Code Coverage for projects/packages/stats/src/class-tracking-pixel.php

	Code Coverage
	Lines			Functions and Methods				Classes and Traits
Total	93.66% covered (success)	93.66%	133 / 142	54.55% covered (warning)	54.55%	6 / 11	CRAP	0.00% covered (danger)	0.00%	0 / 1
Tracking_Pixel	93.66% covered (success)	93.66%	133 / 142	54.55% covered (warning)	54.55%	6 / 11	61.95	0.00% covered (danger)	0.00%	0 / 1
build_view_data	100.00% covered (success)	100.00%	50 / 50	100.00% covered (success)	100.00%	1 / 1	22
build_search_filters	95.45% covered (success)	95.45%	21 / 22	0.00% covered (danger)	0.00%	0 / 1	11
build_stats_details	100.00% covered (success)	100.00%	8 / 8	100.00% covered (success)	100.00%	1 / 1	1
add_low_fetchpriority	100.00% covered (success)	100.00%	3 / 3	100.00% covered (success)	100.00%	1 / 1	3
remove_stats_dns_prefetch	94.44% covered (success)	94.44%	17 / 18	0.00% covered (danger)	0.00%	0 / 1	9.01
enqueue_stats_script	95.45% covered (success)	95.45%	21 / 22	0.00% covered (danger)	0.00%	0 / 1	2
get_amp_footer	100.00% covered (success)	100.00%	7 / 7	100.00% covered (success)	100.00%	1 / 1	2
add_amp_pixel	0.00% covered (danger)	0.00%	0 / 5	0.00% covered (danger)	0.00%	0 / 1	6
add_to_footer		n/a	0 / 0		n/a	0 / 0	1
get_footer_to_add		n/a	0 / 0		n/a	0 / 0	1
render_footer		n/a	0 / 0		n/a	0 / 0	1
render_amp_footer	0.00% covered (danger)	0.00%	0 / 1	0.00% covered (danger)	0.00%	0 / 1	2
stats_array_to_string	100.00% covered (success)	100.00%	3 / 3	100.00% covered (success)	100.00%	1 / 1	1
is_amp_request	100.00% covered (success)	100.00%	3 / 3	100.00% covered (success)	100.00%	1 / 1	4

1	<?php
2	/**
3	* Stats Tracking_Pixel
4	*
5	* @package automattic/jetpack-stats
6	*/
7
8	namespace Automattic\Jetpack\Stats;
9
10	use Jetpack_Options;
11	use WP_Post;
12
13	/**
14	* Stats Tracking_Pixel class.
15	*
16	* Responsible for embedding the Stats tracking pixel.
17	*
18	* @since 0.1.0
19	*/
20	class Tracking_Pixel {
21
22	/**
23	* Array name.
24	*
25	* @var string $array_name The 'stats' array name
26	*/
27	const STATS_ARRAY_TO_STRING_FILTER = 'stats_array';
28
29	const TRACKED_UTM_PARAMETERS = array(
30	'utm_id',
31	'utm_source',
32	'utm_medium',
33	'utm_campaign',
34	'utm_term',
35	'utm_content',
36	'utm_source_platform',
37	'utm_creative_format',
38	'utm_marketing_tactic',
39	);
40
41	/**
42	* Stats Build View Data.
43	*
44	* @access public
45	* @return array
46	*/
47	public static function build_view_data() {
48	global $wp_the_query;
49
50	$blog = Jetpack_Options::get_option( 'id' );
51	$tz = get_option( 'gmt_offset' );
52	$v = 'ext';
53	$blog_url = wp_parse_url( site_url() );
54	$srv = $blog_url['host'];
55	$is_not_post = false;
56	if ( $wp_the_query->is_single \|\| $wp_the_query->is_page \|\| $wp_the_query->is_posts_page ) {
57	// Store and reset the queried_object and queried_object_id
58	// Otherwise, redirect_canonical() will redirect to home_url( '/' ) for show_on_front = page sites where home_url() is not all lowercase.
59	// Repro:
60	// 1. Set home_url = https://ExamPle.com/
61	// 2. Set show_on_front = page
62	// 3. Set page_on_front = something
63	// 4. Visit https://example.com/ !
64	$queried_object = $wp_the_query->queried_object ?? null;
65	$queried_object_id = $wp_the_query->queried_object_id ?? null;
66	try {
67	$post_obj = $wp_the_query->get_queried_object();
68	$post = $post_obj instanceof WP_Post ? $post_obj->ID : '0';
69	} finally {
70	$wp_the_query->queried_object = $queried_object;
71	$wp_the_query->queried_object_id = $queried_object_id;
72	}
73	} else {
74	$post = '0';
75	$is_not_post = true;
76	}
77	$view_data = compact( 'v', 'blog', 'post', 'tz', 'srv' );
78	// Batcache removes some of the UTM params from $_GET, we need to extract them from uri directly instead.
79	// phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized -- We're sanitizing individual params in the loop.
80	$url_query = wp_parse_url( wp_unslash( $_SERVER['REQUEST_URI'] ?? '' ), PHP_URL_QUERY );
81	parse_str( (string) $url_query, $url_params );
82	foreach ( self::TRACKED_UTM_PARAMETERS as $utm_parameter ) {
83	// phpcs:ignore WordPress.Security.NonceVerification.Recommended -- UTMs are standardized parameters coming from outside WordPress, adding nonce is not possible
84	if ( isset( $url_params[ $utm_parameter ] ) && is_scalar( $url_params[ $utm_parameter ] ) ) {
85	// phpcs:ignore WordPress.Security.NonceVerification.Recommended -- UTMs are standardized parameters coming from outside WordPress, adding nonce is not possible
86	$view_data[ $utm_parameter ] = substr( sanitize_textarea_field( wp_unslash( $url_params[ $utm_parameter ] ) ), 0, 255 );
87	}
88	}
89
90	if ( $is_not_post ) {
91	if ( $wp_the_query->is_home() ) {
92	$view_data['arch_home'] = '1';
93	} elseif ( $wp_the_query->is_search() ) {
94	$search_term = $wp_the_query->query['s'] ?? $wp_the_query->query_vars['s'] ?? '';
95	$view_data['arch_search'] = sanitize_text_field( $search_term );
96	$view_data['arch_filters'] = sanitize_text_field( self::build_search_filters( $wp_the_query ) );
97	$view_data['arch_results'] = $wp_the_query->posts ? $wp_the_query->post_count : 0;
98	} elseif ( $wp_the_query->is_archive() ) {
99	if ( $wp_the_query->is_date ) {
100	$query = $wp_the_query->query;
101	$date_parts = array_filter( array( $query['year'] ?? null, $query['monthnum'] ?? null, $query['day'] ?? null ) );
102	$date = implode( '/', $date_parts );
103	$view_data['arch_date'] = $date;
104	}
105	if ( $wp_the_query->is_category ) {
106	$view_data['arch_cat'] = $wp_the_query->query['category_name'] ?? $wp_the_query->query_vars['category_name'] ?? '';
107	}
108	if ( $wp_the_query->is_tag ) {
109	$view_data['arch_tag'] = $wp_the_query->query['tag'] ?? $wp_the_query->query_vars['tag'] ?? '';
110	}
111	if ( $wp_the_query->is_author ) {
112	$view_data['arch_author'] = $wp_the_query->query['author_name'] ?? '';
113	}
114	if ( $wp_the_query->is_tax ) {
115	$query = $wp_the_query->query;
116	if ( is_array( $query ) && count( $query ) === 1 ) {
117	$view_data[ 'arch_tax_' . array_keys( $query )[0] ] = array_values( $query )[0];
118	}
119	}
120	$view_data['arch_results'] = $wp_the_query->posts ? $wp_the_query->post_count : 0;
121	} elseif ( $wp_the_query->is_404() ) {
122	$view_data['arch_err'] = sanitize_text_field( wp_unslash( $_SERVER['REQUEST_URI'] ?? '' ) );
123	} else {
124	$view_data['arch_other'] = sanitize_text_field( wp_unslash( $_SERVER['REQUEST_URI'] ?? '' ) );
125	}
126	}
127	return $view_data;
128	}
129
130	/**
131	* Collect the tracking data for a search page.
132	*
133	* @access private
134	* @param \WP_Query $query The WP_Query object to parse all the filters from.
135	* @return string The search filters in a URL query string format.
136	*/
137	private static function build_search_filters( $query ) {
138	$data = array(
139	'posts_per_page' => $query->get( 'posts_per_page' ),
140	'paged' => ( $query->get( 'paged' ) ) ? absint( $query->get( 'paged' ) ) : 1,
141	'orderby' => $query->get( 'orderby' ),
142	'order' => $query->get( 'order' ),
143	);
144
145	if ( $query->get( 'author_name' ) ) {
146	$data['author_name'] = $query->get( 'author_name' );
147	}
148	$filters = http_build_query( $data );
149
150	$the_tax_query = $query->tax_query;
151	$terms = array();
152	if ( ! empty( $the_tax_query->queried_terms ) && is_array( $the_tax_query->queried_terms ) ) {
153	foreach ( $the_tax_query->queries as $tax_query ) {
154	if ( ! is_array( $tax_query ) \|\| ! isset( $tax_query['taxonomy'] ) ) {
155	continue;
156	}
157	$taxonomy = $tax_query['taxonomy'];
158	if ( ! isset( $terms[ $taxonomy ] ) \|\| ! is_array( $terms[ $taxonomy ] ) ) {
159	$terms[ $taxonomy ] = array();
160	}
161	$terms[ $taxonomy ] = array_merge( $terms[ $taxonomy ], $tax_query['terms'] );
162	}
163	}
164	if ( ! empty( $terms ) ) {
165	$filters .= '&terms=' . wp_json_encode( $terms, JSON_UNESCAPED_SLASHES \| JSON_HEX_TAG \| JSON_HEX_AMP );
166	}
167	return $filters;
168	}
169
170	/**
171	* Build the Stats tracking details.
172	*
173	* @since 0.6.0
174	*
175	* @access private
176	* @param array $data Array of data for the AMP pixel tracker.
177	* @return string
178	*/
179	private static function build_stats_details( $data ) {
180	$data_stats_array = self::stats_array_to_string( $data );
181
182	return sprintf(
183	'_stq = window._stq \|\| [];
184	_stq.push([ "view", %1$s ]);
185	_stq.push([ "clickTrackerInit", "%2$s", "%3$s" ]);',
186	$data_stats_array,
187	$data['blog'],
188	$data['post']
189	);
190	}
191
192	/**
193	* Add fetchpriority="low" to the Stats script attributes.
194	*
195	* Reduces network contention with resources in the critical rendering path (e.g., the LCP
196	* element image). This benefits Safari and Firefox, which don't automatically assign low
197	* priority to async/defer scripts (unlike Chrome).
198	*
199	* @since $$next-version$$
200	*
201	* @param array $attributes Script tag attributes.
202	* @return array Modified attributes.
203	*/
204	public static function add_low_fetchpriority( $attributes ) {
205	// WordPress derives the tag id from the enqueue handle as "{handle}-js", so the
206	// 'jetpack-stats' script (registered in enqueue_stats_script()) prints as
207	// 'jetpack-stats-js'. Keep this in sync if the handle is ever renamed.
208	if ( isset( $attributes['id'] ) && 'jetpack-stats-js' === $attributes['id'] ) {
209	$attributes['fetchpriority'] = 'low';
210	}
211	return $attributes;
212	}
213
214	/**
215	* Remove the dns-prefetch resource hint for stats.wp.com.
216	*
217	* WordPress automatically adds dns-prefetch hints for enqueued script hosts via
218	* wp_dependencies_unique_hosts(). Since we're deprioritizing the stats script,
219	* the dns-prefetch is counterproductive — it front-loads DNS resolution for a
220	* resource we're intentionally delaying.
221	*
222	* @since $$next-version$$
223	*
224	* @param array $urls Array of resource hint URLs.
225	* @param string $relation_type The relation type (dns-prefetch, preconnect, etc.).
226	* @return array Filtered URLs.
227	*/
228	public static function remove_stats_dns_prefetch( $urls, $relation_type ) {
229	if ( 'dns-prefetch' !== $relation_type ) {
230	return $urls;
231	}
232
233	return array_filter(
234	$urls,
235	static function ( $url ) {
236	// Resource hints can be arrays that carry the URL under an 'href' key.
237	if ( is_array( $url ) ) {
238	$candidate = ( isset( $url['href'] ) && is_string( $url['href'] ) ) ? $url['href'] : '';
239	} elseif ( is_string( $url ) ) {
240	$candidate = $url;
241	} else {
242	return true; // Unknown entry shape; leave it untouched.
243	}
244
245	// dns-prefetch entries arrive in several shapes: WordPress core emits bare
246	// hosts ('stats.wp.com') via wp_dependencies_unique_hosts(), while other
247	// filters may add scheme-relative ('//stats.wp.com') or full URLs. Normalize
248	// each to a host so we drop stats.wp.com exactly without removing look-alike
249	// hosts such as 'mystats.wp.com' or 'stats.wp.com.evil.tld'.
250	if ( str_starts_with( $candidate, '//' ) ) {
251	$host = wp_parse_url( 'https:' . $candidate, PHP_URL_HOST );
252	} elseif ( str_contains( $candidate, '://' ) ) {
253	$host = wp_parse_url( $candidate, PHP_URL_HOST );
254	} else {
255	$host = $candidate; // Bare host form, e.g. 'stats.wp.com'.
256	}
257
258	return ! is_string( $host ) \|\| 'stats.wp.com' !== strtolower( $host );
259	}
260	);
261	}
262
263	/**
264	* Enqueue the Stats pixel.
265	* Do not use this function directly, it is hooked into `wp_enqueue_scripts`.
266	*
267	* @access public
268	* @return void
269	*/
270	public static function enqueue_stats_script() {
271	if ( self::is_amp_request() ) {
272	return;
273	}
274
275	wp_enqueue_script(
276	'jetpack-stats',
277	'https://stats.wp.com/e-' . gmdate( 'YW' ) . '.js',
278	array(),
279	null, // phpcs:ignore WordPress.WP.EnqueuedResourceParameters.MissingVersion -- The version is set in the URL.
280	array(
281	'in_footer' => true,
282	'strategy' => 'defer',
283	)
284	);
285	add_filter( 'wp_script_attributes', array( static::class, 'add_low_fetchpriority' ) );
286	add_filter( 'wp_resource_hints', array( static::class, 'remove_stats_dns_prefetch' ), 100, 2 );
287
288	$data = self::build_view_data();
289
290	/**
291	* Filter the parameters added to the JavaScript stats tracking code.
292	*
293	* @module stats
294	*
295	* @since-jetpack 10.9
296	*
297	* @param array $data Array of options about the site and page you're on.
298	*/
299	$data = (array) apply_filters( 'jetpack_stats_footer_js_data', $data );
300
301	$triggers = self::build_stats_details( $data );
302	wp_add_inline_script(
303	'jetpack-stats',
304	$triggers,
305	'before'
306	);
307	}
308
309	/**
310	* Gets the stats footer for AMP output.
311	*
312	* @access private
313	* @param array $data Array of data for the AMP pixel tracker.
314	* @return string Returns the footer to add for the Stats tracker in an AMP scenario.
315	*/
316	private static function get_amp_footer( $data ) {
317	/**
318	* Filter the parameters added to the AMP pixel tracking code.
319	*
320	* @module stats
321	*
322	* @since-jetpack 10.9
323	*
324	* @param array $data Array of options about the site and page you're on.
325	*/
326	$data = (array) apply_filters( 'jetpack_stats_footer_amp_data', $data );
327
328	$data['host'] = isset( $_SERVER['HTTP_HOST'] ) ? sanitize_text_field( wp_unslash( $_SERVER['HTTP_HOST'] ) ) : ''; // input var ok.
329	$data['rand'] = 'RANDOM'; // AMP placeholder.
330	$data['ref'] = 'DOCUMENT_REFERRER'; // AMP placeholder.
331	$data = array_map( 'rawurlencode', $data );
332	$pixel_url = add_query_arg( $data, 'https://pixel.wp.com/g.gif' );
333	return '<amp-pixel src="' . esc_url( $pixel_url ) . '"></amp-pixel>';
334	}
335
336	/**
337	* Build an AMP pixel.
338	* Do not use this function directly, it is hooked into `wp_footer`.
339	*
340	* @access public
341	* @return void
342	*/
343	public static function add_amp_pixel() {
344	$data = self::build_view_data();
345	if ( ! self::is_amp_request() ) {
346	return;
347	}
348
349	$pixel = self::get_amp_footer( $data );
350	echo $pixel; // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
351	}
352
353	/**
354	* Stats Footer.
355	*
356	* @deprecated 0.6.0
357	*
358	* @access public
359	* @return void
360	*/
361	public static function add_to_footer() {
362	_deprecated_function( __METHOD__, '0.6.0' );
363	}
364
365	/**
366	* Gets the footer to add for the Stats tracker.
367	*
368	* @deprecated 0.6.0
369	*
370	* @access public
371	* @param array $data Array of data for the JS stats tracker.
372	* @return void
373	*/
374	public static function get_footer_to_add( $data ) { // phpcs:ignore VariableAnalysis.CodeAnalysis.VariableAnalysis.UnusedVariable
375	_deprecated_function( __METHOD__, '0.6.0' );
376	}
377
378	/**
379	* Render the stats footer. Kept for backward compatibility on legacy AMF views.
380	*
381	* @deprecated 0.6.0
382	*
383	* @access public
384	* @param array $data Array of data for the JS stats tracker.
385	*/
386	public static function render_footer( $data ) { // phpcs:ignore VariableAnalysis.CodeAnalysis.VariableAnalysis.UnusedVariable
387	_deprecated_function( __METHOD__, '0.6.0' );
388	}
389
390	/**
391	* Render the stats footer for AMP output. Kept for backward compatibility.
392	*
393	* @access public
394	* @param array $data Array of data for the AMP pixel tracker.
395	*/
396	public static function render_amp_footer( $data ) {
397	print self::get_amp_footer( $data ); // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
398	}
399
400	/**
401	* Creates the "array" string used as part of the JS tracker.
402	*
403	* @access private
404	* @param array $kvs Array of options about the site and page you're on.
405	* @return string
406	*/
407	private static function stats_array_to_string( $kvs ) {
408	/**
409	* Filters the options added to the JavaScript Stats tracking code.
410	*
411	* @since-jetpack 1.1.0
412	*
413	* @param array $kvs Array of options about the site and page you're on.
414	*/
415	$kvs = (array) apply_filters( self::STATS_ARRAY_TO_STRING_FILTER, $kvs );
416	$kvs = array_map( 'strval', $kvs );
417
418	// Encode into JSON object for direct use in JS.
419	return wp_json_encode( $kvs, JSON_UNESCAPED_SLASHES \| JSON_HEX_TAG \| JSON_HEX_AMP );
420	}
421
422	/**
423	* Does the page return AMP content.
424	*
425	* @return bool $is_amp_request Are we on AMP view.
426	*/
427	private static function is_amp_request() {
428	$is_amp_request = ( function_exists( 'amp_is_request' ) && amp_is_request() );
429	$is_amp_request = $is_amp_request \|\| ( function_exists( 'ampforwp_is_amp_endpoint' ) && ampforwp_is_amp_endpoint() );
430
431	/**
432	* Returns true if the current request should return valid AMP content.
433	*
434	* @since 6.2.0
435	*
436	* @param boolean $is_amp_request Is this request supposed to return valid AMP content?
437	*/
438	return apply_filters( 'jetpack_is_amp_request', $is_amp_request );
439	}
440	}