Forms: Carry is_test via signed JWT source; a11y + unread-count polish

Follow-ups from review feedback on #48057:

- Replace the hidden-field + nonce injection in form preview rendering
  with a flag baked into the signed JWT. Feedback_Source::get_current()
  now reads Form_Preview::is_preview_mode() at render time and records
  is_test=true on the source, which travels tamper-proof inside the
  JWT to submission. JWTs issued before this change omit the flag and
  continue to behave as regular submissions.
- Remove the now-unused inject_preview_submission_fields() helper,
  verify_preview_submission() helper, and the three PREVIEW_SUBMIT_*
  constants from Form_Preview.
- Drop the test-feedback special case in Feedback::save(); test
  responses are now created as STATUS_UNREAD like any other response
  so they contribute to the unread count.
- Add aria-label="Test response" to the inline Test badge in the
  dashboard From column so screen readers get a complete label.
- Add two PHPUnit round-trip tests covering the JWT backward-compat
  contract: a JWT issued in preview mode marks the decoded form as
  a test submission; a JWT issued outside preview mode (or from a
  cached HTML fragment predating this feature) decodes to a regular
  submission.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: enejb

projects/packages/forms/routes/responses/stage.tsx

@@ -466,7 +466,12 @@ function StageInner() {
 								<Stack direction="column" gap="2xs">
 									<Stack direction="row" align="center" gap="xs">
 										{ item.is_test && (
-											<Badge intent="informational">{ __( 'Test', 'jetpack-forms' ) }</Badge>
+											<Badge
+												intent="informational"
+												aria-label={ __( 'Test response', 'jetpack-forms' ) }
+											>
+												{ __( 'Test', 'jetpack-forms' ) }
+											</Badge>
 										) }
 										<Text ellipsizeMode="tail" limit={ 50 } truncate>
 											{ displayName }

projects/packages/forms/src/contact-form/class-contact-form-plugin.php

@@ -1620,24 +1620,6 @@ public function process_form_submission() {
 			return Form_Submission_Error::system_error( 'invalid_form_id_or_hash', __( 'Invalid form ID or hash.', 'jetpack-forms' ) );
 		}
 
-		// Detect and authorize submissions coming from form preview. When a preview
-		// submission is detected we let it flow through the normal pipeline but
-		// flag the resulting feedback as a test response.
-		$is_preview_submission = false;
-		// phpcs:ignore WordPress.Security.NonceVerification.Missing -- the nonce is verified inside verify_preview_submission().
-		if ( ! empty( $_POST[ Form_Preview::PREVIEW_SUBMIT_FIELD ] ) ) {
-			$preview_form_id = is_numeric( $id ) ? (int) $id : 0;
-			if ( $preview_form_id > 0 && Form_Preview::verify_preview_submission( $preview_form_id ) ) {
-				$is_preview_submission = true;
-			} else {
-				// Preview flag was present but nonce/caps did not check out. Reject.
-				return Form_Submission_Error::system_error(
-					'invalid_preview_submission',
-					__( 'Invalid form preview submission.', 'jetpack-forms' )
-				);
-			}
-		}
-
 		if ( is_user_logged_in() ) {
 			check_admin_referer( "contact-form_{$id}" );
 		}
@@ -1734,9 +1716,14 @@ public function process_form_submission() {
 			if ( Jetpack_Forms::is_webhooks_enabled() && ! empty( $form->attributes['webhooks'] ) ) {
 				Form_Webhooks::init();
 			}
-			// Flag the submission as originating from a form preview so the form
-			// treats the resulting feedback as a test response.
-			$form->set_is_preview_submission( $is_preview_submission );
+
+			// The decoded JWT carries a serialized Feedback_Source; when the
+			// form was rendered in preview mode that source has is_test=true.
+			// Flag the submission accordingly so the response is stored as a
+			// test response. JWTs issued before this feature shipped simply
+			// omit the flag and behave as regular submissions.
+			$form->set_is_preview_submission( $form->get_source()->is_test() );
+
 			// Process the form
 			return $form->process_submission();
 		}
@@ -1925,10 +1912,6 @@ public function process_form_submission() {
 			Form_Webhooks::init();
 		}
 
-		// Flag the submission as originating from a form preview so the form
-		// treats the resulting feedback as a test response.
-		$form->set_is_preview_submission( $is_preview_submission );
-
 		// Process the form
 		return $form->process_submission();
 	}

projects/packages/forms/src/contact-form/class-feedback-source.php

@@ -177,20 +177,27 @@ private static function get_source_title() {
 	public static function get_current( $attributes ) {
 		global $wp, $page;
 		$current_url = home_url( add_query_arg( array(), $wp->request ) );
+
+		// When a form is rendered inside the server-side preview
+		// (Form_Preview::maybe_render_preview), flag the source as a test
+		// submission. The flag travels with the signed JWT and is read back
+		// at submission time to branch the response into the test pipeline.
+		$is_test = Form_Preview::is_preview_mode();
+
 		if ( isset( $attributes['widget'] ) && ! empty( $attributes['widget'] ) ) {
-			return new self( $attributes['widget'], self::get_source_title(), 1, 'widget', $current_url );
+			return new self( $attributes['widget'], self::get_source_title(), 1, 'widget', $current_url, $is_test );
 		}
 
 		if ( isset( $attributes['block_template'] ) && ! empty( $attributes['block_template'] ) ) {
 			global $_wp_current_template_id;
-			return new self( $_wp_current_template_id, self::get_source_title(), $page, 'block_template', $current_url );
+			return new self( $_wp_current_template_id, self::get_source_title(), $page, 'block_template', $current_url, $is_test );
 		}
 
 		if ( isset( $attributes['block_template_part'] ) && ! empty( $attributes['block_template_part'] ) ) {
-			return new self( $attributes['block_template_part'], self::get_source_title(), $page, 'block_template_part', $current_url );
+			return new self( $attributes['block_template_part'], self::get_source_title(), $page, 'block_template_part', $current_url, $is_test );
 		}
 
-		return new Feedback_Source( \get_the_ID(), \get_the_title(), $page, 'single', $current_url );
+		return new Feedback_Source( \get_the_ID(), \get_the_title(), $page, 'single', $current_url, $is_test );
 	}
 
 	/**

projects/packages/forms/src/contact-form/class-feedback.php

@@ -1482,11 +1482,6 @@ public function mark_as_test() {
 	 * @return int
 	 */
 	public function save() {
-		// Test feedback (from form preview) is created as already-read so it does
-		// not bump the unread counter in the dashboard — the form owner explicitly
-		// triggered it and doesn't need to be notified of "new" responses.
-		$comment_status = $this->is_test() ? self::STATUS_READ : self::STATUS_UNREAD;
-
 		$post_id = wp_insert_post(
 			array(
 				'post_type'      => self::POST_TYPE,
@@ -1497,7 +1492,7 @@ public function save() {
 				'post_content'   => $this->serialize(), // In V3 we started to addslashes.
 				'post_mime_type' => 'v3', // a way to help us identify what version of the data this is.
 				'post_parent'    => $this->form_id ?? $this->source->get_id(),
-				'comment_status' => $comment_status,
+				'comment_status' => self::STATUS_UNREAD, // New feedback is unread by default.
 			)
 		);
 

projects/packages/forms/src/contact-form/class-form-preview.php

@@ -23,28 +23,6 @@ class Form_Preview {
 	 */
 	const PREVIEW_NONCE_ACTION = 'jetpack_form_preview_';
 
-	/**
-	 * The nonce action prefix used to authenticate POST submissions
-	 * originating from a form preview render.
-	 *
-	 * @var string
-	 */
-	const PREVIEW_SUBMIT_NONCE_ACTION = 'jetpack_form_preview_submit_';
-
-	/**
-	 * POST field name used to flag a submission as originating from form preview.
-	 *
-	 * @var string
-	 */
-	const PREVIEW_SUBMIT_FIELD = 'is_jetpack_form_preview';
-
-	/**
-	 * POST field name carrying the preview submission nonce.
-	 *
-	 * @var string
-	 */
-	const PREVIEW_SUBMIT_NONCE_FIELD = 'jetpack_form_preview_nonce';
-
 	/**
 	 * The query variable for form preview.
 	 *
@@ -317,6 +295,12 @@ function ( $title, $id = null ) use ( $form, $form_id ) {
 	/**
 	 * Render the form preview content.
 	 *
+	 * The rendered markup flows through the normal block pipeline, which
+	 * embeds a signed JWT carrying the form's serialized source. Because
+	 * Feedback_Source::get_current() reads Form_Preview::is_preview_mode()
+	 * at render time, the JWT issued here travels to submission with
+	 * `is_test: true` baked into its source — no hidden nonce fields needed.
+	 *
 	 * @param WP_Post|null $form The form post.
 	 * @return string The rendered content.
 	 */
@@ -333,87 +317,14 @@ private static function render_form_preview_content( ?WP_Post $form ) {
 		$output .= '</div>';
 
 		// Parse and render the form blocks.
-		$blocks         = parse_blocks( $form->post_content );
-		$rendered_forms = '';
+		$blocks = parse_blocks( $form->post_content );
 		foreach ( $blocks as $block ) {
-			$rendered_forms .= render_block( $block );
+			$output .= render_block( $block );
 		}
 
-		// Inject the preview submission auth fields into every <form> in the rendered markup.
-		$output .= self::inject_preview_submission_fields( $rendered_forms, (int) $form->ID );
-
 		return $output;
 	}
 
-	/**
-	 * Inject hidden fields that authenticate the POST back to PHP as a preview submission.
-	 *
-	 * Adds a flag and a form-id-scoped nonce immediately before each `</form>` tag
-	 * in the given HTML. A leaked nonce only authorizes test submissions for the
-	 * specific form it was generated for.
-	 *
-	 * @param string $html    The rendered form HTML.
-	 * @param int    $form_id The form post ID the nonce should be scoped to.
-	 * @return string
-	 */
-	private static function inject_preview_submission_fields( $html, $form_id ) {
-		if ( empty( $html ) || $form_id <= 0 ) {
-			return $html;
-		}
-
-		$nonce = wp_create_nonce( self::PREVIEW_SUBMIT_NONCE_ACTION . $form_id );
-
-		$hidden_fields = sprintf(
-			'<input type="hidden" name="%1$s" value="1" /><input type="hidden" name="%2$s" value="%3$s" />',
-			esc_attr( self::PREVIEW_SUBMIT_FIELD ),
-			esc_attr( self::PREVIEW_SUBMIT_NONCE_FIELD ),
-			esc_attr( $nonce )
-		);
-
-		// Insert the hidden fields just before each closing </form> tag.
-		return preg_replace( '#</form>#i', $hidden_fields . '</form>', $html );
-	}
-
-	/**
-	 * Verify that the current POST request is an authenticated form preview submission.
-	 *
-	 * Requires the preview flag + nonce in POST, a logged-in user, and the user
-	 * to have `edit_post` capability on the form id whose nonce is presented.
-	 *
-	 * @param int $form_id The form post ID.
-	 * @return bool True when the submission is authorized to be marked as a test submission.
-	 */
-	public static function verify_preview_submission( $form_id ) {
-		// phpcs:disable WordPress.Security.NonceVerification.Missing -- this method IS the nonce verification.
-		if ( empty( $_POST[ self::PREVIEW_SUBMIT_FIELD ] ) ) {
-			return false;
-		}
-
-		$form_id = absint( $form_id );
-		if ( $form_id <= 0 ) {
-			return false;
-		}
-
-		if ( ! is_user_logged_in() ) {
-			return false;
-		}
-
-		if ( ! current_user_can( 'edit_post', $form_id ) ) {
-			return false;
-		}
-
-		$nonce = isset( $_POST[ self::PREVIEW_SUBMIT_NONCE_FIELD ] )
-			? sanitize_text_field( wp_unslash( $_POST[ self::PREVIEW_SUBMIT_NONCE_FIELD ] ) )
-			: '';
-
-		if ( ! wp_verify_nonce( $nonce, self::PREVIEW_SUBMIT_NONCE_ACTION . $form_id ) ) {
-			return false;
-		}
-
-		return true;
-		// phpcs:enable WordPress.Security.NonceVerification.Missing
-	}
-
 	/**
 	 * Enqueue preview styles.
 	 */
@@ -433,8 +344,6 @@ public static function enqueue_preview_styles() {
 	 * Add preview mode script variable.
 	 */
 	public static function add_preview_mode_script() {
-		wp_print_inline_script_tag(
-			'window.jetpackFormsPreviewMode = true; window.jetpackFormsPreviewAllowsSubmission = true;'
-		);
+		wp_print_inline_script_tag( 'window.jetpackFormsPreviewMode = true;' );
 	}
 }

projects/packages/forms/tests/php/contact-form/Contact_Form_Test.php

@@ -2700,6 +2700,94 @@ public function test_encode_form_to_jwt() {
 		Constants::clear_single_constant( 'JETPACK_BLOG_TOKEN' );
 	}
 
+	/**
+	 * A JWT issued while Form_Preview::is_preview_mode() is active carries
+	 * is_test=true inside its serialized source. After decode, the form's
+	 * source should report is_test() === true, which is how
+	 * process_form_submission() recognizes preview submissions.
+	 */
+	public function test_jwt_source_is_flagged_as_test_when_rendered_in_preview_mode() {
+		Constants::set_constant( 'JETPACK_BLOG_TOKEN', 'test.token' );
+
+		// Flip the Form_Preview static flag for the duration of this test so
+		// Feedback_Source::get_current() — invoked by get_jwt() — records the
+		// preview context in the serialized source.
+		$reflection   = new \ReflectionClass( Form_Preview::class );
+		$preview_flag = $reflection->getProperty( 'is_preview_mode' );
+		$preview_flag->setAccessible( true );
+		$previous_value = $preview_flag->getValue();
+		$preview_flag->setValue( null, true );
+
+		try {
+			$form = new Contact_Form(
+				array(
+					'to'      => 'preview@example.com',
+					'subject' => 'preview subject',
+				),
+				"[contact-field label='Name' type='name' required='1'/]"
+			);
+
+			$jwt = $form->get_jwt();
+
+			$decoded = Contact_Form::get_instance_from_jwt( $jwt );
+
+			$this->assertNotNull( $decoded, 'JWT should decode successfully.' );
+			$this->assertTrue(
+				$decoded->get_source()->is_test(),
+				'A JWT issued while preview mode was active should carry is_test=true in its source.'
+			);
+		} finally {
+			$preview_flag->setValue( null, $previous_value );
+			Constants::clear_single_constant( 'JETPACK_BLOG_TOKEN' );
+		}
+	}
+
+	/**
+	 * Backward compatibility: a JWT issued before this feature shipped (or
+	 * issued outside preview mode) has no is_test key in its source. After
+	 * decode, the form's source should report is_test() === false, so the
+	 * submission flows through the normal response pipeline. This matters
+	 * because JWTs can live in cached HTML fragments across page loads.
+	 */
+	public function test_jwt_without_is_test_in_source_is_not_a_preview_submission() {
+		Constants::set_constant( 'JETPACK_BLOG_TOKEN', 'test.token' );
+
+		$form = new Contact_Form(
+			array(
+				'to'      => 'normal@example.com',
+				'subject' => 'normal subject',
+			),
+			"[contact-field label='Name' type='name' required='1'/]"
+		);
+
+		$jwt = $form->get_jwt();
+
+		// Sanity-check the serialized JWT does not carry is_test. We read the
+		// unencrypted outer claims directly — implementation detail, but it
+		// documents the backward-compat contract.
+		$raw_parts       = explode( '.', $jwt );
+		$raw_payload     = $raw_parts[1] ?? '';
+		$decoded_json    = base64_decode( strtr( $raw_payload, '-_', '+/' ), true );
+		$decoded_payload = $decoded_json === false ? null : json_decode( $decoded_json, true );
+		$this->assertIsArray( $decoded_payload );
+		$this->assertArrayHasKey( 'source', $decoded_payload );
+		$this->assertArrayNotHasKey(
+			'is_test',
+			$decoded_payload['source'],
+			'Outside preview mode the source must not include an is_test key so old cached JWTs stay compatible.'
+		);
+
+		$decoded = Contact_Form::get_instance_from_jwt( $jwt );
+
+		$this->assertNotNull( $decoded );
+		$this->assertFalse(
+			$decoded->get_source()->is_test(),
+			'A JWT without is_test in its source must decode to a regular (non-test) submission.'
+		);
+
+		Constants::clear_single_constant( 'JETPACK_BLOG_TOKEN' );
+	}
+
 	public function test_get_instance_from_jwt_uses_default_secret_when_no_token_secret() {
 		// Ensure JETPACK_BLOG_TOKEN is not defined, so default secret is used
 		Constants::clear_single_constant( 'JETPACK_BLOG_TOKEN' );