Add opt-in to prevent POST forms from being converted to amp-form (with action-xhr)

[westonruter]

Summary

See #6443.

One of the very frequent issues encountered by users of the AMP plugin is POST form submissions not behaving properly. In fact, we have a support page all about handling form submissions. The issue is that AMP requires POST forms to be submitted over XHR rather than a traditional page navigation, but this breaks if the endpoint sends back a Location header to redirect or if the endpoint is on another host that doesn't send CORS headers. There is a feature request to allow non-XHR POST forms in AMP (ampproject/amphtml#27638), but for now we should allow an opt-in to prevent conversion of such POST forms and to omit the amp-form component. This amp-form component must be excluded or else it will intercept any submissions on POST forms to block them and show an error message.

To opt-in to traditional non-XHR POST forms, do the following:

add_filter( 'amp_native_post_form_allowed', '__return_true' );

When this is done, page that have such a form will now emit a new validation error: FORM_HAS_POST_METHOD. When the user marks this validation error as kept, then:

1. Conversion of the form is skipped.
2. The data-ampdevmode attribute is added to the form element and the html root element (to prevent removal).
3. The amp-form component script is omitted from the page.

A user may decide to opt-in to preventing any such POST form from being converted by default via the following code:

add_filter(
	'amp_validation_error_default_sanitized',
	static function ( $sanitized, $error ) {
		if ( isset( $error['code'] ) && 'FORM_HAS_POST_METHOD_WITHOUT_ACTION_XHR_ATTR' === $error['code'] ) {
			$sanitized = false;
		}
		return $sanitized;
	},
	10,
	2
);

Checklist

• My code is tested and passes existing tests.
• My code follows the Engineering Guidelines (updates are often made to the guidelines, check it out periodically).

[github-actions]

Plugin builds for ef4653e are ready 🛎️!

• Download development build
• Download production build

[pierlon]

Noticed a bug while testing this; given the HTML:

<form method="get" action-xhr="https://example.com"></form>

It will be sanitized to become:

<form method="get" action-xhr="https://example.com" action="//amp-dev.test/test-6527/?amp=1" target="_top" rel="amphtml" novalidate="" class="i-amphtml-form"><input name="amp" value="1" type="hidden"></form>

The action attribute should not be in the output.

[pierlon]

When the amp_allowing_native_post_forms filter returns true and given the markup:

<form method="post" action-xhr="https://example.com"></form>

Marking the validation error for that markup to "Kept" produces:

<form method="post" action-xhr="https://example.com" data-ampdevmode="" novalidate="" class="i-amphtml-form"></form>

Should the action-xhr attribute instead be attribute, or is it on the user for using action-xhr?

[pierlon]

Any reason for using allowing instead of allow (or allows)? Just wondering since we don't have any hooks that use present participle verbs, AFAIK.

[westonruter]

There's amp_using_native_img 😄

If you think the filters make more sense as amp_use_native_img and amp_allow_native_form then that I'm happy with that.

[westonruter]

I had gone with singular for img since imgs looks bad.

[westonruter]

But then what about the function names?

[pierlon]

If you think the filters make more sense as amp_use_native_img and amp_allow_native_form then that I'm happy with that.

I was only concerned with it as it doesn't follow the usual naming conventions we use for our hooks, but either naming works for me 😄.

But then what about the function names?

They can stay if we're keeping the hook names.

[westonruter]

What about:

Function	Filter
amp_is_native_img_used()	amp_native_img_used
amp_is_native_post_form_allowed()	amp_native_post_form_allowed

[pierlon]

I'm on board with that.

[pierlon]

Would the value of @method be case sensitive here?

[westonruter]

Good catch. Fixed in dfb5223.

[westonruter]

Noticed a bug while testing this; given the HTML:

<form method="get" action-xhr="https://example.com"></form>

It will be sanitized to become:

<form method="get" action-xhr="https://example.com" action="//amp-dev.test/test-6527/?amp=1" target="_top" rel="amphtml" novalidate="" class="i-amphtml-form"><input name="amp" value="1" type="hidden"></form>

The action attribute should not be in the output.

That's tricky. It turns out in the case of a get form, it's the action attribute that's required and not the action-xhr. You can provide both, but the action-xhr is optional.

See the above is valid (playground):

Attempting to omit the action attribute results in an error:

[pierlon]

I see, that makes sense. The docs also confirm using both action and action-xhr for GET requests:

This attribute is required for method=POST, and is optional for method=GET.

The value for action-xhr can be the same or a different endpoint than action and has the same action requirements above.

[westonruter]

When the amp_allowing_native_post_forms filter returns true and given the markup:

<form method="post" action-xhr="https://example.com"></form>

Marking the validation error for that markup to "Kept" produces:

<form method="post" action-xhr="https://example.com" data-ampdevmode="" novalidate="" class="i-amphtml-form"></form>

Should the action-xhr attribute instead be attribute, or is it on the user for using action-xhr?

Oops. Yeah, POST forms with action-xhr should be skipped. I believe this is fixed as of a017973.

[pierlon]

LGTM

[pierlon]

Oh wait there seems to be some failing PHP tests.

[pierlon]

Oh wait there seems to be some failing PHP tests.

The failing test highlighted a bug in Core. The issue resides in this block of code, where there is no check to verify $res is not a WP_Error before operating on it, which is why the tests throw the error:

Undefined property: WP_Error::$themes

[westonruter]

Right, so it's a network issue.

[pierlon]

The failing test highlighted a bug in Core...

Created WordPress/wordpress-develop#1571 to fix the issue and it was just recently merged.

[milindmore22]

QA Passed

Input for Post method

<form method="post" action-xhr="https://example.com"></form>

Output for post method

<form method="post" action-xhr="https://example.com" target="_top" novalidate="" class="i-amphtml-form"></form>

---

Input for Get Method

<form method="get" action-xhr="https://example.com"></form>

Output for Post method

<form method="get" action-xhr="https://example.com" action="//amp-local.test/form-test/amp/" target="_top" novalidate="" class="i-amphtml-form"></form>