p>', $compiled_form ) . '</p></div>';
2047	}
2048	}
2049
2050	return $message;
2051	}
2052
2053	/**
2054	* Returns a compiled form with labels and values in a form of an array
2055	* of lines.
2056	*
2057	* @param int $feedback_id - the feedback ID.
2058	* @param Contact_Form $form - the form. This parameter is deprecated and will be removed in the next version.
2059	*
2060	* @return array $lines
2061	*/
2062	public static function get_compiled_form( $feedback_id, $form = null ) {
2063
2064	if ( $form ) {
2065	_deprecated_argument( __METHOD__, '5.1.0', '$form is deprecated' );
2066	}
2067	$compiled_form = self::get_raw_compiled_form_data( $feedback_id );
2068
2069	foreach ( $compiled_form as $field_index => $data ) {
2070	$safe_display_value = self::escape_and_sanitize_field_value( $data['value'] );
2071
2072	if ( '' === $safe_display_value ) {
2073	$safe_display_value = '-';
2074	}
2075
2076	if ( ! empty( $data['label'] ) ) {
2077	$safe_display_label = self::escape_and_sanitize_field_label( $data['label'] );
2078	$compiled_form[ $field_index ] = sprintf(
2079	'<div class="field-name">%1$s</div> <div class="field-value">%2$s</div>',
2080	Util::maybe_add_colon_to_label( $safe_display_label ),
2081	$safe_display_value
2082	);
2083	} else {
2084	// If there is no label, only output the field value, wrapped in its div.
2085	$compiled_form[ $field_index ] = sprintf(
2086	'<div class="field-value">%s</div>',
2087	$safe_display_value
2088	);
2089	}
2090	}
2091
2092	return $compiled_form;
2093	}
2094
2095	/**
2096	* Returns the JSON data for the form submission.
2097	*
2098	* @param int $feedback_id - the feedback ID.
2099	* @param Contact_Form $form - the form. This parameter is deprecated and will be removed in the next version.
2100	*
2101	* @deprecated 5.1.0
2102	*
2103	* @return array $json_data
2104	*/
2105	public static function get_json_data( $feedback_id, $form = null ) {
2106	_deprecated_function( __METHOD__, '5.1.0', 'Feedback::get( $feedback_id )->get_compiled_fields(\'ajax\', \'label\|value\' )' );
2107
2108	if ( $form ) {
2109	_deprecated_argument( __METHOD__, '5.1.0', '$form is deprecated' );
2110	}
2111
2112	$response = Feedback::get( $feedback_id );
2113	if ( ! $response ) {
2114	return array();
2115	}
2116
2117	return $response->get_compiled_fields( 'ajax', 'label\|value' );
2118	}
2119
2120	/**
2121	* Retrieves raw compiled form data.
2122	*
2123	* @param int $feedback_id - the feedback ID.
2124	* @param Contact_Form $form - the form. This parameter is deprecated and will be removed in the next version.
2125	*
2126	* @return array $raw_data Associative array where keys are field_index and values are arrays with 'label' and 'value'.
2127	*/
2128	private static function get_raw_compiled_form_data( $feedback_id, $form = null ) {
2129
2130	if ( $form ) {
2131	_deprecated_argument( __METHOD__, '5.1.0', '$form is deprecated' );
2132	}
2133
2134	$response = Feedback::get( $feedback_id );
2135	if ( $response instanceof Feedback ) {
2136	// If the response is an instance of Feedback, we can use its method to get compiled fields.
2137	return $response->get_compiled_fields( 'web', 'all' );
2138	}
2139
2140	return array();
2141	}
2142
2143	/**
2144	* Returns a compiled form with labels and values formatted for the email response
2145	* in a form of an array of lines.
2146	*
2147	* @param int $feedback_id - the feedback ID.
2148	* @param Contact_Form $form - the form.
2149	*
2150	* @return array $lines
2151	*/
2152	public static function get_compiled_form_for_email( $feedback_id, $form ) {
2153	return Feedback_Email_Renderer::get_compiled_form_for_email( $feedback_id, $form );
2154	}
2155
2156	/**
2157	* Escape and sanitize a field value.
2158	*
2159	* @param mixed $value - the value to sanitize.
2160	*
2161	* TODO: there's a mix of functionalities in this method. Unsure if it's fixable.
2162	* @return string
2163	*/
2164	public static function escape_and_sanitize_field_value( $value ) {
2165	if ( empty( $value ) ) {
2166	return '';
2167	}
2168
2169	// Handle file upload field (new structure with field_id and files array).
2170	if ( self::is_file_upload_field( $value ) ) {
2171	$files = $value['files'];
2172	if ( empty( $files ) ) {
2173	return '';
2174	}
2175
2176	$file_links = array();
2177	foreach ( $files as $file ) {
2178	if ( ! empty( $file['file_id'] ) ) {
2179	$file_name = isset( $file['name'] ) ? $file['name'] : __( 'Attached file', 'jetpack-forms' );
2180	$file_size = isset( $file['size'] ) ? size_format( $file['size'] ) : '';
2181
2182	$html = esc_html( $file_name );
2183	if ( ! empty( $file_size ) ) {
2184	$html .= sprintf( ' <span class="jetpack-forms-file-size">(%s)</span>', esc_html( $file_size ) );
2185	}
2186
2187	$file_links[] = $html;
2188	}
2189	}
2190
2191	return implode( '<br>', $file_links );
2192	}
2193
2194	// Handle rating field - return displayValue (e.g., "3/5") as text fallback.
2195	if ( is_array( $value ) && isset( $value['type'] ) && $value['type'] === 'rating' ) {
2196	return isset( $value['displayValue'] ) ? esc_html( $value['displayValue'] ) : '';
2197	}
2198
2199	// Handle URL field - return displayValue or url.
2200	if ( is_array( $value ) && isset( $value['type'] ) && $value['type'] === 'url' ) {
2201	return isset( $value['displayValue'] ) ? esc_html( $value['displayValue'] ) : ( isset( $value['url'] ) ? esc_html( $value['url'] ) : '' );
2202	}
2203
2204	if ( is_array( $value ) ) {
2205	return implode( ', ', array_map( array( __CLASS__, 'escape_and_sanitize_field_value' ), $value ) );
2206	}
2207
2208	$value = str_replace( array( '[', ']' ), array( '[', ']' ), $value );
2209	return nl2br( wp_kses( $value, array() ) );
2210	}
2211
2212	/**
2213	* Only strip out empty string values and keep all the other values as they are.
2214	*
2215	* @param string $single_value - the single value.
2216	*
2217	* @return bool
2218	*/
2219	public static function remove_empty( $single_value ) {
2220	return ( $single_value !== '' );
2221	}
2222
2223	/**
2224	* Get file upload fields
2225	*
2226	* @param int $post_id The feedback post ID.
2227	* @return array Array of file attachments or empty array.
2228	*/
2229	public static function get_file_upload_fields( $post_id ) {
2230	$content_fields = Contact_Form_Plugin::parse_fields_from_content( $post_id );
2231	$file_upload_fields = array();
2232	if ( isset( $content_fields['_feedback_all_fields'] ) ) {
2233	foreach ( $content_fields['_feedback_all_fields'] as $field_value ) {
2234	if ( self::is_file_upload_field( $field_value ) ) {
2235	$file_upload_fields[] = $field_value;
2236	}
2237	}
2238	}
2239
2240	return $file_upload_fields;
2241	}
2242
2243	/**
2244	* Delete files
2245	*
2246	* @param int $post_id The post ID being deleted.
2247	* @return void
2248	*/
2249	public static function delete_feedback_files( $post_id ) {
2250	if ( get_post_type( $post_id ) !== 'feedback' ) {
2251	return;
2252	}
2253	// $file_upload_fields = self::get_file_upload_fields( $post_id );
2254	// TODO: Implement delete_feedback_files() method.
2255	}
2256
2257	/**
2258	* Escape a shortcode value.
2259	*
2260	* Shortcode attribute values have a number of unfortunate restrictions, which fortunately we
2261	* can get around by adding some extra HTML encoding.
2262	*
2263	* The output HTML will have a few extra escapes, but that makes no functional difference.
2264	*
2265	* @since 9.1.0
2266	* @param string\|array $val Value to escape.
2267	* @return string
2268	*/
2269	public static function esc_shortcode_val( $val ) {
2270	// Sometimes we provide attributes in the form of a collection, hence making the value an array.
2271	// The above case triggers a warning about array to string conversion on formatting.php:1096.
2272	// This chunk will try to get the value from the usual label\|value structure. Otherwise, it will try
2273	// recursively to get the first value from the array.
2274	if ( is_array( $val ) ) {
2275	if ( isset( $val['value'] ) ) {
2276	$val = $val['value'];
2277	} else {
2278	return self::esc_shortcode_val( array_shift( $val ) );
2279	}
2280	}
2281
2282	return strtr(
2283	esc_html( $val ),
2284	array(
2285	// Brackets in attribute values break the shortcode parser.
2286	'[' => '[',
2287	']' => ']',
2288	// Shortcode parser screws up backslashes too, thanks to calls to `stripcslashes`.
2289	'\\' => '\',
2290	// The existing code here represents arrays as comma-separated strings.
2291	// Rather than trying to change representations now, just escape the commas in values.
2292	',' => ',',
2293	)
2294	);
2295	}
2296
2297	/**
2298	* The contact-field shortcode processor.
2299	* We use an object method here instead of a static Contact_Form_Field class method to parse contact-field shortcodes so that we can tie them to the contact-form object.
2300	*
2301	* @param array $attributes Key => Value pairs as parsed by shortcode_parse_atts().
2302	* @param string\|null $content The shortcode's inner content: [contact-field]$content[/contact-field].
2303	* @param WP_Block\|null $block The field block object.
2304	* @return string HTML for the contact form field
2305	*/
2306	public static function parse_contact_field( $attributes, $content, $block = null ) {
2307	if ( $block ) {
2308	$type = null;
2309	}
2310
2311	// Don't try to parse contact form fields if not inside a contact form (????)
2312	if ( ! Contact_Form_Plugin::$using_contact_form_field ) {
2313	$type = isset( $attributes['type'] ) ? $attributes['type'] : null;
2314
2315	if ( $type === 'checkbox-multiple' \|\| $type === 'radio' ) {
2316	preg_match_all( '/' . get_shortcode_regex() . '/s', $content, $matches );
2317
2318	if ( ! empty( $matches[0] ) ) {
2319	$options = array();
2320	foreach ( $matches[0] as $shortcode ) {
2321	$attr = shortcode_parse_atts( $shortcode );
2322	if ( ! empty( $attr['label'] ) ) {
2323	$options[] = $attr['label'];
2324	}
2325	}
2326
2327	$attributes['options'] = $options;
2328	}
2329	}
2330
2331	if ( ! isset( $attributes['label'] ) ) {
2332	$attributes['label'] = self::get_default_label_from_type( $type );
2333	}
2334
2335	$att_strs = array();
2336	foreach ( $attributes as $att => $val ) {
2337	if ( is_numeric( $att ) ) { // Is a valueless attribute
2338	$att_strs[] = self::esc_shortcode_val( $val );
2339	} elseif ( isset( $val ) ) { // A regular attr - value pair
2340	if ( ( $att === 'options' \|\| $att === 'values' ) && is_string( $val ) ) { // remove any empty strings
2341	$val = explode( ',', $val );
2342	}
2343	if ( is_array( $val ) ) {
2344	$val = array_filter( $val, array( __CLASS__, 'remove_empty' ) ); // removes any empty strings
2345	$att_strs[] = esc_html( $att ) . '="' . implode( ',', array_map( array( __CLASS__, 'esc_shortcode_val' ), $val ) ) . '"';
2346	} elseif ( is_bool( $val ) ) {
2347	$att_strs[] = esc_html( $att ) . '="' . ( $val ? '1' : '' ) . '"';
2348	} else {
2349	// Allow CSS in known style attributes byut sanitize with safecss_filter_attr.
2350	$allowed_style_keys = array( 'labelstyles', 'inputstyles', 'optionstyles', 'optionsstyles', 'stylevariationstyles' );
2351	if ( in_array( $att, $allowed_style_keys, true ) ) {
2352	$sanitized = safecss_filter_attr( (string) $val );
2353	$att_strs[] = esc_attr( $att ) . '="' . esc_html( $sanitized ) . '"';
2354	} else {
2355	$att_strs[] = esc_attr( $att ) . '="' . self::esc_shortcode_val( $val ) . '"';
2356	}
2357	}
2358	}
2359	}
2360
2361	$shortcode_type = 'contact-field';
2362	if ( $type === 'field-option' ) {
2363	$shortcode_type = 'contact-field-option';
2364	}
2365
2366	$html = '[' . $shortcode_type . ' ' . implode( ' ', $att_strs );
2367	$trimmed_content = isset( $content ) ? trim( $content ) : '';
2368
2369	if ( ! empty( $trimmed_content ) ) { // If there is content, let's add a closing tag
2370	$html .= ']' . esc_html( $trimmed_content ) . '[/contact-field]';
2371	} else { // Otherwise let's add a closing slash in the first tag
2372	$html .= '/]';
2373	}
2374
2375	return $html;
2376	}
2377
2378	// What does this actually means? What is the case where this is used?
2379	$form = self::$current_form;
2380
2381	$field = new Contact_Form_Field( $attributes, $content, $form );
2382
2383	$field_id = $field->get_attribute( 'id' );
2384	if ( $field_id ) {
2385	$form->fields[ $field_id ] = $field;
2386	} else {
2387	$form->fields[] = $field;
2388	}
2389
2390	if ( // phpcs:disable WordPress.Security.NonceVerification.Missing
2391	! isset( $_POST['jetpack_contact_form_jwt'] )
2392	&&
2393	isset( $_POST['action'] ) && 'grunion-contact-form' === $_POST['action']
2394	&&
2395	isset( $_POST['contact-form-id'] ) && (string) $form->get_attribute( 'id' ) === $_POST['contact-form-id']
2396	&&
2397	isset( $_POST['contact-form-hash'] ) && is_string( $_POST['contact-form-hash'] ) && hash_equals( $form->hash, wp_unslash( $_POST['contact-form-hash'] ) )
2398	) { // phpcs:enable
2399	// If we're processing a POST submission for this contact form, validate the field value so we can show errors as necessary.
2400	$field->validate();
2401	}
2402
2403	// Output HTML
2404	return $field->render();
2405	}
2406
2407	/**
2408	* Check if the field is a file upload field.
2409	*
2410	* @param array $field The field to check.
2411	* @return bool True if the field is a file upload field, false otherwise.
2412	*/
2413	public static function is_file_upload_field( $field ) {
2414	return ( is_array( $field ) &&
2415	! empty( $field ) &&
2416	isset( $field['field_id'] ) &&
2417	isset( $field['files'] ) &&
2418	is_array( $field['files'] ) );
2419	}
2420
2421	/**
2422	* Get the default label from type.
2423	*
2424	* @param string $type - the type of label.
2425	*
2426	* @return string
2427	*/
2428	public static function get_default_label_from_type( $type ) {
2429	switch ( $type ) {
2430	case 'text':
2431	$str = __( 'Text', 'jetpack-forms' );
2432	break;
2433	case 'name':
2434	$str = __( 'Name', 'jetpack-forms' );
2435	break;
2436	case 'number':
2437	$str = __( 'Number', 'jetpack-forms' );
2438	break;
2439	case 'email':
2440	$str = __( 'Email', 'jetpack-forms' );
2441	break;
2442	case 'url':
2443	$str = __( 'Website', 'jetpack-forms' );
2444	break;
2445	case 'date':
2446	$str = __( 'Date', 'jetpack-forms' );
2447	break;
2448	case 'telephone':
2449	$str = __( 'Phone', 'jetpack-forms' );
2450	break;
2451	case 'textarea':
2452	$str = __( 'Message', 'jetpack-forms' );
2453	break;
2454	case 'checkbox-multiple':
2455	$str = __( 'Choose several options', 'jetpack-forms' );
2456	break;
2457	case 'radio':
2458	$str = __( 'Choose one option', 'jetpack-forms' );
2459	break;
2460	case 'select':
2461	$str = __( 'Select one', 'jetpack-forms' );
2462	break;
2463	case 'consent':
2464	$str = __( 'Consent', 'jetpack-forms' );
2465	break;
2466	case 'file':
2467	$str = __( 'Upload a file', 'jetpack-forms' );
2468	break;
2469	case 'time':
2470	$str = __( 'Time', 'jetpack-forms' );
2471	break;
2472	case 'image-select':
2473	$str = __( 'Select an image', 'jetpack-forms' );
2474	break;
2475	default:
2476	$str = null;
2477	}
2478	return $str;
2479	}
2480
2481	/**
2482	* Loops through $this->fields to generate a (structured) list of field IDs.
2483	*
2484	* Important: Currently the allowed fields are defined as follows:
2485	* `name`, `email`, `url`, `subject`, `textarea`
2486	*
2487	* If you need to add new fields to the Contact Form, please don't add them
2488	* to the allowed fields and leave them as extra fields.
2489	*
2490	* The reasoning behind this is that both the admin Feedback view and the CSV
2491	* export will not include any fields that are added to the list of
2492	* allowed fields without taking proper care to add them to all the
2493	* other places where they accessed/used/saved.
2494	*
2495	* The safest way to add new fields is to add them to the dropdown and the
2496	* HTML list ( @see Contact_Form_Field::render ) and don't add them
2497	* to the list of allowed fields. This way they will become a part of the
2498	* `extra fields` which are saved in the post meta and will be properly
2499	* handled by the admin Feedback view and the CSV Export without any extra
2500	* work.
2501	*
2502	* If there is need to add a field to the allowed fields, then please
2503	* take proper care to add logic to handle the field in the following places:
2504	*
2505	* - Below in the switch statement - so the field is recognized as allowed.
2506	*
2507	* - Contact_Form::process_submission - validation and logic.
2508	*
2509	* - Contact_Form::process_submission - add the field as an additional
2510	* field in the `post_content` when saving the feedback content.
2511	*
2512	* - Contact_Form_Plugin::parse_fields_from_content - add mapping
2513	* for the field, defined in the above method.
2514	*
2515	* - Contact_Form_Plugin::map_parsed_field_contents_of_post_to_field_names -
2516	* add mapping of the field for the CSV Export. Otherwise it will be missing
2517	* from the exported data.
2518	*
2519	* - admin.php / grunion_manage_post_columns - add the field to the render logic.
2520	* Otherwise it will be missing from the admin Feedback view.
2521	*
2522	* @return array
2523	*/
2524	public function get_field_ids() {
2525	$field_ids = array(
2526	'all' => array(), // array of all field_ids.
2527	'extra' => array(), // array of all non-allowed field IDs.
2528
2529	// Allowed "standard" field IDs:
2530	// 'email' => field_id,
2531	// 'name' => field_id,
2532	// 'url' => field_id,
2533	// 'subject' => field_id,
2534	// 'textarea' => field_id,
2535	);
2536
2537	// Initialize marketing consent
2538	$field_ids['email_marketing_consent'] = null;
2539	$field_ids['email_marketing_consent_field'] = null;
2540
2541	foreach ( $this->fields as $id => $field ) {
2542	$type = $field->get_attribute( 'type' );
2543
2544	// If the field is not renderable, skip it.
2545	if ( ! $field->is_field_renderable( $type ) ) {
2546	continue;
2547	}
2548
2549	$field_ids['all'][] = $id;
2550
2551	if ( isset( $field_ids[ $type ] ) ) {
2552	// This type of field is already present in our allowed list of "standard" fields for this form
2553	// Put it in extra
2554	$field_ids['extra'][] = $id;
2555	continue;
2556	}
2557
2558	/**
2559	* See method description before modifying the switch cases.
2560	*/
2561	switch ( $type ) {
2562	case 'email':
2563	case 'name':
2564	case 'url':
2565	case 'subject':
2566	case 'textarea':
2567	$field_ids[ $type ] = $id;
2568	break;
2569	case 'consent':
2570	// Set email marketing consent for the first Consent type field
2571	if ( null === $field_ids['email_marketing_consent'] ) {
2572	$field_ids['email_marketing_consent_field'] = $id;
2573	if ( $field->value ) {
2574	$field_ids['email_marketing_consent'] = true;
2575	} else {
2576	$field_ids['email_marketing_consent'] = false;
2577	}
2578	}
2579	$field_ids['extra'][] = $id;
2580	break;
2581	default:
2582	// Put everything else in extra
2583	$field_ids['extra'][] = $id;
2584	}
2585	}
2586
2587	return $field_ids;
2588	}
2589
2590	/**
2591	* Process the contact form's POST submission
2592	* Stores feedback. Sends email.
2593	*/
2594	public function process_submission() {
2595
2596	$response = Feedback::from_submission( $_POST, $this ); // phpcs:Ignore WordPress.Security.NonceVerification.Missing
2597	$response->set_source( $this->get_source() );
2598	$plugin = Contact_Form_Plugin::init();
2599
2600	$id = $this->get_attribute( 'id' );
2601	$to = $this->get_attribute( 'to' );
2602	$widget = $this->get_attribute( 'widget' );
2603	$block_template = $this->get_attribute( 'block_template' );
2604	$block_template_part = $this->get_attribute( 'block_template_part' );
2605
2606	$contact_form_subject = $this->get_attribute( 'subject' );
2607
2608	$to = str_replace( ' ', '', $to );
2609	$emails = explode( ',', $to );
2610
2611	$valid_emails = array();
2612
2613	foreach ( $emails as $email ) {
2614	if ( ! is_email( $email ) ) {
2615	continue;
2616	}
2617
2618	if ( function_exists( 'is_email_address_unsafe' ) && is_email_address_unsafe( $email ) ) {
2619	continue;
2620	}
2621
2622	$valid_emails[] = $email;
2623	}
2624
2625	// No one to send it to, which means none of the "to" attributes are valid emails.
2626	// Use default email instead.
2627	if ( ! $valid_emails ) {
2628	$valid_emails = $this->defaults['to'];
2629	}
2630
2631	$to = $valid_emails;
2632
2633	// Last ditch effort to set a recipient if somehow none have been set.
2634	if ( empty( $to ) ) {
2635	$to = get_option( 'admin_email' );
2636	}
2637
2638	if ( ! $this->has_verified_jwt ) {
2639	// Make sure we're processing the form we think we're processing... probably a redundant check.
2640	if ( $widget ) {
2641	if ( isset( $_POST['contact-form-id'] ) && 'widget-' . $widget !== $_POST['contact-form-id'] ) { // phpcs:Ignore WordPress.Security.NonceVerification.Missing -- check done by caller process_form_submission()
2642	return Form_Submission_Error::system_error( 'form_id_mismatch_widget', __( 'Form ID mismatch.', 'jetpack-forms' ) );
2643	}
2644	} elseif ( $block_template ) {
2645	if ( isset( $_POST['contact-form-id'] ) && 'block-template-' . $block_template !== $_POST['contact-form-id'] ) { // phpcs:Ignore WordPress.Security.NonceVerification.Missing -- check done by caller process_form_submission()
2646	return Form_Submission_Error::system_error( 'form_id_mismatch_block_template', __( 'Form ID mismatch.', 'jetpack-forms' ) );
2647	}
2648	} elseif ( $block_template_part ) {
2649	if ( isset( $_POST['contact-form-id'] ) && 'block-template-part-' . $block_template_part !== $_POST['contact-form-id'] ) { // phpcs:Ignore WordPress.Security.NonceVerification.Missing -- check done by caller process_form_submission()
2650	return Form_Submission_Error::system_error( 'form_id_mismatch_block_template_part', __( 'Form ID mismatch.', 'jetpack-forms' ) );
2651	}
2652	} elseif ( isset( $_POST['contact-form-id'] ) && ( empty( $this->current_post ) \|\| self::get_post_property( $this->current_post, 'ID' ) !== (int) sanitize_text_field( wp_unslash( $_POST['contact-form-id'] ) ) ) ) { // phpcs:ignore WordPress.Security.NonceVerification.Missing -- check done by caller process_form_submission()
2653	return Form_Submission_Error::system_error( 'form_id_mismatch_post', __( 'Form ID mismatch.', 'jetpack-forms' ) );
2654	}
2655	}
2656
2657	// Initialize all these "standard" fields to null
2658	$comment_author_email = $response->get_author_email();
2659	$comment_author = $response->get_author();
2660
2661	$contact_form_subject = $response->get_subject();
2662
2663	// Set marketing consent
2664	$email_marketing_consent = $response->has_consent();
2665
2666	if ( null === $email_marketing_consent ) {
2667	$email_marketing_consent = false;
2668	}
2669
2670	$all_values = $response->get_all_values( 'submit' );
2671	$extra_values = $response->get_legacy_extra_values( 'submit' );
2672
2673	if ( ! empty( $_REQUEST['is_block'] ) ) { // phpcs:ignore WordPress.Security.NonceVerification.Recommended -- not changing the site.
2674	$extra_values['is_block'] = true;
2675	}
2676
2677	$contact_form_subject = trim( $contact_form_subject );
2678
2679	$comment_author_ip = Contact_Form_Plugin::get_ip_address();
2680
2681	// Ensure that Akismet gets all of the relevant information from the contact form,
2682	// not just the textarea field and predetermined subject.
2683	$akismet_vars = $response->get_akismet_vars();
2684
2685	$spam = '';
2686	$akismet_values = $plugin->prepare_for_akismet( $akismet_vars );
2687
2688	// Is it spam?
2689	/** This filter is already documented in \Automattic\Jetpack\Forms\ContactForm\Admin */
2690	$is_spam = apply_filters( 'jetpack_contact_form_is_spam', false, $akismet_values );
2691	if ( is_wp_error( $is_spam ) ) { // WP_Error to abort
2692	return $is_spam; // abort
2693	} elseif ( $is_spam === true ) { // TRUE to flag a spam
2694	$spam = '*SPAM* ';
2695	}
2696
2697	/**
2698	* Filter whether a submitted contact form is in the comment disallowed list.
2699	*
2700	* @module contact-form
2701	*
2702	* @since 8.9.0
2703	*
2704	* @param bool $result Is the submitted feedback in the disallowed list.
2705	* @param array $akismet_values Feedack values returned by the Akismet plugin.
2706	*/
2707	$in_comment_disallowed_list = apply_filters( 'jetpack_contact_form_in_comment_disallowed_list', false, $akismet_values );
2708
2709	if ( ! $comment_author ) {
2710	$comment_author = $comment_author_email;
2711	}
2712
2713	/**
2714	* Filter the email where a submitted feedback is sent.
2715	*
2716	* @module contact-form
2717	*
2718	* @since 1.3.1
2719	*
2720	* @param string\|array $to Array of valid email addresses, or single email address.
2721	* @param array $all_values Contact form fields
2722	*/
2723	$to = (array) apply_filters( 'contact_form_to', $to, $all_values );
2724	$reply_to_addr = $to[0]; // get just the address part before the name part is added
2725
2726	foreach ( $to as $to_key => $to_value ) {
2727	$to[ $to_key ] = Contact_Form_Plugin::strip_tags( $to_value );
2728	$to[ $to_key ] = self::add_name_to_address( $to_value );
2729	}
2730
2731	// Get the site domain and get rid of www.
2732	$sitename = wp_parse_url( site_url(), PHP_URL_HOST );
2733	$from_email_addr = 'wordpress@';
2734
2735	if ( null !== $sitename ) {
2736	if ( str_starts_with( $sitename, 'www.' ) ) {
2737	$sitename = substr( $sitename, 4 );
2738	}
2739
2740	$from_email_addr .= $sitename;
2741	}
2742
2743	if ( ! empty( $comment_author_email ) ) {
2744	$reply_to_addr = $comment_author_email;
2745	}
2746
2747	/*
2748	* The email headers here are formatted in a format
2749	* that is the most likely to be accepted by wp_mail(),
2750	* without escaping.
2751	* More info: https://github.com/Automattic/jetpack/pull/19727
2752	*/
2753	$headers = 'From: ' . $comment_author . ' <' . $from_email_addr . ">\r\n" .
2754	'Reply-To: ' . $comment_author . ' <' . $reply_to_addr . ">\r\n";
2755
2756	/**
2757	* Allow customizing the email headers.
2758	*
2759	* Warning: DO NOT add headers or header data from the form submission without proper
2760	* escaping and validation, or you're liable to allow abusers to use your site to send spam.
2761	*
2762	* Especially DO NOT take email addresses from the form data to add as CC or BCC headers
2763	* without strictly validating each address against a list of allowed addresses.
2764	*
2765	* @module contact-form
2766	*
2767	* @since 10.2.0
2768	*
2769	* @param string\|array $headers Email headers.
2770	* @param string $comment_author Name of the author of the submitted feedback, if provided in form.
2771	* @param string $reply_to_addr Email of the author of the submitted feedback, if provided in form.
2772	* @param string\|array $to Array of valid email addresses, or single email address, where the form is sent.
2773	*/
2774	$headers = apply_filters(
2775	'jetpack_contact_form_email_headers',
2776	$headers,
2777	$comment_author,
2778	$reply_to_addr,
2779	$to
2780	);
2781
2782	$all_values['email_marketing_consent'] = $email_marketing_consent;
2783
2784	$entry_values = $response->get_entry_values();
2785
2786	/** This filter is already documented in \Automattic\Jetpack\Forms\ContactForm\Admin */
2787	$subject = apply_filters( 'contact_form_subject', $contact_form_subject, $all_values );
2788
2789	/*
2790	* Links to the feedback and the post.
2791	*/
2792	if ( $block_template \|\| $block_template_part \|\| $widget ) {
2793	$url = home_url( '/' );
2794	} else {
2795	$url = self::get_permalink( $this->current_post ? self::get_post_property( $this->current_post, 'ID' ) : 0 );
2796	}
2797
2798	// translators: the time of the form submission.
2799	$date_time_format = _x( '%1$s \a\t %2$s', '{$date_format} \a\t {$time_format}', 'jetpack-forms' );
2800	$date_time_format = sprintf( $date_time_format, get_option( 'date_format' ), get_option( 'time_format' ) );
2801	$time = wp_date( $date_time_format );
2802
2803	// Keep a copy of the feedback as a custom post type.
2804	if ( $in_comment_disallowed_list ) {
2805	$feedback_status = 'trash';
2806	} elseif ( $is_spam ) {
2807	$feedback_status = 'spam';
2808	} elseif ( 'no' === $this->get_attribute( 'saveResponses' ) ) {
2809	$feedback_status = 'jp-temp-feedback';
2810	} else {
2811	$feedback_status = 'publish';
2812	}
2813	$response->set_status( $feedback_status );
2814
2815	foreach ( (array) $akismet_values as $av_key => $av_value ) {
2816	$akismet_values[ $av_key ] = Contact_Form_Plugin::strip_tags( $av_value );
2817	}
2818
2819	foreach ( $all_values as $all_key => $all_value ) {
2820	$all_values[ $all_key ] = Contact_Form_Plugin::strip_tags( $all_value );
2821	}
2822
2823	foreach ( $extra_values as $ev_key => $ev_value ) {
2824	$extra_values[ $ev_key ] = Contact_Form_Plugin::strip_tags( $ev_value );
2825	}
2826
2827	/*
2828	* We need to make sure that the post author is always zero for contact
2829	* form submissions. This prevents export/import from trying to create
2830	* new users based on form submissions from people who were logged in
2831	* at the time.
2832	*
2833	* Unfortunately wp_insert_post() tries very hard to make sure the post
2834	* author gets the currently logged in user id. That is how we ended up
2835	* with this work around.
2836	*/
2837	add_filter( 'wp_insert_post_data', array( $plugin, 'insert_feedback_filter' ), 10, 2 );
2838
2839	/**
2840	* Allows site owners to not include IP addresses in the saved form response.
2841	*
2842	* The IP address is still used as part of spam filtering, if enabled, but it is removed when this filter
2843	* is set to true before saving to the database and e-mailing the form recipients.
2844
2845	* @module contact-form
2846	*
2847	* @param bool $remove_ip_address Should the IP address be removed. Default false.
2848	* @param string $ip_address IP address of the form submission.
2849	*
2850	* @since 0.33.0
2851	*/
2852	if ( apply_filters( 'jetpack_contact_form_forget_ip_address', false, $comment_author_ip ) ) {
2853	$comment_author_ip = null;
2854	}
2855
2856	$post_id = 0;
2857	$feedback_post = $response->save();
2858	if ( $feedback_post instanceof WP_Post ) {
2859	$post_id = $feedback_post->ID;
2860	}
2861
2862	// once insert has finished we don't need this filter any more
2863	remove_filter( 'wp_insert_post_data', array( $plugin, 'insert_feedback_filter' ), 10 );
2864
2865	update_post_meta( $post_id, '_feedback_extra_fields', $this->addslashes_deep( $extra_values ) );
2866
2867	if ( 'publish' === $feedback_status ) {
2868	Contact_Form_Plugin::recalculate_unread_count();
2869	}
2870
2871	if ( defined( 'AKISMET_VERSION' ) ) {
2872	update_post_meta( $post_id, '_feedback_akismet_values', $this->addslashes_deep( $akismet_values ) );
2873	}
2874
2875	/**
2876	* Fires after the feedback post for the contact form submission has been inserted.
2877	*
2878	* @module contact-form
2879	*
2880	* @since 8.6.0
2881	*
2882	* @param integer $post_id The post id that contains the contact form data.
2883	* @param array $this->fields An array containg the form's Contact_Form_Field objects.
2884	* @param boolean $is_spam Whether the form submission has been identified as spam.
2885	* @param array $entry_values The feedback entry values.
2886	*/
2887	do_action( 'grunion_after_feedback_post_inserted', $post_id, $this->fields, $is_spam, $entry_values );
2888
2889	// Build the complete email content via the renderer.
2890	$context_data = array(
2891	'time' => $time,
2892	'url' => $url,
2893	'comment_author' => $comment_author,
2894	'comment_author_email' => $comment_author_email,
2895	'comment_author_ip' => $comment_author_ip,
2896	'is_spam' => $is_spam,
2897	'feedback_status' => $feedback_status,
2898	);
2899	$email = Feedback_Email_Renderer::build_email_content( $post_id, $this, $response, $context_data );
2900	$message = $email['message'];
2901
2902	// Always store the rendered email for the resend endpoint.
2903	update_post_meta( $post_id, '_feedback_email', $this->addslashes_deep( compact( 'to', 'message' ) ) );
2904
2905	/**
2906	* Filter to choose whether an email should be sent after each successful contact form submission.
2907	* This filter takes precedence over the emailNotifications attribute.
2908	*
2909	* @module contact-form
2910	*
2911	* @since 2.6.0
2912	*
2913	* @param bool\|null $should_send Should an email be sent after a form submission.
2914	* - true: Send email regardless of emailNotifications setting
2915	* - false: Don't send email regardless of emailNotifications setting
2916	* - null: Use emailNotifications attribute to determine (default behavior)
2917	* @param int $post_id Post ID.
2918	*/
2919	$should_send_email = apply_filters( 'grunion_should_send_email', null, $post_id );
2920
2921	// Determine if email should be sent based on filter precedence.
2922	if ( $should_send_email === true ) {
2923	// Filter explicitly says to send email
2924	$send_email = true;
2925	} elseif ( $should_send_email === false ) {
2926	// Filter explicitly says not to send email
2927	$send_email = false;
2928	} else {
2929	// Filter is null (default), use emailNotifications attribute
2930	$send_email = ( $this->get_attribute( 'emailNotifications' ) !== 'no' );
2931	}
2932
2933	/**
2934	* Filter to determine if spam should still be emailed.
2935	*
2936	* @module contact-form
2937	*/
2938	$send_even_if_spam = apply_filters( 'grunion_still_email_spam', false );
2939
2940	// Only fire send-related side effects when we are actually going to send.
2941	$will_send = ( $is_spam !== true && $send_email ) \|\| ( true === $is_spam && $send_even_if_spam );
2942
2943	if ( $will_send ) {
2944	/**
2945	* Fires right before the contact form message is sent via email to
2946	* the recipient specified in the contact form.
2947	*
2948	* @module contact-form
2949	*
2950	* @since 1.3.1
2951	*
2952	* @param integer $post_id Post contact form lives on
2953	* @param array $all_values Contact form fields
2954	* @param array $extra_values Contact form fields not included in $all_values
2955	*/
2956	do_action( 'grunion_pre_message_sent', $post_id, $all_values, $extra_values );
2957
2958	self::wp_mail( $to, "{$spam}{$subject}", $message, $headers );
2959	}
2960
2961	// Schedule deletes of old spam feedbacks.
2962	if ( ! wp_next_scheduled( 'grunion_scheduled_delete' ) ) {
2963	wp_schedule_event( time() + 250, 'daily', 'grunion_scheduled_delete' );
2964	}
2965
2966	// Schedule deletes of old temp feedbacks.
2967	if ( ! wp_next_scheduled( 'grunion_scheduled_delete_temp' ) ) {
2968	wp_schedule_event( time() + 250, 'daily', 'grunion_scheduled_delete_temp' );
2969	}
2970
2971	/**
2972	* Fires an action hook right after the email(s) have been sent.
2973	*
2974	* @module contact-form
2975	*
2976	* @since 7.3.0
2977	*
2978	* @param int $post_id Post contact form lives on.
2979	* @param string\|array $to Array of valid email addresses, or single email address.
2980	* @param string $subject Feedback email subject.
2981	* @param string $message Feedback email message.
2982	* @param string\|array $headers Optional. Additional headers.
2983	* @param array $all_values Contact form fields.
2984	* @param array $extra_values Contact form fields not included in $all_values
2985	*/
2986	do_action( 'grunion_after_message_sent', $post_id, $to, $subject, $message, $headers, $all_values, $extra_values );
2987
2988	$refresh_args = array(
2989	'contact-form-id' => $id,
2990	'contact-form-sent' => $post_id,
2991	'contact-form-hash' => $this->hash,
2992	'_wpnonce' => wp_create_nonce( "contact-form-sent-{$post_id}" ), // wp_nonce_url HTMLencodes :( .
2993	);
2994
2995	// If the request accepts JSON, return a JSON response instead of redirecting
2996	$accepts_json = isset( $_SERVER['HTTP_ACCEPT'] ) && false !== strpos( strtolower( sanitize_text_field( wp_unslash( $_SERVER['HTTP_ACCEPT'] ) ) ), 'application/json' );
2997
2998	if ( $this->is_response_without_reload_enabled && $accepts_json ) {
2999	$data = array();
3000	if ( $response instanceof Feedback ) {
3001	$data = $response->get_compiled_fields( 'ajax', 'collection' );
3002	}
3003	wp_send_json(
3004	array(
3005	'success' => true,
3006	'data' => $data,
3007	'refreshArgs' => $refresh_args,
3008	),
3009	null, // @phan-suppress-current-line PhanTypeMismatchArgumentProbablyReal -- It takes null, but its phpdoc only says int.
3010	JSON_UNESCAPED_SLASHES
3011	);
3012	}
3013
3014	if ( defined( 'DOING_AJAX' ) && DOING_AJAX ) {
3015	return self::success_message( $post_id, $this );
3016	}
3017
3018	$redirect = $this->get_redirect_url( $refresh_args, $id, $post_id );
3019
3020	// phpcs:ignore WordPress.Security.SafeRedirect.wp_redirect_wp_redirect -- We intentially allow external redirects here.
3021	wp_redirect( $redirect );
3022	exit( 0 );
3023	}
3024
3025	/**
3026	* Check if the contact form has a custom redirect.
3027	*
3028	* @return bool True if the contact form has a custom redirect, false otherwise.
3029	*/
3030	public function has_custom_redirect() {
3031	$confirmation_type = $this->get_confirmation_type();
3032
3033	if ( ! empty( $this->get_attribute( 'customThankyouRedirect' ) ) && 'redirect' === $confirmation_type ) {
3034	return true;
3035	}
3036	/**
3037	* Filter to check if the contact form has a redirect filter.
3038	*
3039	* @module contact-form
3040	*
3041	* @since 1.9.0
3042	*
3043	* @param bool $has_redirect True if the contact form has a redirect filter, false otherwise.
3044	*/
3045	return (bool) has_filter( 'grunion_contact_form_redirect_url' );
3046	}
3047
3048	/**
3049	* Get the URL where the reader is redirected after submitting a form.
3050	*
3051	* @param array $refresh_args The arguments to be added to the redirect URL.
3052	* @param int $id Contact Form ID.
3053	* @param int $post_id Post ID.
3054	*
3055	* @return string The redirect URL.
3056	*/
3057	public function get_redirect_url( $refresh_args, $id, $post_id ) {
3058	$confirmation_type = $this->get_confirmation_type();
3059	$redirect = '';
3060	$custom_redirect = false;
3061
3062	if ( 'redirect' === $confirmation_type ) {
3063	$custom_redirect = true;
3064	$redirect = esc_url_raw( $this->get_attribute( 'customThankyouRedirect' ) );
3065	}
3066
3067	if ( ! $redirect ) {
3068	$custom_redirect = false;
3069	$redirect = wp_get_referer();
3070	}
3071
3072	if ( ! $redirect ) { // wp_get_referer() returns false if the referer is the same as the current page.
3073	$custom_redirect = false;
3074	$redirect = isset( $_SERVER['REQUEST_URI'] ) ? esc_url_raw( wp_unslash( $_SERVER['REQUEST_URI'] ) ) : '';
3075	}
3076
3077	if ( ! $custom_redirect ) {
3078	$redirect = add_query_arg(
3079	urlencode_deep( $refresh_args ),
3080	$redirect
3081	);
3082	}
3083
3084	/**
3085	* Filter the URL where the reader is redirected after submitting a form.
3086	*
3087	* @module contact-form
3088	*
3089	* @since 1.9.0
3090	*
3091	* @param string $redirect Post submission URL.
3092	* @param int $id Contact Form ID.
3093	* @param int $post_id Post ID.
3094	*/
3095	return apply_filters( 'grunion_contact_form_redirect_url', $redirect, $id, $post_id );
3096	}
3097
3098	/**
3099	* Get the permalink for the post ID that include the page query parameter if it was set.
3100	*
3101	* @param int $post_id The post ID.
3102	*
3103	* return string The permalink for the post ID.
3104	*/
3105	public static function get_permalink( $post_id ) {
3106	$url = get_permalink( $post_id );
3107	$page = isset( $_POST['page'] ) ? absint( wp_unslash( $_POST['page'] ) ) : null; // phpcs:Ignore WordPress.Security.NonceVerification.Missing
3108	if ( $page ) {
3109	return add_query_arg( 'page', $page, $url );
3110	}
3111	return $url;
3112	}
3113
3114	/**
3115	* Wrapper for wp_mail() that enables HTML messages with text alternatives
3116	*
3117	* @param string\|array $to Array or comma-separated list of email addresses to send message.
3118	* @param string $subject Email subject.
3119	* @param string $message Message contents.
3120	* @param string\|array $headers Optional. Additional headers.
3121	* @param string\|array $attachments Optional. Files to attach.
3122	*
3123	* @return bool Whether the email contents were sent successfully.
3124	*/
3125	public static function wp_mail( $to, $subject, $message, $headers = '', $attachments = array() ) {
3126	return Feedback_Email_Renderer::wp_mail( $to, $subject, $message, $headers, $attachments );
3127	}
3128
3129	/**
3130	* Add a display name part to an email address
3131	*
3132	* SpamAssassin doesn't like addresses in HTML messages that are missing display names (e.g., `foo@bar.org`
3133	* instead of `Foo Bar <foo@bar.org>`.
3134	*
3135	* @param string $address - the email address.
3136	*
3137	* @return string
3138	*/
3139	public function add_name_to_address( $address ) {
3140	// If it's just the address, without a display name
3141	if ( is_email( $address ) ) {
3142	$address_parts = explode( '@', $address );
3143
3144	/*
3145	* The email address format here is formatted in a format
3146	* that is the most likely to be accepted by wp_mail(),
3147	* without escaping.
3148	* More info: https://github.com/Automattic/jetpack/pull/19727
3149	*/
3150	$address = sprintf( '%s <%s>', $address_parts[0], $address );
3151	}
3152
3153	return $address;
3154	}
3155
3156	/**
3157	* Get the content type that should be assigned to outbound emails
3158	*
3159	* @return string
3160	*/
3161	public static function get_mail_content_type() {
3162	return Feedback_Email_Renderer::get_mail_content_type();
3163	}
3164
3165	/**
3166	* Wrap a message body with the appropriate in HTML tags
3167	*
3168	* This helps to ensure correct parsing by clients, and also helps avoid triggering spam filtering rules
3169	*
3170	* @param string $title - title of the email.
3171	* @param string $body - the message body.
3172	* @param string $footer - the footer containing meta information.
3173	* @param string $actions - HTML for actions displayed in the email.
3174	* @param array $respondent_info - Optional. Respondent information array with 'name', 'email', 'avatar'.
3175	* @param array $metadata - Optional. Metadata array with 'date', 'source', 'source_url', 'device', 'ip', 'ip_flag'.
3176	*
3177	* @return string
3178	*/
3179	public static function wrap_message_in_html_tags( $title, $body, $footer, $actions = '', $respondent_info = array(), $metadata = array() ) {
3180	return Feedback_Email_Renderer::wrap_message_in_html_tags( $title, $body, $footer, $actions, $respondent_info, $metadata );
3181	}
3182
3183	/**
3184	* Add a plain-text alternative part to an outbound email
3185	*
3186	* This makes the message more accessible to mail clients that aren't HTML-aware, and decreases the likelihood
3187	* that the message will be flagged as spam.
3188	*
3189	* @param PHPMailer $phpmailer - the phpmailer.
3190	*/
3191	public static function add_plain_text_alternative( $phpmailer ) {
3192	Feedback_Email_Renderer::add_plain_text_alternative( $phpmailer );
3193	}
3194
3195	/**
3196	* Add deepslashes.
3197	*
3198	* @param array $value - the value.
3199	* @return array The value, with slashes added.
3200	*/
3201	public function addslashes_deep( $value ) {
3202	if ( is_array( $value ) ) {
3203	return array_map( array( $this, 'addslashes_deep' ), $value );
3204	} elseif ( is_object( $value ) ) {
3205	$vars = get_object_vars( $value );
3206	foreach ( $vars as $key => $data ) {
3207	$value->{$key} = $this->addslashes_deep( $data );
3208	}
3209	return (array) $value;
3210	}
3211
3212	return addslashes( $value );
3213	}
3214
3215	/**
3216	* Get the block's classes.
3217	* This gathers both the alignment classes and the layout classes,
3218	* which go on the outermost div.
3219	*
3220	* @param array $attributes Block attributes.
3221	* @param array $extra_container_classes Extra container classes.
3222	* @return string The block's classes.
3223	*/
3224	public static function get_block_container_classes( $attributes = array(), $extra_container_classes = array() ) {
3225	// using wp-block-jetpack-contact-form-container here
3226	// confuses the layout support process, making it place the CSS classes on the container
3227	// instead of the actual block.
3228	$classes = array( 'jetpack-contact-form-container' );
3229
3230	$classes = array_merge( $classes, $extra_container_classes );
3231
3232	if ( isset( $attributes['variationName'] ) && $attributes['variationName'] === 'multistep' ) {
3233	$classes[] = 'is-multistep';
3234	}
3235
3236	$classes[] = self::get_block_alignment_class( $attributes );
3237
3238	return implode( ' ', $classes );
3239	}
3240
3241	/**
3242	* Rough implementation of Gutenberg's align-attribute-to-css-class map.
3243	* Only allowin "wide" and "full" as "center", "left" and "right" don't
3244	* make much sense for the form.
3245	*
3246	* @param array $attributes Block attributes.
3247	* @return string The CSS alignment class: alignfull \| alignwide.
3248	*/
3249	public static function get_block_alignment_class( $attributes = array() ) {
3250	$align_to_class_map = array(
3251	'wide' => 'alignwide',
3252	'full' => 'alignfull',
3253	);
3254	if ( empty( $attributes['align'] ) \|\| ! array_key_exists( $attributes['align'], $align_to_class_map ) ) {
3255	return '';
3256	}
3257	return $align_to_class_map[ $attributes['align'] ];
3258	}
3259
3260	/**
3261	* Process a file upload field.
3262	*
3263	* @param string $field_id The field ID.
3264	* @param object $field The field object.
3265	*
3266	* @return array A structured array with field_id and files array.
3267	*/
3268	public function process_file_upload_field( $field_id, $field ) {
3269	$field_id = sanitize_key( $field_id );
3270
3271	$raw_data = array();
3272	// phpcs:ignore WordPress.Security.NonceVerification.Missing
3273	if ( isset( $_POST[ $field_id ] ) ) {
3274
3275	// phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized, WordPress.Security.NonceVerification.Missing
3276	$raw_post_data = wp_unslash( $_POST[ $field_id ] );
3277	if ( is_array( $raw_post_data ) ) {
3278	$raw_data = array_map( 'sanitize_text_field', $raw_post_data );
3279	}
3280	}
3281
3282	$file_data_array = is_array( $raw_data )
3283	? array_map(
3284	function ( $json_str ) {
3285	$decoded = json_decode( $json_str, true );
3286	return array(
3287	'file_id' => isset( $decoded['file_id'] ) ? sanitize_text_field( $decoded['file_id'] ) : '',
3288	'name' => isset( $decoded['name'] ) ? sanitize_text_field( $decoded['name'] ) : '',
3289	'size' => isset( $decoded['size'] ) ? absint( $decoded['size'] ) : 0,
3290	'type' => isset( $decoded['type'] ) ? sanitize_text_field( $decoded['type'] ) : '',
3291	);
3292	},
3293	$raw_data
3294	) : array();
3295
3296	if ( empty( $file_data_array ) ) {
3297	$field->add_error( __( 'Failed to upload file.', 'jetpack-forms' ) );
3298	return array(
3299	'field_id' => $field_id,
3300	'files' => array(),
3301	);
3302	}
3303
3304	return array(
3305	'field_id' => $field_id,
3306	'files' => $file_data_array,
3307	);
3308	}
3309
3310	/**
3311	* Ensures a value is formatted as a string, taking into account file upload fields.
3312	*
3313	* @param mixed $value The value to transform.
3314	* @return mixed The transformed value.
3315	*/
3316	private static function maybe_transform_value( $value ) {
3317	if ( is_array( $value ) && isset( $value['type'] ) && $value['type'] === 'image-select' ) {
3318	return implode(
3319	', ',
3320	array_map(
3321	function ( $choice ) {
3322	$value = $choice['perceived'];
3323
3324	if ( $choice['showLabels'] && ! empty( $choice['label'] ) ) {
3325	$value .= ' - ' . $choice['label'];
3326	}
3327
3328	return $value;
3329	},
3330	$value['choices']
3331	)
3332	);
3333	}
3334
3335	// For URL fields, extract the display text value (original user input without auto-added protocol).
3336	if ( is_array( $value ) && isset( $value['type'] ) && $value['type'] === 'url' ) {
3337	// Prefer displayValue (raw input) over url (which may have https:// prepended).
3338	return isset( $value['displayValue'] ) ? $value['displayValue'] : ( isset( $value['url'] ) ? $value['url'] : '' );
3339	}
3340
3341	// For rating fields, return the displayValue (e.g., "3/5") for text fallback.
3342	if ( is_array( $value ) && isset( $value['type'] ) && $value['type'] === 'rating' ) {
3343	return isset( $value['displayValue'] ) ? $value['displayValue'] : '';
3344	}
3345
3346	// For file upload fields, we want to show the file name and size
3347	if ( is_array( $value ) && isset( $value['name'] ) && isset( $value['size'] ) ) {
3348	$file_name = $value['name'];
3349	$file_size = $value['size'];
3350	return empty( $file_size ) ? $file_name : $file_name . ' (' . $file_size . ')';
3351	}
3352
3353	return $value;
3354	}
3355
3356	/**
3357	* Helper method to get the images from an image select field.
3358	*
3359	* Returns an array of image choice objects, each containing:
3360	* - src: The image URL
3361	* - letterCode: The letter code (e.g., 'A', 'B', 'C')
3362	* - label: The choice label text (empty string if showLabels is false)
3363	*
3364	* @param array $value The value to get the images from.
3365	* @return array\|null The images with metadata, or null if not an image-select field.
3366	*/
3367	private static function get_images( $value ) {
3368	if ( is_array( $value ) && isset( $value['type'] ) && $value['type'] === 'image-select' ) {
3369	return array_map(
3370	function ( $choice ) {
3371	$letter_code = $choice['perceived'] ?? '';
3372	$label = '';
3373
3374	if ( ! empty( $choice['showLabels'] ) && ! empty( $choice['label'] ) ) {
3375	$label = $choice['label'];
3376	}
3377
3378	return array(
3379	'src' => $choice['image']['src'] ?? '',
3380	'letterCode' => $letter_code,
3381	'label' => $label,
3382	);
3383	},
3384	$value['choices']
3385	);
3386	}
3387
3388	return null;
3389	}
3390
3391	/**
3392	* Get files from a file field value if present.
3393	*
3394	* @param mixed $value The field value.
3395	*
3396	* @return array\|null Array of file data if this is a file field, null otherwise.
3397	*/
3398	private static function get_files( $value ) {
3399	if ( is_array( $value ) && isset( $value['type'] ) && $value['type'] === 'file' && ! empty( $value['files'] ) ) {
3400	return array_map(
3401	function ( $file ) {
3402	$preview_url = $file['previewUrl'] ?? null;
3403	$icon_url = $file['iconUrl'] ?? null;
3404	$has_preview = ! empty( $preview_url ) \|\| ! empty( $icon_url );
3405
3406	return array(
3407	'name' => $file['name'] ?? __( 'Attached file', 'jetpack-forms' ),
3408	'size' => $file['size'] ?? '',
3409	'url' => $file['url'] ?? '',
3410	// Preview URLs are captured from the DOM for AJAX submissions
3411	'previewUrl' => $preview_url,
3412	'iconUrl' => $icon_url,
3413	// Boolean flag for easier binding evaluation
3414	'hasPreview' => $has_preview,
3415	);
3416	},
3417	$value['files']
3418	);
3419	}
3420
3421	return null;
3422	}
3423
3424	/**
3425	* Helper method to format a raw label string for display, including kses sanitization.
3426	*
3427	* @param string\|null $raw_label The raw label input.
3428	* @return string The formatted and kses'd label string, or an empty string if raw_label is empty.
3429	*/
3430	public static function escape_and_sanitize_field_label( $raw_label ) {
3431	if ( empty( $raw_label ) ) {
3432	return ''; // kses the empty string
3433	}
3434	return wp_kses( (string) $raw_label, array() );
3435	}
3436
3437	/**
3438	* Enforce required block supports UIs for Classic themes.
3439	*
3440	* @param \WP_Theme_JSON_Data $theme_json_data Theme JSON data object.
3441	*
3442	* @return \WP_Theme_JSON_Data Updated theme JSON settings.
3443	*/
3444	public static function add_theme_json_data_for_classic_themes( $theme_json_data ) {
3445	if ( wp_is_block_theme() ) {
3446	return $theme_json_data;
3447	}
3448
3449	$data = $theme_json_data->get_data();
3450
3451	if ( ! isset( $data['settings']['blocks'] ) ) {
3452	$data['settings']['blocks'] = array();
3453	}
3454
3455	$data['settings']['blocks']['jetpack/input'] = array(
3456	'color' => array(
3457	'text' => true,
3458	'background' => false,
3459	),
3460	'border' => array(
3461	'color' => true,
3462	'radius' => true,
3463	'style' => true,
3464	'width' => true,
3465	),
3466	'typography' => array(
3467	'fontFamily' => true,
3468	'fontSize' => true,
3469	'fontStyle' => true,
3470	'fontWeight' => true,
3471	'letterSpacing' => true,
3472	'lineHeight' => true,
3473	'textDecoration' => true,
3474	'textTransform' => true,
3475	),
3476	);
3477
3478	// maybe need to add support for jetpack/phone-input
3479
3480	$data['settings']['blocks']['jetpack/options'] = array(
3481	'color' => array(
3482	'text' => true,
3483	'background' => true,
3484	),
3485	'border' => array(
3486	'color' => true,
3487	'radius' => true,
3488	'style' => true,
3489	'width' => true,
3490	),
3491	);
3492
3493	$shared_settings = array(
3494	'color' => array(
3495	'text' => true,
3496	'background' => false,
3497	),
3498	'typography' => array(
3499	'fontFamily' => true,
3500	'fontSize' => true,
3501	'fontStyle' => true,
3502	'fontWeight' => true,
3503	'letterSpacing' => true,
3504	'lineHeight' => true,
3505	'textDecoration' => true,
3506	'textTransform' => true,
3507	),
3508	);
3509	$data['settings']['blocks']['jetpack/label'] = $shared_settings;
3510	$data['settings']['blocks']['jetpack/option'] = $shared_settings;
3511
3512	$theme_json_class = get_class( $theme_json_data );
3513	return new $theme_json_class( $data, 'default' );
3514	}
3515
3516	/**
3517	* Validate the contact form fields.
3518	*
3519	* This method checks each field for errors and ensures that at least one field has a value.
3520	* If no fields have values and there are no errors, it adds an error indicating that the form is empty.
3521	*/
3522	public function validate() {
3523	$has_value = false;
3524	// Validate the form fields before processing the form.
3525	foreach ( $this->fields as $field ) {
3526	$field->validate();
3527	if ( ! $has_value && $field->has_value() ) {
3528	$has_value = true;
3529	}
3530	}
3531
3532	if ( ! $has_value && ! $this->has_errors() ) {
3533	$this->add_error( 'empty', __( 'Please fill out at least one field.', 'jetpack-forms' ) );
3534	}
3535
3536	$ref_id = $this->get_attribute( 'ref' );
3537	if ( ! empty( $ref_id ) ) {
3538	$this->validate_ref( $ref_id );
3539	}
3540	}
3541
3542	/**
3543	* Validate the form reference.
3544	*
3545	* @param int $ref The form reference ID.
3546	*/
3547	public function validate_ref( $ref ) {
3548	$form_post = get_post( $ref );
3549	if ( ! $form_post \|\| self::POST_TYPE !== $form_post->post_type ) {
3550	$this->add_error( 'invalid_ref', __( 'Invalid form reference.', 'jetpack-forms' ) );
3551	return;
3552	}
3553	if ( $form_post->post_status !== 'publish' ) {
3554	$this->add_error( 'unpublished_form', __( 'Invalid form reference.', 'jetpack-forms' ) );
3555	return;
3556	}
3557	}
3558
3559	/**
3560	* Reset the static errors for the contact form.
3561	*
3562	* @param string $id The ID of the contact form to reset errors for. If null, resets all static errors.
3563	*
3564	* This method is used to clear the static errors stored in the class.
3565	*/
3566	public static function reset_errors( $id = null ) {
3567	if ( $id && isset( self::$static_errors[ $id ] ) ) {
3568	unset( self::$static_errors[ $id ] );
3569	return;
3570	}
3571	self::$static_errors = array();
3572	}
3573
3574	/**
3575	* Add an error to the contact form.
3576	*
3577	* @param string $error_code The error code.
3578	* @param string $error_message The error message.
3579	*/
3580	public function add_error( $error_code, $error_message ) {
3581	$id = $this->get_attribute( 'id' );
3582	if ( ! isset( self::$static_errors[ $id ] ) ) {
3583	self::$static_errors[ $id ] = Form_Submission_Error::validation_error( $error_code, $error_message );
3584	} else {
3585	// If we already have errors, add this error to the existing Form_Submission_Error
3586	self::$static_errors[ $id ]->add( $error_code, $error_message );
3587	}
3588	$this->errors = self::$static_errors[ $id ];
3589	}
3590	/**
3591	* Check if the contact form has errors.
3592	*
3593	* @return bool True if the contact form has errors, false otherwise.
3594	*/
3595	public function has_errors() {
3596	$id = $this->get_attribute( 'id' );
3597	if ( ! isset( self::$static_errors[ $id ] ) ) {
3598	return false;
3599	}
3600	return is_wp_error( self::$static_errors[ $id ] ) && ! empty( self::$static_errors[ $id ]->get_error_codes() );
3601	}
3602
3603	/**
3604	* Get the error messages of the contact form.
3605	*
3606	* @return array The errors of the contact form.
3607	*/
3608	public function get_error_messages() {
3609	if ( ! $this->has_errors() ) {
3610	return array();
3611	}
3612	$id = $this->get_attribute( 'id' );
3613	return self::$static_errors[ $id ]->get_error_messages();
3614	}
3615
3616	/**
3617	* Get the confirmation type of the contact form from the deprecated customThankyou attribute.
3618	*
3619	* @return string The confirmation type of the contact form.
3620	*/
3621	public function get_confirmation_type() {
3622	// Backward compat: customThankyou 'redirect' takes precedence for old forms
3623	if ( 'redirect' === $this->get_attribute( 'customThankyou' ) ) {
3624	return 'redirect';
3625	}
3626
3627	return $this->get_attribute( 'confirmationType' );
3628	}
3629
3630	/**
3631	* Get the disable summary of the contact form from the deprecated customThankyou attribute.
3632	*
3633	* @return string The disable summary of the contact form.
3634	*/
3635	public function get_disable_summary() {
3636	$disable_summary = $this->get_attribute( 'disableSummary' );
3637	$custom_thankyou = $this->get_attribute( 'customThankyou' );
3638
3639	if ( '' === $disable_summary ) {
3640	$disable_summary = 'noSummary' === $custom_thankyou \|\| 'message' === $custom_thankyou;
3641	}
3642
3643	return $disable_summary;
3644	}
3645	}