' . esc_html( $message ) . ''
);
exit;
}
/**
* Render the form (GET).
*/
private static function render_form() {
self::send_robots_header();
status_header( 200 );
nocache_headers();
$team_post_type = BW_Schema_Team_Member::get_team_post_type();
$team_members = self::get_team_member_choices( $team_post_type );
$questions = BW_Schema_Survey::survey_questions();
$intro_html = wp_kses_post( (string) get_option( BW_Schema_Survey::OPT_INTRO_HTML, BW_Schema_Survey::default_intro_html() ) );
$timing_token = self::create_timing_token();
$nonce = wp_create_nonce( self::NONCE_ACTION );
$action_url = esc_url( BW_Schema_Survey::public_url() );
ob_start();
include BW_SCHEMA_PLUGIN_DIR . 'admin/views/survey-public-form.php';
$body = ob_get_clean();
self::render_shell( esc_html__( 'Team profile survey', 'bw-ai-schema-pro' ), $body );
exit;
}
/**
* Render the "thanks" page after a successful (or honeypot-trapped) submit.
*/
private static function render_thanks() {
self::send_robots_header();
status_header( 200 );
nocache_headers();
self::render_shell(
esc_html__( 'Thanks!', 'bw-ai-schema-pro' ),
'' . esc_html__( "Thanks for sharing your info. A moderator will review your submission before anything is published.", 'bw-ai-schema-pro' ) . '
'
);
exit;
}
/**
* Render an error page and exit (used for invalid submissions, etc.).
*/
private static function render_error( $message, $http_code = 400 ) {
self::send_robots_header();
status_header( $http_code );
nocache_headers();
self::render_shell(
esc_html__( 'Submission rejected', 'bw-ai-schema-pro' ),
'' . esc_html( $message ) . '
'
);
exit;
}
/**
* Minimal HTML shell — does not load the active theme. Robots-blocked.
*/
private static function render_shell( $title, $body_html ) {
$site_name = esc_html( get_bloginfo( 'name' ) );
$css_url = esc_url( BW_SCHEMA_PLUGIN_URL . 'assets/survey-public.css?ver=' . rawurlencode( BW_SCHEMA_VERSION ) );
header( 'Content-Type: text/html; charset=' . get_bloginfo( 'charset' ) );
?>
>
<?php echo $title; // already escaped at call site ?> — <?php echo $site_name; ?>
post_type !== $tpt ) {
self::render_error( __( "We couldn't find the team member you selected.", 'bw-ai-schema-pro' ) );
}
} else {
$target_post_id = 0; // holding queue
}
// Validate + collect answers.
$questions = BW_Schema_Survey::survey_questions();
$payload = array();
$errors = array();
foreach ( $questions as $q ) {
$raw = isset( $_POST[ $q['key'] ] ) ? wp_unslash( $_POST[ $q['key'] ] ) : '';
$payload[ $q['key'] ] = self::sanitize_answer( $q, $raw );
if ( ! empty( $q['required'] ) ) {
$is_empty = is_array( $payload[ $q['key'] ] )
? empty( $payload[ $q['key'] ] )
: ( '' === trim( (string) $payload[ $q['key'] ] ) );
// "full_name" is only required for holding-queue submissions; for
// linked submissions, name is taken from the existing team CPT title.
if ( 'full_name' === $q['key'] && ! $is_holding_queue ) {
continue;
}
if ( $is_empty ) {
$errors[] = sprintf(
/* translators: %s: field label */
__( '"%s" is required.', 'bw-ai-schema-pro' ),
$q['label']
);
}
}
}
if ( ! empty( $errors ) ) {
self::render_error( implode( ' ', $errors ) );
}
// Derive submitter name from the chosen team CPT title if linked.
if ( ! $is_holding_queue && $target_post_id ) {
$submitter_name = get_the_title( $target_post_id );
} else {
$submitter_name = isset( $payload['full_name'] ) ? (string) $payload['full_name'] : '';
}
// Submitter email (separate from "public email" — used for audit / contact only).
$submitter_email = isset( $_POST['submitter_email'] ) ? sanitize_email( wp_unslash( $_POST['submitter_email'] ) ) : '';
// Store.
$id = BW_Schema_Survey_Store::insert( array(
'target_post_id' => $target_post_id ?: null,
'submitter_name' => $submitter_name,
'submitter_email' => $submitter_email ?: null,
'submitter_ip' => $ip,
'raw_payload' => $payload,
) );
if ( ! $id ) {
self::render_error( __( "We couldn't save your submission. Please try again, and contact the site owner if it keeps failing.", 'bw-ai-schema-pro' ), 500 );
}
self::record_rate_hit( $ip );
self::maybe_notify_moderator( $id, $submitter_name, $target_post_id );
self::render_thanks();
}
/* ---------------- Sanitization ---------------- */
private static function sanitize_answer( array $question, $raw ) {
switch ( $question['type'] ) {
case 'textarea':
return sanitize_textarea_field( (string) $raw );
case 'number':
if ( '' === $raw || null === $raw ) {
return '';
}
return max( 0, intval( $raw ) );
case 'email':
return sanitize_email( (string) $raw );
case 'tel':
// Allow digits, +, spaces, parens, dashes.
return preg_replace( '/[^0-9\+\-\(\)\s]/', '', (string) $raw );
case 'url':
return esc_url_raw( (string) $raw );
case 'url-list':
$lines = is_array( $raw ) ? $raw : preg_split( '/[\r\n]+/', (string) $raw );
$clean = array();
foreach ( $lines as $line ) {
$line = trim( (string) $line );
if ( '' === $line ) {
continue;
}
$url = esc_url_raw( $line );
if ( $url ) {
$clean[] = $url;
}
}
return $clean;
case 'text':
default:
return sanitize_text_field( (string) $raw );
}
}
/* ---------------- Team CPT picker data ---------------- */
private static function get_team_member_choices( $post_type ) {
if ( ! $post_type ) {
return array();
}
$posts = get_posts( array(
'post_type' => $post_type,
'post_status' => array( 'publish', 'draft', 'private' ),
'numberposts' => 200,
'orderby' => 'title',
'order' => 'ASC',
'fields' => 'ids',
'suppress_filters' => false,
) );
$out = array();
foreach ( $posts as $pid ) {
$out[] = array(
'id' => (int) $pid,
'title' => get_the_title( $pid ),
);
}
return $out;
}
/* ---------------- Rate limit ---------------- */
private static function client_ip() {
if ( ! empty( $_SERVER['REMOTE_ADDR'] ) && filter_var( $_SERVER['REMOTE_ADDR'], FILTER_VALIDATE_IP ) ) {
return (string) $_SERVER['REMOTE_ADDR'];
}
return '0.0.0.0';
}
private static function rate_key( $ip ) {
return self::RATE_LIMIT_KEY . md5( $ip );
}
private static function within_rate_limit( $ip ) {
$count = (int) get_transient( self::rate_key( $ip ) );
return $count < self::RATE_MAX;
}
private static function record_rate_hit( $ip ) {
$key = self::rate_key( $ip );
$count = (int) get_transient( $key );
$count++;
set_transient( $key, $count, HOUR_IN_SECONDS );
}
/* ---------------- Time-trap token ---------------- */
private static function create_timing_token() {
$ts = time();
$hash = self::sign_timing( $ts );
return $ts . '.' . $hash;
}
private static function verify_timing_token( $token ) {
if ( ! is_string( $token ) || strpos( $token, '.' ) === false ) {
return false;
}
list( $ts, $hash ) = array_pad( explode( '.', $token, 2 ), 2, '' );
$ts = absint( $ts );
if ( ! $ts || ! is_string( $hash ) ) {
return false;
}
if ( ! hash_equals( self::sign_timing( $ts ), $hash ) ) {
return false;
}
$elapsed = time() - $ts;
if ( $elapsed < self::TIME_TRAP_MIN ) {
return false;
}
if ( $elapsed > self::TIME_TRAP_MAX ) {
return false;
}
return true;
}
private static function sign_timing( $ts ) {
$key = wp_salt( 'auth' ) . BW_Schema_Survey::get_token();
return hash_hmac( 'sha256', (string) $ts, $key );
}
/* ---------------- Moderator notification ---------------- */
private static function maybe_notify_moderator( $response_id, $submitter_name, $target_post_id ) {
if ( ! get_option( BW_Schema_Survey::OPT_NOTIFY_ENABLED, 0 ) ) {
return;
}
$to = sanitize_email( (string) get_option( BW_Schema_Survey::OPT_NOTIFY_EMAIL, get_option( 'admin_email' ) ) );
if ( ! $to ) {
return;
}
$site = wp_specialchars_decode( get_bloginfo( 'name' ), ENT_QUOTES );
$subject = sprintf(
/* translators: %s: site name */
__( '[%s] New team-survey submission', 'bw-ai-schema-pro' ),
$site
);
$target_label = $target_post_id
? sprintf(
/* translators: %s: team member name */
__( 'Linked to: %s', 'bw-ai-schema-pro' ),
get_the_title( $target_post_id )
)
: __( 'In holding queue (new team member).', 'bw-ai-schema-pro' );
$detail_url = admin_url( 'options-general.php?page=bw-ai-schema-survey-detail&id=' . absint( $response_id ) );
$lines = array(
sprintf( __( 'A new team-survey response was submitted by %s.', 'bw-ai-schema-pro' ), $submitter_name ),
$target_label,
'',
__( 'Review:', 'bw-ai-schema-pro' ) . ' ' . $detail_url,
);
wp_mail( $to, $subject, implode( "\n", $lines ) );
}
}