Antispam improvements

_typos.toml

@@ -14,6 +14,10 @@ check-file = false
 extend-glob = ["*.xml"]
 check-file = false
 
+[type.txt]
+extend-glob = ["denylist/*.txt"]
+check-file = false
+
 [default]
 extend-ignore-re = [
     "/mis'",

classes/controllers/FrmAntiSpamController.php

@@ -0,0 +1,128 @@
+<?php
+/**
+ * Anti-spam controller
+ *
+ * @package Formidable
+ * @since x.x
+ */
+
+if ( ! defined( 'ABSPATH' ) ) {
+	die( 'You are not allowed to call this page directly.' );
+}
+
+class FrmAntiSpamController {
+
+	/**
+	 * Checks if given entry values is spam.
+	 *
+	 * @param array $values Entry values.
+	 *
+	 * @return bool|string Return spam message if is spam or `false` if is not spam.
+	 */
+	public static function is_spam( $values ) {
+		$methods = array(
+			'contains_wp_disallowed_words',
+			'is_denylist_spam',
+			'is_stopforumspam_spam',
+			'is_wp_comment_spam',
+		);
+
+		foreach ( $methods as $method ) {
+			if ( ! is_callable( array( __CLASS__, $method ) ) ) {
+				continue;
+			}
+
+			$is_spam = call_user_func( array( __CLASS__, $method ), $values );
+			if ( $is_spam ) {
+				return $is_spam;
+			}
+		}
+
+		return false;
+	}
+
+	/**
+	 * Checks spam using stopforumspam API.
+	 *
+	 * @param array $values Entry values.
+	 *
+	 * @return bool|string Return spam message if is spam or `false` if is not spam.
+	 */
+	private static function is_stopforumspam_spam( $values ) {
+		$spam_check = new FrmSpamCheckStopForumSpam( $values );
+		return $spam_check->is_spam();
+	}
+
+	/**
+	 * Checks spam using WordPress spam comments.
+	 *
+	 * @param array $values Entry values.
+	 *
+	 * @return bool|string Return spam message if is spam or `false` if is not spam.
+	 */
+	private static function is_wp_comment_spam( $values ) {
+		$spam_check = new FrmSpamCheckUseWPComments( $values );
+		return $spam_check->is_spam();
+	}
+
+	/**
+	 * Checks spam using WordPress disallowed words.
+	 *
+	 * @param array $values Entry values.
+	 *
+	 * @return bool|string Return spam message if is spam or `false` if is not spam.
+	 */
+	public static function contains_wp_disallowed_words( $values ) {
+		$spam_check = new FrmSpamCheckWPDisallowedWords( $values );
+		return $spam_check->is_spam();
+	}
+
+	/**
+	 * Checks spam using denylist.
+	 *
+	 * @param array $values Entry values.
+	 *
+	 * @return bool|string Return spam message if is spam or `false` if is not spam.
+	 */
+	public static function is_denylist_spam( $values ) {
+		$spam_check = new FrmSpamCheckDenylist( $values );
+		return $spam_check->is_spam();
+	}
+
+	/**
+	 * Gets spam message.
+	 *
+	 * @return string
+	 */
+	public static function get_default_spam_message() {
+		return __( 'Your entry appears to be spam!', 'formidable' );
+	}
+
+	/**
+	 * Extracts email addresses from values.
+	 *
+	 * @param array $values Values to check.
+	 * @return string[]
+	 */
+	public static function extract_emails_from_values( $values ) {
+		$values = FrmAppHelper::maybe_json_encode( $values );
+		preg_match_all( '/[\._a-zA-Z0-9-]+@[\._a-zA-Z0-9-]+/i', $values, $matches );
+		return $matches[0];
+	}
+
+	/**
+	 * Gets allowed IP addresses.
+	 *
+	 * @return string[]
+	 */
+	public static function get_allowed_ips() {
+		/**
+		 * Filter the allowed IP addresses.
+		 *
+		 * @since x.x
+		 *
+		 * @params string[] $allowed_ips Allowed IP addresses.
+		 */
+		return apply_filters( 'frm_allowed_ips', array( '', '127.0.0.1', '::1' ) );
+	}
+}

classes/controllers/FrmFormsController.php

@@ -1543,7 +1543,7 @@ public static function render_spam_settings( $values ) {
 		if ( function_exists( 'akismet_http_post' ) ) {
 			include FrmAppHelper::plugin_path() . '/classes/views/frm-forms/spam-settings/akismet.php';
 		}
-		include FrmAppHelper::plugin_path() . '/classes/views/frm-forms/spam-settings/honeypot.php';
+		include FrmAppHelper::plugin_path() . '/classes/views/frm-forms/spam-settings/stopforumspam.php';
 		include FrmAppHelper::plugin_path() . '/classes/views/frm-forms/spam-settings/antispam.php';
 	}
 
@@ -3222,6 +3222,10 @@ public static function footer_js( $location = 'footer' ) {
 			// load formidable js
 			wp_enqueue_script( 'formidable' );
 		}
+
+		if ( ! FrmAppHelper::is_admin() ) {
+			FrmHoneypot::maybe_print_honeypot_js();
+		}
 	}
 
 	/**

classes/controllers/FrmSettingsController.php

@@ -78,7 +78,7 @@ private static function get_settings_tabs() {
 			'captcha'       => array(
 				'class'    => __CLASS__,
 				'function' => 'captcha_settings',
-				'name'     => __( 'Captcha', 'formidable' ),
+				'name'     => __( 'Captcha/Spam', 'formidable' ),
 				'icon'     => 'frm_icon_font frm_shield_check_icon',
 			),
 			'white_label'   => array(

classes/helpers/FrmAppHelper.php

@@ -2528,10 +2528,12 @@ private static function maybe_clear_long_key( $key, $column ) {
 	}
 
 	/**
+	 * @since x.x This is changed from `private` to `public`.
+	 *
 	 * @param int $num_chars
 	 * @return string
 	 */
-	private static function generate_new_key( $num_chars ) {
+	public static function generate_new_key( $num_chars ) {
 		$max_slug_value = pow( 36, $num_chars );
 
 		// We want to have at least 2 characters in the slug.

classes/helpers/FrmFormsHelper.php

@@ -394,7 +394,7 @@ public static function get_default_opts() {
 			'success_msg'      => $frm_settings->success_msg,
 			'show_form'        => 0,
 			'akismet'          => '',
-			'honeypot'         => 'basic',
+			'stopforumspam'    => 0,
 			'antispam'         => 0,
 			'no_save'          => 0,
 			'ajax_load'        => 0,
@@ -1862,6 +1862,36 @@ public static function should_block_preview( $form_key ) {
 		return $should_block;
 	}
 
+	/**
+	 * Checks if the form is loaded by API.
+	 *
+	 * @since x.x
+	 *
+	 * @return bool
+	 */
+	public static function form_is_loaded_by_api() {
+		if ( ! class_exists( 'FrmAPIAppController' ) ) {
+			return false;
+		}
+
+		$url = FrmAppHelper::get_server_value( 'REQUEST_URI' );
+		if ( 0 === strpos( $url, '/wp-json/frm/v2/forms/' ) ) {
+			// Prevent the honeypot from appearing for an API loaded form.
+			// This is to prevent conflicts where the script is not working.
+			return true;
+		}
+
+		if ( is_callable( 'FrmProFormState::get_from_request' ) ) {
+			$api = FrmProFormState::get_from_request( 'a', 0 );
+
+			if ( $api ) {
+				return true;
+			}
+		}
+
+		return false;
+	}
+
 	/**
 	 * @since 3.0
 	 * @deprecated 6.11

classes/models/FrmEntryValidate.php

@@ -415,7 +415,7 @@ private static function create_regular_expression_from_format( $pattern ) {
 	}
 
 	/**
-	 * Check for spam
+	 * Check for spam.
 	 *
 	 * @param bool  $exclude
 	 * @param array $values
@@ -428,12 +428,16 @@ public static function spam_check( $exclude, $values, &$errors ) {
 		}
 
 		$antispam_check = self::is_antispam_check( $values['form_id'] );
+		$spam_msg       = FrmAntiSpamController::get_default_spam_message();
 		if ( is_string( $antispam_check ) ) {
 			$errors['spam'] = $antispam_check;
 		} elseif ( self::is_honeypot_spam( $values ) || self::is_spam_bot() ) {
-			$errors['spam'] = __( 'Your entry appears to be spam!', 'formidable' );
-		} elseif ( self::blacklist_check( $values ) ) {
-			$errors['spam'] = __( 'Your entry appears to be blocked spam!', 'formidable' );
+			$errors['spam'] = $spam_msg;
+		} else {
+			$is_spam = FrmAntiSpamController::is_spam( $values );
+			if ( $is_spam ) {
+				$errors['spam'] = $is_spam;
+			}
 		}
 
 		if ( isset( $errors['spam'] ) || self::form_is_in_progress( $values ) ) {
@@ -507,52 +511,15 @@ private static function is_akismet_enabled_for_user( $form_id ) {
 		return ( ! empty( $form->options['akismet'] ) && ( $form->options['akismet'] !== 'logged' || ! is_user_logged_in() ) );
 	}
 
-	public static function blacklist_check( $values ) {
-		if ( ! apply_filters( 'frm_check_blacklist', true, $values ) ) {
-			return false;
-		}
-
-		$mod_keys = trim( self::get_disallowed_words() );
-		if ( empty( $mod_keys ) ) {
-			return false;
-		}
-
-		$content = FrmEntriesHelper::entry_array_to_string( $values );
-
-		self::prepare_values_for_spam_check( $values );
-		$ip         = FrmAppHelper::get_ip_address();
-		$user_agent = FrmAppHelper::get_server_value( 'HTTP_USER_AGENT' );
-		$user_info  = self::get_spam_check_user_info( $values );
-
-		return self::check_disallowed_words( $user_info['comment_author'], $user_info['comment_author_email'], $user_info['comment_author_url'], $content, $ip, $user_agent );
-	}
-
 	/**
-	 * For WP 5.5 compatibility.
+	 * Checks spam using WordPress disallowed words and Frm denylist.
 	 *
-	 * @since 4.06.02
-	 */
-	private static function check_disallowed_words( $author, $email, $url, $content, $ip, $user_agent ) {
-		if ( function_exists( 'wp_check_comment_disallowed_list' ) ) {
-			return wp_check_comment_disallowed_list( $author, $email, $url, $content, $ip, $user_agent );
-		}
-		// phpcs:ignore WordPress.WP.DeprecatedFunctions.wp_blacklist_checkFound
-		return wp_blacklist_check( $author, $email, $url, $content, $ip, $user_agent );
-	}
-
-	/**
-	 * For WP 5.5 compatibility.
+	 * @param array $values Entry values.
 	 *
-	 * @since 4.06.02
+	 * @return bool
 	 */
-	private static function get_disallowed_words() {
-		$keys = get_option( 'disallowed_keys' );
-		if ( false === $keys ) {
-			// Fallback for WP < 5.5.
-			// phpcs:ignore WordPress.WP.DeprecatedParameterValues.Found
-			$keys = get_option( 'blacklist_keys' );
-		}
-		return $keys;
+	public static function blacklist_check( $values ) {
+		return FrmAntiSpamController::contains_wp_disallowed_words( $values ) || FrmAntiSpamController::is_denylist_spam( $values );
 	}
 
 	/**
@@ -625,11 +592,12 @@ private static function add_user_info_to_akismet( &$datas, $values ) {
 	 * Gets user info for Akismet spam check.
 	 *
 	 * @since 5.0.13 Separate code for guest. Handle value of embedded|repeater.
+	 * @since x.x This changed from private to public.
 	 *
 	 * @param array $values Entry values after running through {@see FrmEntryValidate::prepare_values_for_spam_check()}.
 	 * @return array
 	 */
-	private static function get_spam_check_user_info( $values ) {
+	public static function get_spam_check_user_info( $values ) {
 		if ( ! is_user_logged_in() ) {
 			return self::get_spam_check_user_info_for_guest( $values );
 		}
@@ -924,10 +892,11 @@ private static function get_akismet_skipped_field_ids( $values ) {
 	 * Prepares values array for spam check.
 	 *
 	 * @since 5.0.13
+	 * @since x.x This changed from private to public.
 	 *
 	 * @param array $values Entry values.
 	 */
-	private static function prepare_values_for_spam_check( &$values ) {
+	public static function prepare_values_for_spam_check( &$values ) {
 		$form_ids           = self::get_all_form_ids_and_flatten_meta( $values );
 		$values['form_ids'] = $form_ids;
 	}