Updates to 2.9.21

Author: Gravity Forms

assets/js/dist/assets.php

@@ -1 +1 @@
-<?php return array('hash_map' => array('admin-components.min.js' => array('version' => '268f6a3dd9b4cf0082f7980aa8ef906f', 'file' => 'admin-components.min.js'), 'libraries.min.js' => array('version' => 'ed8a7666c544ac15b91ded2ef2fd658f', 'file' => 'libraries.min.js'), 'react-utils.min.js' => array('version' => 'b096083749e2c3fabb85622059bcee22', 'file' => 'react-utils.min.js'), 'scripts-admin.min.js' => array('version' => '9c27ff1c929fe1b5784f1ed05be8a186', 'file' => 'scripts-admin.min.js'), 'scripts-theme.min.js' => array('version' => '8fa5e6390c795318e567cd2b080e169b', 'file' => 'scripts-theme.min.js'), 'utils.min.js' => array('version' => '380b7a5ec0757c78876bc8a59488f2f3', 'file' => 'utils.min.js'), 'vendor-admin.min.js' => array('version' => '7d3d04c83df035485594e5913fdd0c4f', 'file' => 'vendor-admin.min.js'), 'vendor-theme.min.js' => array('version' => '21e5a4db1670166692ac5745329bfc80', 'file' => 'vendor-theme.min.js')));
+<?php return array('hash_map' => array('admin-components.min.js' => array('version' => '268f6a3dd9b4cf0082f7980aa8ef906f', 'file' => 'admin-components.min.js'), 'libraries.min.js' => array('version' => 'ed8a7666c544ac15b91ded2ef2fd658f', 'file' => 'libraries.min.js'), 'react-utils.min.js' => array('version' => 'b096083749e2c3fabb85622059bcee22', 'file' => 'react-utils.min.js'), 'scripts-admin.min.js' => array('version' => '9c27ff1c929fe1b5784f1ed05be8a186', 'file' => 'scripts-admin.min.js'), 'scripts-theme.min.js' => array('version' => 'ea8a466a3fdf642558f016efd46a6aff', 'file' => 'scripts-theme.min.js'), 'utils.min.js' => array('version' => '380b7a5ec0757c78876bc8a59488f2f3', 'file' => 'utils.min.js'), 'vendor-admin.min.js' => array('version' => '7d3d04c83df035485594e5913fdd0c4f', 'file' => 'vendor-admin.min.js'), 'vendor-theme.min.js' => array('version' => '8673c9a2ff188de55f9073009ba56f5e', 'file' => 'vendor-theme.min.js')));

assets/js/dist/scripts-theme.min.asset.php

@@ -1 +1 @@
-<?php return array('dependencies' => array('gform_gravityforms_utils', 'jquery', 'wp-polyfill'), 'version' => 'f7234e01fc1987efd5bd');
+<?php return array('dependencies' => array('gform_gravityforms_utils', 'jquery', 'wp-polyfill'), 'version' => '7bcd744b0d6fe5aee7fe');

assets/js/dist/scripts-theme.min.js

@@ -1 +1 @@
-<?php return array('dependencies' => array(), 'version' => 'f48a53be353699fb345e');
+<?php return array('dependencies' => array(), 'version' => 'fd4eff9dd235326c1ae7');

assets/js/dist/vendor-theme.min.asset.php

@@ -1,3 +1,12 @@
+### 2.9.21 | 2025-10-29
+- Added security enhancements.
+- Added a new setting to the Honeypot Field to check the time it takes to submit a form and mark the form as spam if the submission is too fast.
+- Updated account/license links to point to the new Gravity account site at [https://account.gravity.com/](https://account.gravity.com/).
+- Fixed Mailchimp capitalization in Survey Form template and elsewhere.
+- Fixed an issue that can cause the `gform_update_feed_active` action hook to fail if the hooked action calls $wpdb.
+- Fixed an issue where a page with multiple forms including file upload fields will retain and display submitted files from differing forms.
+- Fixed an issue with the timing of the multi-file upload handler sending the headers that prevents the Chained Selects field CSV upload completing.
+
 ### 2.9.20 | 2025-10-16
 - Added several performance improvements to the form editor by running large queries asynchronously.
 - Added support for feed conditional logic based on payment status.
@@ -3193,7 +3202,7 @@ Description Filter which checks whether the operator is valid. Allows …)* filt
 - AF: Added handling of the date_created merge tag to the get_field_value function for instances where this function is used before the entry has been created.
 - AF: Added ability to set a limit on the number of fields that may be added for fields of type dynamic_field_map.
 - AF: Added support for displaying validation errors set for fields created as type dynamic_field_map.
-- AF: Change "get_field_value" to use "get_full_name" and "get_full_address" functions to prevent access level conflict with MailChimp Add-On.
+- AF: Change "get_field_value" to use "get_full_name" and "get_full_address" functions to prevent access level conflict with Mailchimp Add-On.
 - AF: Fixed a bug where an error would be thrown if the function plugin_settings_page was not included in the add-on.
 - AF: Added the ability to exclude certain field types from field mapping in the get_field_map_choices function.
 - AF: Added "get_field_value" helper function to get value of a selected field.
@@ -4405,7 +4414,7 @@ Description Use this filter to prevent the thousand separator being …)* filter
 - AF: Added support for labels, tooltips and default values to text and textarea settings.
 - AF: Added support for tooltips in checkbox choices.
 - AF: Added settings_radio().
-- AF: Moved some MailChimp specific functions back into MailChimp.
+- AF: Moved some Mailchimp specific functions back into Mailchimp.
 - Fixed issue with admin_title filter return false instead of original title when not on form settings page.
 
 

assets/js/dist/vendor-theme.min.js

@@ -1856,6 +1856,13 @@ public static function gform_footer( $form, $class, $ajax, $field_values, $previ
 		$unique_id      = isset( self::$submission[ $form_id ] ) && rgar( self::$submission[ $form_id ], 'resuming_incomplete_submission' ) == true ? rgar( GFFormsModel::$unique_ids, $form_id ) : GFFormsModel::get_form_unique_id( $form_id );
 		$style_settings = $is_valid_json ? esc_attr( $style_settings ) : '';
 
+		/** @var Honeypot\GF_Honeypot_Handler $honeypot_handler */
+		$honeypot_handler = GFForms::get_service_container()->get( Honeypot\GF_Honeypot_Service_Provider::GF_HONEYPOT_HANDLER );
+
+		if ( $honeypot_handler->is_speed_check_enabled( $form ) ) {
+			$footer .= "<input type='hidden' class='gform_hidden' name='gform_submission_speeds' value='" . esc_attr( $honeypot_handler->get_submission_speeds_json( $form_id ) ) . "' />";
+		}
+
 		$footer .= "
             <input type='hidden' class='gform_hidden' name='gform_submission_method' data-js='gform_submission_method_{$form_id}' value='" . self::get_submission_method( $submission_method ) . "' />
             <input type='hidden' class='gform_hidden' name='gform_theme' data-js='gform_theme_{$form_id}' id='gform_theme_{$form_id}' value='" . esc_attr( $theme ) . "' />

change_log.txt

@@ -97,7 +97,8 @@ public static function form_settings_ui() {
 	 * Prepare form settings fields.
 	 *
 	 * @since 2.5
-	 * @since 2.9.8 Updated honeypotAction default to spam.
+	 * @since 2.9.8  Updated honeypotAction default to spam.
+	 * @since 2.9.21 Moved the honeypot fields to a new spam section and added submission speed check fields.
 	 *
 	 * @param array $form Form being edited.
 	 *
@@ -106,8 +107,8 @@ public static function form_settings_ui() {
 	public static function form_settings_fields( $form ) {
 
 		// Handles the deprecation notice for the confirmation ready classes in the CSS class field of form settings.
-		$deprecated_confirmation_classes_field_notice = function( $value, $field ) use ( $form ) {
-			if ( GFCommon::is_legacy_markup_enabled_og( $form ) ){
+		$deprecated_confirmation_classes_field_notice = function ( $value, $field ) use ( $form ) {
+			if ( GFCommon::is_legacy_markup_enabled_og( $form ) ) {
 				return false;
 			}
 
@@ -135,7 +136,7 @@ public static function form_settings_fields( $form ) {
 		};
 
 		$fields = array(
-			'form_basics' => array(
+			'form_basics'       => array(
 				'title'  => esc_html__( 'Form Basics', 'gravityforms' ),
 				'fields' => array(
 					array(
@@ -144,11 +145,12 @@ public static function form_settings_fields( $form ) {
 						'label'               => esc_html__( 'Form Title', 'gravityforms' ),
 						'tooltip'             => gform_tooltip( 'form_title', '', true ),
 						'required'            => true,
-						'validation_callback' => function( $field, $value ) use ( $form ) {
+						'validation_callback' => function ( $field, $value ) use ( $form ) {
 
 							// If value is empty, set error.
 							if ( rgblank( $value ) ) {
 								$field->set_error( rgobj( $field, 'error_message' ) );
+
 								return;
 							}
 
@@ -187,7 +189,7 @@ public static function form_settings_fields( $form ) {
 					),
 				),
 			),
-			'form_layout' => array(
+			'form_layout'       => array(
 				'title'  => esc_html__( 'Form Layout', 'gravityforms' ),
 				'fields' => array(
 					array(
@@ -305,8 +307,8 @@ public static function form_settings_fields( $form ) {
 						'label'         => esc_html__( 'Custom Required Indicator', 'gravityforms' ),
 						'default_value' => esc_html__( '(Required)', 'gravityforms' ),
 						'dependency'    => array(
-							'live'      => true,
-							'fields'    => array(
+							'live'   => true,
+							'fields' => array(
 								array(
 									'field'  => 'requiredIndicator',
 									'values' => array( 'custom' ),
@@ -323,7 +325,7 @@ public static function form_settings_fields( $form ) {
 					),
 				),
 			),
-			'form_button' => array(
+			'form_button'       => array(
 				'title'  => esc_html__( 'Form Button', 'gravityforms' ),
 				'fields' => array(
 					array(
@@ -362,7 +364,7 @@ public static function form_settings_fields( $form ) {
 					),
 				),
 			),
-			'restrictions' => array(
+			'restrictions'      => array(
 				'title'  => esc_html__( 'Restrictions', 'gravityforms' ),
 				'fields' => array(
 					array(
@@ -537,13 +539,13 @@ public static function form_settings_fields( $form ) {
 					),
 				),
 			),
-			'form_options' => array(
-				'title'  => esc_html__( 'Form Options', 'gravityforms' ),
+			'spam'              => array(
+				'title'  => esc_html__( 'Spam Detection', 'gravityforms' ),
 				'fields' => array(
 					array(
 						'name'    => 'enableHoneypot',
 						'type'    => 'toggle',
-						'label'   => esc_html__( 'Anti-spam honeypot', 'gravityforms' ),
+						'label'   => esc_html__( 'Honeypot', 'gravityforms' ),
 						'tooltip' => gform_tooltip( 'form_honeypot', '', true ),
 					),
 					array(
@@ -571,6 +573,78 @@ public static function form_settings_fields( $form ) {
 							),
 						),
 					),
+					array(
+						'name'          => 'enableSubmitSpeedCheck',
+						'type'          => 'toggle',
+						'label'         => esc_html__( 'Submission Speed Check', 'gravityforms' ),
+						'description'   => esc_html__( 'Flags the submission as spam if the elapsed time between page load and form submission is less than the threshold.', 'gravityforms' ),
+						'default_value' => false,
+						'dependency'    => array(
+							'live'   => true,
+							'fields' => array(
+								array(
+									'field' => 'enableHoneypot',
+								),
+							),
+						),
+					),
+					array(
+						'name'                => 'submitSpeedCheckThreshold',
+						'type'                => 'text',
+						'input_type'          => 'number',
+						'min'                 => 1,
+						'default_value'       => 2000,
+						'label'               => esc_html__( 'Submission Speed Check: Threshold (milliseconds)', 'gravityforms' ),
+						'dependency'          => array(
+							'live'   => true,
+							'fields' => array(
+								array(
+									'field' => 'enableHoneypot',
+								),
+								array(
+									'field' => 'enableSubmitSpeedCheck',
+								),
+							),
+						),
+						'validation_callback' => function ( $field, $value ) {
+							if ( ! ctype_digit( $value ) || (int) $value < 1 ) {
+								$field->set_error( esc_html__( 'Please enter a valid number greater than zero.', 'gravityforms' ) );
+							}
+						},
+					),
+					array(
+						'name'          => 'submitSpeedCheckMode',
+						'type'          => 'radio',
+						'default_value' => 'normal',
+						'label'         => esc_html__( 'Submission Speed Check: Mode', 'gravityforms' ),
+						'description'   => esc_html__( 'Submission speed is captured for each page of a multi-page form and for each submission attempt after a validation error. If there are multiple submission speeds for one submission, which mode should be used to evaluate the submission?', 'gravityforms' ),
+						'dependency'    => array(
+							'live'   => true,
+							'fields' => array(
+								array(
+									'field' => 'enableHoneypot',
+								),
+								array(
+									'field' => 'enableSubmitSpeedCheck',
+								),
+							),
+						),
+						'choices'       => array(
+							array(
+								'label' => esc_html__( 'Normal: at least one speed must be above the threshold.', 'gravityforms' ),
+								'value' => 'normal',
+							),
+							array(
+								'label' => esc_html__( 'Strict: all speeds must be above the threshold.', 'gravityforms' ),
+								'value' => 'strict',
+							),
+						),
+					),
+				),
+			),
+			'form_options'      => array(
+				'title'  => esc_html__( 'Form Options', 'gravityforms' ),
+				'fields' => array(
 					array(
 						'name'    => 'enableAnimation',
 						'type'    => 'toggle',
@@ -795,7 +869,8 @@ public static function deprecated_classes_warning( $form ) {
 	 * Initialize Plugin Settings fields renderer.
 	 *
 	 * @since 2.5
-	 * @since 2.9.8 Updated honeypotAction default to spam.
+	 * @since 2.9.8  Updated honeypotAction default to spam.
+	 * @since 2.9.21 Updated to save the submission speed check fields.
 	 */
 	public static function initialize_settings_renderer() {
 
@@ -859,9 +934,27 @@ public static function initialize_settings_renderer() {
 					$form['schedulePendingMessage'] = rgar( $values, 'schedulePendingMessage' );
 					$form['scheduleMessage']        = rgar( $values, 'scheduleMessage' );
 
-					// Form Options
-					$form['enableHoneypot']  = (bool) rgar( $values, 'enableHoneypot' );
-					$form['honeypotAction']  = GFCommon::whitelist( rgar( $values, 'honeypotAction' ), array( 'spam', 'abort' ) );
+					// Spam Detection.
+					$form['enableHoneypot'] = (bool) rgar( $values, 'enableHoneypot' );
+					$form['honeypotAction'] = GFCommon::whitelist(
+						rgar( $values, 'honeypotAction' ),
+						array(
+							'spam',
+							'abort',
+						)
+					);
+
+					$form['enableSubmitSpeedCheck']    = (bool) rgar( $values, 'enableSubmitSpeedCheck' );
+					$form['submitSpeedCheckThreshold'] = absint( rgar( $values, 'submitSpeedCheckThreshold' ) );
+					$form['submitSpeedCheckMode']      = GFCommon::whitelist(
+						rgar( $values, 'submitSpeedCheckMode' ),
+						array(
+							'normal',
+							'strict',
+						)
+					);
+
+					// Form Options.
 					$form['enableAnimation'] = (bool) rgar( $values, 'enableAnimation' );
 					$form['markupVersion']   = rgar( $values, 'markupVersion' ) ? 1 : 2;
 

form_display.php

@@ -5487,7 +5487,14 @@ private static function copy_post_image( $url, $post_id ) {
 
 		// the source path
 		$upload_root_info = GF_Field_FileUpload::get_upload_root_info( $form_id );
-		$path             = str_replace( $upload_root_info['url'], $upload_root_info['path'], $url );
+		if ( ! str_starts_with( $url, $upload_root_info['url'] ) ) {
+			return false;
+		}
+
+		$path = str_replace( $upload_root_info['url'], $upload_root_info['path'], $url );
+		if ( ! file_exists( $path ) ) {
+			return false;
+		}
 
 		// copy the file to the destination path
 		if ( ! copy( $path, $new_file ) ) {

form_settings.php

@@ -3,7 +3,7 @@
 Plugin Name: Gravity Forms
 Plugin URI: https://gravityforms.com
 Description: Easily create web forms and manage form entries within the WordPress admin.
-Version: 2.9.20
+Version: 2.9.21
 Requires at least: 6.5
 Requires PHP: 7.4
 Author: Gravity Forms
@@ -257,7 +257,7 @@ class GFForms {
 	 *
 	 * @var string $version The version number.
 	 */
-	public static $version = '2.9.20';
+	public static $version = '2.9.21';
 
 	/**
 	 * Handles background upgrade tasks.
@@ -2698,7 +2698,7 @@ public static function get_status_messages( $plugin_name, $plugin_data, $slug =
 							/* translators: %1$s Plugin name %2$s and %3$s are link tag markup */
 							__( 'The %1$s is not available with the configured license; please visit the %2$sGravity Forms website%3$s to verify your license. ', 'gravityforms' ),
 								esc_html( rgar( $plugin_data, 'Name' ) ),
-								'<a href="https://www.gravityforms.com/my-account/licenses/?utm_source=gf-admin&utm_medium=purchase-link&utm_campaign=license-enforcement" target="_blank">',
+								'<a href="https://account.gravity.com/?utm_source=gf-admin&utm_medium=purchase-link&utm_campaign=license-enforcement" target="_blank">',
 								'<span class="screen-reader-text">' . esc_html__( '(opens in a new tab)', 'gravityforms' ) . '</span>&nbsp;<span class="gform-icon gform-icon--external-link" aria-hidden="true"></span></a>'
 							);
 			}