Forms and Validation

PressGang provides a structured form handling pipeline with built-in validation, CSRF protection, and error handling. No more tangled $_POST processing scattered across your theme — PressGang keeps your forms battened down and secure.

Architecture

Form submit → WordPress admin-post → FormSubmission::handle_form_submission()
                                        ├── Nonce verification
                                        ├── Input flashing
                                        ├── Validator pipeline
                                        ├── process_submission() (your logic)
                                        └── Redirect with status

FormSubmission (Base Class)

The abstract FormSubmission class handles the form lifecycle:

  1. Nonce verification — rejects requests with invalid or missing nonces.

  2. Input flashing — sanitises and stores submitted values in the session (via Flash), so forms can be repopulated after validation errors.

  3. Validation — runs all configured validators and collects errors.

  4. Processing — calls your process_submission() implementation on success.

  5. Redirect — sends the user back to the referring page with success/error flags.
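The lifecycle above, sketched in plain WordPress as an added example; it is not PressGang's code and does not use its classes, and session flashing is left out. All demo_/Demo names, the demo_contact action and the demo_nonce field are hypothetical; the form is assumed to post to admin-post.php with action=demo_contact and a nonce created by wp_nonce_field('demo_contact', 'demo_nonce').

```php
<?php
// Added illustration in plain WordPress; every demo_/Demo name is hypothetical.
interface DemoValidator {
    /** @return string[] Empty on success, error messages on failure. */
    public function validate(array $input): array;
}
final class DemoEmailValidator implements DemoValidator {
    public function validate(array $input): array {
        return is_email($input['email']) ? [] : ['Please enter a valid email address.'];
    }
}
final class DemoMessageValidator implements DemoValidator {
    public function validate(array $input): array {
        return trim($input['message']) !== '' ? [] : ['Please enter a message.'];
    }
}
// Read one expected POST field; array-valued input (field[]=x) is treated as empty.
function demo_field(string $key): string {
    $value = $_POST[$key] ?? '';
    return is_string($value) ? wp_unslash($value) : '';
}
function demo_handle_contact(): void {
    // 1. Nonce verification: stop before any other input is read.
    if (!wp_verify_nonce(sanitize_text_field(demo_field('demo_nonce')), 'demo_contact')) {
        wp_die('Invalid request.', '', ['response' => 403]);
    }
    // 2. Sanitise an allow-list of fields, each with the function matching its type.
    $input = [
        'email'   => sanitize_email(demo_field('email')),
        'message' => sanitize_textarea_field(demo_field('message')),
    ];
    // 3. Validator pipeline: run every validator and collect all errors.
    $errors = [];
    foreach ([new DemoEmailValidator(), new DemoMessageValidator()] as $validator) {
        $errors = array_merge($errors, $validator->validate($input));
    }
    // 4. Processing: only reached with validated data.
    if ($errors === []) {
        wp_mail(get_option('admin_email'), 'Contact form message', $input['message']);
    }
    // 5. Redirect: wp_safe_redirect() only follows allowed hosts, so a forged
    //    Referer header cannot turn this into an open redirect.
    $back = wp_get_referer() ?: home_url('/');
    wp_safe_redirect(add_query_arg('contact', $errors === [] ? 'success' : 'error', $back));
    exit;
}
// Same handler for logged-in and logged-out visitors.
add_action('admin_post_demo_contact', 'demo_handle_contact');
add_action('admin_post_nopriv_demo_contact', 'demo_handle_contact');
```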

Creating a Form Handler

Extend FormSubmission and implement process_submission():

Initialising and Registering Hooks

Form handlers register themselves with WordPress via admin_post actions:

This registers handlers for both logged-in (admin_post_{action}) and logged-out (admin_post_nopriv_{action}) users.

Built-in: ContactSubmission

PressGang ships with a ContactSubmission class that handles contact form emails out of the box:

  • Sends email via wp_mail() to the site admin.

  • Supports optional Twig templates for email formatting.

  • Configurable success/error messages.

  • Filterable recipient via pressgang_contact_to_email.

  • Filterable subject via pressgang_contact_subject.

Validators

Validators implement the ValidatorInterface:

The validate() method returns an empty array on success, or an array of error messages on failure.

Built-in Validators

Validator            Purpose
EmailValidator       Validates that a submitted email address is well-formed
MessageValidator     Validates that a message field is not empty
RecaptchaValidator   Validates a Google reCAPTCHA response

Creating a Custom Validator

Form Template (Twig)

Your Twig form template must include a nonce field and target the admin_post endpoint:

Security

  • Nonce validation is automatic — handled by FormSubmission::handle_form_submission().

  • All input should be sanitised using sanitize_text_field(), sanitize_email(), etc.

  • Validation logic must live in validators, not in controllers.

  • Controllers may only consume validated data — they must never process form submissions directly.
