// phpcs:disable Generic.Commenting.DocComment.MissingShort
/** @noinspection PhpIllegalPsrClassPathInspection */
/** @noinspection AutoloadingIssuesInspection */
// phpcs:enable Generic.Commenting.DocComment.MissingShort
// phpcs:ignore WPForms.PHP.UseStatement.UnusedUseStatement
use WPForms\Emails\Mailer;
use WPForms\Emails\Notifications;
* Process and validate form entries.
public $confirmation_message;
* Store formatted fields.
* Store the ID of a successful entry.
* Form data and settings.
* If a valid return has been processed.
public $valid_hash = false;
* @var mixed|Mailer|WPForms_WP_Emails|null
* Primary class constructor.
public function __construct() {
private function hooks() {
add_action( 'wp', [ $this, 'listen' ] );
add_action( 'wp_ajax_wpforms_submit', [ $this, 'ajax_submit' ] );
add_action( 'wp_ajax_nopriv_wpforms_submit', [ $this, 'ajax_submit' ] );
add_filter( 'wpforms_ajax_submit_redirect', [ $this, 'maybe_open_in_new_tab' ] );
add_filter( 'wpforms_smarttags_process_value', [ Notifications::class, 'filter_smarttags_process_value' ], PHP_INT_MAX, 6 );
* Listen to see if this is a return callback or a posted form entry.
public function listen() {
// Catch the post_max_size overflow.
if ( $this->post_max_size_overflow() ) {
// phpcs:disable WordPress.Security.NonceVerification
if ( ! empty( $_GET['wpforms_return'] ) ) {
// Additional redirect trigger for addons.
$this->entry_confirmation_redirect( '', sanitize_text_field( wp_unslash( $_GET['wpforms_return'] ) ) );
$form_id = ! empty( $_POST['wpforms']['id'] ) ? absint( $_POST['wpforms']['id'] ) : 0;
// phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
$this->process( wp_unslash( $_POST['wpforms'] ) );
// phpcs:enable WordPress.Security.NonceVerification
* Runs right after the processing form entry.
* @param array $fields Entry fields data.
* @param array $entry_id Entry ID.
* @param array $form_data Form data.
do_action( 'wpforms_process_after', $this->fields, $this->entry_id, $this->form_data );
if ( ! wpforms_is_amp() ) {
// Send 400 Bad Request when there are errors.
if ( empty( $this->errors[ $form_id ] ) ) {
$this->entry_confirmation_redirect( $this->form_data );
'message' => $this->get_confirmation_message( $this->form_data, $this->fields, $this->entry_id ),
$message_parts = [ $this->errors[ $form_id ]['header'] ];
if ( ! empty( $this->errors[ $form_id ]['recaptcha'] ) ) {
$message_parts[] = $this->errors[ $form_id ]['recaptcha'];
if ( ! empty( $this->errors[ $form_id ]['footer'] ) ) {
$message_parts[] = $this->errors[ $form_id ]['footer'];
'message' => implode( '<br>', $message_parts ),
* Process the form entry.
* @since 1.6.4 Added hCaptcha support.
* @param array $entry Form submission raw data ($_POST).
* @noinspection HtmlUnknownTarget
public function process( $entry ) { // phpcs:ignore Generic.Metrics.CyclomaticComplexity.MaxExceeded, Generic.Metrics.NestingLevel.MaxExceeded
/* @var int $form_id Annotate the type explicitly. */
$form_id = absint( $entry['id'] );
$form = wpforms()->obj( 'form' )->get( $form_id );
// Validate form is real and active (published).
if ( ! $form || $form->post_status !== 'publish' ) {
$this->errors[ $form_id ]['header'] = esc_html__( 'Invalid form.', 'wpforms-lite' );
* Filter form data obtained during the form process.
* @param array $form_data Form data.
* @param array $entry Form entry.
$this->form_data = (array) apply_filters( 'wpforms_process_before_form_data', wpforms_decode( $form->post_content ), $entry );
if ( ! empty( $this->form_data['settings']['ajax_submit'] ) && ! $this->is_valid_ajax_submit_action() ) {
'Attempt to submit corrupted post data.',
'type' => [ 'error', 'entry' ],
'form_id' => $this->form_data['id'],
$this->errors[ $form_id ]['header'] = esc_html__( 'Attempt to submit corrupted post data.', 'wpforms-lite' );
$store_spam_entries = ! empty( $this->form_data['settings']['store_spam_entries'] );
* Check the modern Anti-Spam (v3) protection.
* Run as early as possible to remove the honeypot field from the entry to prevent unnecessary field processing.
* Bail early if the form is marked as spam and storing spam entries is disabled.
* Important! We should check first on modern Anti-Spam because it is skipped in case $store_spam_entries === true.
// phpcs:ignore Generic.Commenting.DocComment.MissingShort
/** @noinspection NotOptimalIfConditionsInspection */
if ( ! $this->modern_anti_spam_check( $entry ) && ! $store_spam_entries ) {
if ( ! isset( $this->form_data['fields'], $this->form_data['id'] ) ) {
$error_id = uniqid( '', true );
// Logs missing form data.
/* translators: %s - error unique ID. */
sprintf( esc_html__( 'Missing form data on form submission process %s', 'wpforms-lite' ), $error_id ),
esc_html__( 'Form data is not an array in `\WPForms_Process::process()`. It might be caused by incorrect data returned by `wpforms_process_before_form_data` filter. Verify whether you have a custom code using this filter and debug value it is returning.', 'wpforms-lite' ),
'type' => [ 'error', 'entry' ],
$error_messages[] = esc_html__( 'Your form has not been submitted because data is missing from the entry.', 'wpforms-lite' );
if ( wpforms_setting( 'logs-enable' ) && wpforms_current_user_can( wpforms_get_capability_manage_options() ) ) {
$error_messages[] = sprintf(
wp_kses( /* translators: %s - URL to the WForms Logs admin page. */
__( 'Check the WPForms » Tools » <a href="%s">Logs</a> for more details.', 'wpforms-lite' ),
[ 'a' => [ 'href' => [] ] ]
'page' => 'wpforms-tool',
/* translators: %s - error unique ID. */
$error_messages[] = sprintf( esc_html__( 'Error ID: %s.', 'wpforms-lite' ), $error_id );
$errors[ $form_id ]['header'] = implode( '<br>', $error_messages );
* Filter form entry before processing.
* Data are not validated or cleaned yet, so use them with caution.
* @param array $entry Form submission raw data ($_POST).
* @param array $form_data Form data.
$entry = apply_filters( 'wpforms_process_before_filter', $entry, $this->form_data );
* @param array $entry Form submission raw data ($_POST).
* @param array $form_data Form data.
do_action( 'wpforms_process_before', $entry, $this->form_data );
* Pre-process hook by form ID.
* @param array $entry Form submission raw data ($_POST).
* @param array $form_data Form data.
do_action( "wpforms_process_before_{$form_id}", $entry, $this->form_data );
foreach ( $this->form_data['fields'] as $field_properties ) {
$field_id = $field_properties['id'];
$field_type = $field_properties['type'];
$field_submit = $entry['fields'][ $field_id ] ?? '';
* Field type validation hook.
* @param string|int $field_id Field ID as a numeric string.
* @param mixed $field_submit Submitted field value (raw data).
* @param array $form_data Form data.
do_action( "wpforms_process_validate_{$field_type}", $field_id, $field_submit, $this->form_data );
// Check if combined upload size exceeds allowed maximum.
$this->validate_combined_upload_size( $form );
* Don't proceed if there are any errors thus far.
* We provide a filter so that other features, such as conditional logic, can adjust blocking errors.
* @param array $errors List of errors.
* @param array $form_data Form data.
$errors = apply_filters( 'wpforms_process_initial_errors', $this->errors, $this->form_data );
if ( isset( $_POST['__amp_form_verify'] ) ) { // phpcs:ignore WordPress.Security.NonceVerification.Missing
if ( empty( $errors[ $form_id ] ) ) {
foreach ( $errors[ $form_id ] as $field_id => $error_fields ) {
$field = $this->form_data['fields'][ $field_id ];
$field_properties = wpforms()->obj( 'frontend' )->get_field_properties( $field, $this->form_data );
if ( is_string( $error_fields ) ) {
if ( $field['type'] === 'checkbox' || $field['type'] === 'radio' || $field['type'] === 'select' ) {
$first = current( $field_properties['inputs'] );
$name = $first['attr']['name'];
} elseif ( isset( $field_properties['inputs']['primary']['attr']['name'] ) ) {
$name = $field_properties['inputs']['primary']['attr']['name'];
'message' => $error_fields,
foreach ( $error_fields as $error_field => $error_message ) {
$name = $field_properties['inputs'][ $error_field ]['attr']['name'] ?? '';
'message' => $error_message,
'verifyErrors' => $verify_errors,
if ( ! empty( $errors[ $form_id ] ) ) {
if ( empty( $errors[ $form_id ]['header'] ) && empty( $errors[ $form_id ]['footer'] ) ) {
$errors[ $form_id ]['header'] = esc_html__( 'Form has not been submitted, please see the errors below.', 'wpforms-lite' );
// If a logged-in user fails the nonce check, we want to log the entry, disable the errors and fail silently.
// Please note that logs may be disabled, and in this case, nothing will be logged or reported.
( empty( $entry['nonce'] ) || ! wp_verify_nonce( $entry['nonce'], "wpforms::form_{$form_id}" ) )
// Logs XSS attempt depending on log levels set.
'Cross-site scripting attempt ' . uniqid( '', true ),
'type' => [ 'security' ],
'form_id' => $this->form_data['id'],
$this->errors[ $this->form_data['id'] ]['footer_styled'] = esc_html__( 'The form could not be submitted due to a security issue.', 'wpforms-lite' );
foreach ( (array) $this->form_data['fields'] as $field_properties ) {
$field_id = $field_properties['id'];
$field_type = $field_properties['type'];
$field_submit = $entry['fields'][ $field_id ] ?? '';
* @param string $field_id Field ID.
* @param string $field_submit Submitted field value.
* @param array $form_data Form data and settings.
do_action( "wpforms_process_format_{$field_type}", $field_id, $field_submit, $this->form_data );
$honeypot = wpforms()->obj( 'honeypot' )->validate( $this->form_data, $this->fields, $entry );
// If we trigger the honey pot, we want to log the entry, disable the errors, and fail silently.
$this->log_spam_entry( $entry, $honeypot );
$token = wpforms()->obj( 'token' )->validate( $this->form_data, $this->fields, $entry );
// If spam - return early.
// For antispam, we want to make sure that we have a value, we are not using AMP, and the value is an error string.
if ( $token && is_string( $token ) && ! wpforms_is_amp() ) {
$this->errors[ $this->form_data['id'] ]['header'] = $token;
$this->log_spam_entry( $entry, $token );
It is recommended that you Edit text format, this type of Fix handles quite a lot in one request
