From 9f87cdb59b68a43bc57f6befe80b57bd90a525a0 Mon Sep 17 00:00:00 2001
From: Brandon Kraft
Date: Wed, 18 Sep 2024 09:02:03 -0500
Subject: [PATCH] Contact Form: add filter to exclude IP address from db/email (#39395)

* Contact Form: add filter to exclude IP address from db/email
---
.../changelog/add-no-save-ip-contact-form | 4 ++
.../src/contact-form/class-contact-form.php | 39 +++++++++++++++----
.../contact-form/test-class.contact-form.php | 23 +++++++++++
3 files changed, 58 insertions(+), 8 deletions(-)
create mode 100644 projects/packages/forms/changelog/add-no-save-ip-contact-form

diff --git a/projects/packages/forms/changelog/add-no-save-ip-contact-form b/projects/packages/forms/changelog/add-no-save-ip-contact-form
new file mode 100644
index 0000000000000..37263ad533cdd
--- /dev/null
+++ b/projects/packages/forms/changelog/add-no-save-ip-contact-form
@@ -0,0 +1,4 @@
+Significance: minor
+Type: added
+
+New filter to allow for excluding the contact form submission IP from being saved or e-mailed.
diff --git a/projects/packages/forms/src/contact-form/class-contact-form.php b/projects/packages/forms/src/contact-form/class-contact-form.php
index 9b561f2dbb576..df4123466c4df 100644
--- a/projects/packages/forms/src/contact-form/class-contact-form.php
+++ b/projects/packages/forms/src/contact-form/class-contact-form.php
@@ -1160,9 +1160,9 @@ public function process_submission() { $contact_form_subject = trim( $contact_form_subject ); - $comment_author_IP = Contact_Form_Plugin::get_ip_address(); // phpcs:ignore WordPress.NamingConventions.ValidVariableName.VariableNotSnakeCase + $comment_author_ip = Contact_Form_Plugin::get_ip_address(); - $vars = array( 'comment_author', 'comment_author_email', 'comment_author_url', 'contact_form_subject', 'comment_author_IP' ); + $vars = array( 'comment_author', 'comment_author_email', 'comment_author_url', 'contact_form_subject', 'comment_author_ip' ); foreach ( $vars as $var ) { $$var = str_replace( array( "\n", "\r" ), '', (string) $$var ); } @@ -1363,6 +1363,25 @@ public function process_submission() { */ add_filter( 'wp_insert_post_data', array( $plugin, 'insert_feedback_filter' ), 10, 2 ); + /** + * Allows site owners to not include IP addresses in the saved form response. + * + * The IP address is still used as part of spam filtering, if enabled, but it is removed when this filter + * is set to true before saving to the database and e-mailing the form recipients. + + * @module contact-form + * + * @param bool $remove_ip_address Should the IP address be removed. Default false. + * @param string $ip_address IP address of the form submission. + * + * @since $$next-version$$ + */ + if ( apply_filters( 'jetpack_contact_form_forget_ip_address', false, $comment_author_ip ) ) { + $comment_author_ip = null; + } + + $comment_ip_text = $comment_author_ip ? "IP: {$comment_author_ip}\n" : null; + $post_id = wp_insert_post( array( 'post_date' => addslashes( $feedback_time ), 
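Review bot: The docblock promises the address is removed "before saving to the database", but nulling `$comment_author_ip` here only covers values built from that variable after this point in process_submission(), whose body starts and ends outside the hunk. The spam-filtering step the docblock mentions runs earlier and is not visible here; if its payload or `$all_values` is persisted with the feedback post, the IP would still be stored, so that path should be checked and brought under the same filter. Code that reads the stored post_content back should also be confirmed to tolerate a missing `IP:` line now that `$comment_ip_text` can be null. As a smaller point, the empty added line before `@module contact-form` lacks the leading ` *` and should read ` *` so the comment block stays well-formed.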
@@ -1371,7 +1390,7 @@ public function process_submission() { 'post_parent' => $post ? (int) $post->ID : 0, 'post_title' => addslashes( wp_kses( $feedback_title, array() ) ), // phpcs:ignore WordPress.NamingConventions.ValidVariableName.InterpolatedVariableNotSnakeCase, WordPress.PHP.NoSilencedErrors.Discouraged, WordPress.PHP.DevelopmentFunctions.error_log_print_r - 'post_content' => addslashes( wp_kses( "$comment_content\n\nAUTHOR: {$comment_author}\nAUTHOR EMAIL: {$comment_author_email}\nAUTHOR URL: {$comment_author_url}\nSUBJECT: {$subject}\nIP: {$comment_author_IP}\nJSON_DATA\n" . @wp_json_encode( $all_values, true ), array() ) ), // so that search will pick up this data + 'post_content' => addslashes( wp_kses( "$comment_content\n\nAUTHOR: {$comment_author}\nAUTHOR EMAIL: {$comment_author_email}\nAUTHOR URL: {$comment_author_url}\nSUBJECT: {$subject}\n{$comment_ip_text}JSON_DATA\n" . @wp_json_encode( $all_values, true ), array() ) ), // so that search will pick up this data 'post_name' => $feedback_id, ) ); @@ -1432,11 +1451,15 @@ public function process_submission() { esc_html__( 'Time: %1$s', 'jetpack-forms' ), $time ); - $footer_ip = sprintf( + $footer_ip = null; + if ( $comment_author_ip ) { + $footer_ip = sprintf( /* translators: Placeholder is the IP address of the person who submitted a form. */ - esc_html__( 'IP Address: %1$s', 'jetpack-forms' ), - $comment_author_IP // phpcs:ignore WordPress.NamingConventions.ValidVariableName.VariableNotSnakeCase - ); + esc_html__( 'IP Address: %1$s', 'jetpack-forms' ), + $comment_author_ip + ) . '
'; + } + $footer_url = sprintf( /* translators: Placeholder is the URL of the page where a form was submitted. */ __( 'Source URL: %1$s', 'jetpack-forms' ), @@ -1461,7 +1484,7 @@ public function process_submission() { '
', '', $footer_time . '
', - $footer_ip . '
', + $footer_ip ? $footer_ip . '
' : null, $footer_url . '
', $sent_by_text, '
', diff --git a/projects/packages/forms/tests/php/contact-form/test-class.contact-form.php b/projects/packages/forms/tests/php/contact-form/test-class.contact-form.php index b43dc007a4820..bc089dc50ca83 100644 --- a/projects/packages/forms/tests/php/contact-form/test-class.contact-form.php +++ b/projects/packages/forms/tests/php/contact-form/test-class.contact-form.php @@ -134,6 +134,29 @@ public function test_process_submission_will_store_a_feedback_correctly_with_def $this->assertStringContainsString( 'IP Address: 127.0.0.1', $email['message'] ); } + /** + * Tests that the submission as a whole will produce something in the + * database when required information is provided. + * + * @author tonykova + */ + public function test_process_submission_will_not_store_ip() { + add_filter( 'jetpack_contact_form_forget_ip_address', '__return_true' ); + $form = new Contact_Form( array() ); + $result = $form->process_submission(); + + // Processing should be successful and produce the success message. + $this->assertTrue( is_string( $result ) ); + + $feedback_id = end( Posts::init()->posts )->ID; + $submission = get_post( $feedback_id ); + + // Default metadata should be saved. + $email = get_post_meta( $submission->ID, '_feedback_email', true ); + $this->assertStringNotContainsString( 'IP Address', $email['message'] ); + remove_all_filters( 'jetpack_contact_form_forget_ip_address' ); + } + /** * Tests that the submission as a whole will produce something in the * database when some labels are provided.
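Review bot: The trailing separator literal ends up appended to the IP line twice when an address is present: once inside the new `if ( $comment_author_ip )` block in the hunk at -1432, and again in this array entry, `$footer_ip ? $footer_ip . '…' : null`. Since `$footer_ip` is already either null or a complete line with its separator, this entry can simply be `$footer_ip,`. That keeps the null element for the filtered case and avoids the extra blank line in the e-mail footer when the IP is included.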
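Review bot: test_process_submission_will_not_store_ip asserts only on the e-mail body, so despite its name nothing verifies that the saved feedback post is free of the address. Adding `$this->assertStringNotContainsString( '127.0.0.1', $submission->post_content );` (the address the preceding test expects in the e-mail) would cover the database side of the filter. `remove_all_filters( 'jetpack_contact_form_forget_ip_address' );` runs after the assertions, so a failing assertion leaves the filter active for later tests; it is safer to remove it right after `process_submission()` returns or in the tear-down. The docblock is copied from the storing test and should describe the filter case instead.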