when a token is configured. * * The Search Console field is paste-tolerant: the admin can paste the full * tag, just the verification token, or a verification-file URL — * the sanitizer extracts the bare ID either way. * * Group: `frontend` (alongside Favicon, Menu Visibility — modules that * inject markup on the public-facing site). * * @package BW_Dev */ class BW_Dev_Module_Analytics implements BW_Dev_Module_Interface { public function slug(): string { return 'analytics'; } public function label(): string { return __( 'Analytics', 'bw-dev' ); } public function group(): string { return 'frontend'; } public function default_settings(): array { return array( // GTM emission is keyed off `gtm_id`: non-empty -> emit, empty -> skip. // No separate toggle. To pause GTM, clear the ID (or disable the // whole Analytics module on the Modules tab). 'gtm_id' => '', 'search_console_id' => '', ); } public function sanitize( array $data ): array { $out = $this->default_settings(); $raw_gtm = isset( $data['gtm_id'] ) ? trim( wp_unslash( (string) $data['gtm_id'] ) ) : ''; $out['gtm_id'] = (string) preg_replace( '/[^A-Za-z0-9_-]/', '', $raw_gtm ); $raw_sc = isset( $data['search_console_id'] ) ? wp_unslash( (string) $data['search_console_id'] ) : ''; $out['search_console_id'] = $this->extract_search_console_id( (string) $raw_sc ); return $out; } public function register(): void { add_action( 'wp_head', array( $this, 'output_head' ), 1 ); add_action( 'wp_body_open', array( $this, 'output_body' ), 1 ); } public function uninstall(): void { // Root option drop in uninstall.php handles persisted state. } // ------------------------------------------------------------------- // Frontend output // ------------------------------------------------------------------- public function output_head(): void { $settings = $this->get_settings(); $gtm = (string) $settings['gtm_id']; if ( '' !== $gtm ) { echo "\n\n"; echo "\n"; echo "\n"; } if ( '' !== (string) $settings['search_console_id'] ) { printf( '' . "\n", esc_attr( (string) $settings['search_console_id'] ) ); } } public function output_body(): void { $settings = $this->get_settings(); $gtm = (string) $settings['gtm_id']; if ( '' === $gtm ) { return; } echo "\n\n"; echo '' . "\n"; echo "\n"; } // ------------------------------------------------------------------- // Helpers // ------------------------------------------------------------------- private function get_settings(): array { $saved = (array) bw_dev()->settings()->get( $this->slug(), null, array() ); return wp_parse_args( $saved, $this->default_settings() ); } /** * Tolerant Search Console token extractor. Accepts: * - the full tag * - just the bare verification token * - a verification-file URL or filename (e.g. "google1234abcd.html") * * Returns the cleanest possible token, stripped of unsafe characters. */ private function extract_search_console_id( string $raw ): string { $raw = trim( $raw ); if ( '' === $raw ) { return ''; } // 1. Full meta tag (single or double quotes). if ( preg_match( '/content\s*=\s*["\']([^"\']+)["\']/i', $raw, $m ) ) { return (string) preg_replace( '/[^A-Za-z0-9_=\\-]/', '', $m[1] ); } // 2. URL or bare filename ending in .html — the verification-file // method. Strip any path + extension, leave the base name. $leaf = basename( $raw ); if ( preg_match( '/^([A-Za-z0-9_=\\-]+)\.html?$/i', $leaf, $m ) ) { return $m[1]; } // 3. Raw token — sanitize down to the allowed char set. return (string) preg_replace( '/[^A-Za-z0-9_=\\-]/', '', $raw ); } // ------------------------------------------------------------------- // Settings tab // ------------------------------------------------------------------- public function render_tab(): void { $settings = $this->get_settings(); $name_prefix = BW_Dev_Settings::OPTION . '[' . $this->slug() . ']'; ?>