
Forms: Validate field type format in get_field_type_icon#47965

Merged
vianasw merged 1 commit into trunk from fix/forms-icon-field-type-validation on Apr 9, 2026

Conversation

@vianasw
Contributor

@vianasw vianasw commented Apr 7, 2026

Fixes FORMS-656

Proposed changes

Contact_Form::get_field_type_icon() builds a filesystem path from the $field_type value before reading the corresponding icon.svg file. The helper trusted whatever the caller passed in, so a non-conforming $field_type could yield an unexpected file lookup. While the existing /icon.svg suffix on the path significantly limits any practical impact (only files literally named icon.svg can ever be read, and the standard set of those in WordPress are public block/plugin icons), the absence of input validation on a value that drives a filesystem call is still worth tightening as a hardening / code-quality improvement.

The fix is a strict format check at the top of the helper:

if ( ! is_string( $field_type ) || ! preg_match( '/^[a-z][a-z0-9-]*$/', $field_type ) ) {
    return '';
}

Valid types are non-empty strings of lowercase letters, digits, and hyphens, starting with a letter. Anything else returns the same empty string the helper already returns when an icon file is missing, so caller flow is unchanged for legitimate types.

Why a regex format check vs. a hardcoded allowlist:

  • No filesystem I/O (vs. globbing blocks/field-* to build a runtime list)
  • No maintenance burden (vs. a hardcoded list that needs updating every time a new field type is added)
  • Catches the value at the boundary where it enters typed code, which is the right place to enforce a format invariant

Other information

  • Have you written new tests for your changes, if applicable?
  • Have you checked the E2E test CI results, and verified that your changes do not break them?
  • Have you tested your changes on WordPress.com, if applicable?

Related product discussion/links

  • N/A

Does this pull request change what data or activity we track or use?

No.

Testing instructions

  1. Apply this branch and build the forms package.
  2. Run the new tests:
    cd projects/packages/forms
    vendor/bin/phpunit -c phpunit.11.xml.dist tests/php/contact-form/Contact_Form_Test.php --filter='get_field_type_icon'
    
    Expect 21 passing tests covering both rejected formats (parent-path tokens, percent-encoded segments, backslashes, leading slash, null bytes, uppercase letters, leading digit, leading hyphen, whitespace, non-string types, empty string) and accepted formats (text, email, textarea, phone, telephone, radio, checkbox-multiple, image-select).
  3. Manual sanity check: in a Forms-enabled WP install, edit a form block in the editor and verify icon rendering still works for the standard field types in the inserter and the success-summary view. The standard field types and their hyphenated exception-map entries (phone, telephone, radio, checkbox-multiple) should all render their icons identically to before.

Add a format check at the top of get_field_type_icon(): the $field_type
argument must be a non-empty string of lowercase letters, digits, and
hyphens, starting with a letter. Anything else returns the same empty
string the helper already returns when an icon file is missing, so the
caller flow is unchanged for legitimate types.

Tests cover the rejected formats (non-strings, uppercase, leading
digits, leading hyphens, internal whitespace, empty string) and a
positive set of legitimate field types including the hyphenated entries
that go through the existing exception map.

Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
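As an added example that is not part of this PR or the Jetpack Forms code: a standalone PHP helper with the same shape as the hardened get_field_type_icon(), exercised against a constructed temporary directory. The blocks directory layout and the exception map are assumptions for the demo; the regex goes one step beyond the PR's by adding PCRE's D modifier, since a bare `$` also matches before one trailing newline.

```php
<?php
declare(strict_types=1);
// Added example, not the Jetpack Forms code. Directory layout and the
// exception map are assumptions for this demo, not the plugin's real values.

/** Icon file contents for a field type, or '' if the type is malformed or has no icon. */
function demo_get_field_type_icon( $field_type, string $blocks_dir ): string {
    // Format invariant enforced where the value enters typed code: lowercase
    // letters, digits and hyphens, starting with a letter. The D modifier makes
    // $ match only at the very end, so "text\n" is rejected too. Rejected
    // values never reach the path construction below.
    if ( ! is_string( $field_type ) || ! preg_match( '/^[a-z][a-z0-9-]*$/D', $field_type ) ) {
        return '';
    }
    $exceptions = array( 'telephone' => 'phone' ); // hypothetical exception map
    $dir_name   = $exceptions[ $field_type ] ?? $field_type;
    $path       = $blocks_dir . '/field-' . $dir_name . '/icon.svg';
    return is_file( $path ) ? (string) file_get_contents( $path ) : '';
}

function check( string $label, string $actual, string $expected ): void {
    if ( $actual !== $expected ) {
        throw new RuntimeException( "$label: got '$actual', expected '$expected'" );
    }
}

// Constructed fixture: two icon files under a temporary blocks directory.
$root = sys_get_temp_dir() . '/field-icon-demo-' . getmypid();
foreach ( array( 'text', 'phone' ) as $type ) {
    mkdir( "$root/field-$type", 0700, true );
    file_put_contents( "$root/field-$type/icon.svg", "<svg data-type=\"$type\"/>" );
}

$cases = array(
    array( 'text',              '<svg data-type="text"/>' ),  // plain type
    array( 'telephone',         '<svg data-type="phone"/>' ), // via exception map
    array( 'checkbox-multiple', '' ),                         // well-formed, no icon in fixture
    array( 'Text',              '' ),                         // uppercase rejected
    array( '1text',             '' ),                         // leading digit rejected
    array( '-text',             '' ),                         // leading hyphen rejected
    array( 'te xt',             '' ),                         // whitespace rejected
    array( "text\n",            '' ),                         // trailing newline rejected (D modifier)
    array( "text\0",            '' ),                         // null byte rejected
    array( '',                  '' ),                         // empty string rejected
    array( 42,                  '' ),                         // non-string rejected
    array( null,                '' ),                         // non-string rejected
);
foreach ( $cases as list( $input, $expected ) ) {
    check( var_export( $input, true ), demo_get_field_type_icon( $input, $root ), $expected );
}
echo 'all ' . count( $cases ) . " cases behaved as expected\n";
```

Run it with `php demo.php`; the script throws on the first case whose return value differs from the expected one, so a silent exit with the final line printed means every rejected and accepted format behaved as described.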
@vianasw vianasw added the [Status] Needs Review This PR is ready for review. label Apr 7, 2026
@vianasw vianasw self-assigned this Apr 7, 2026
@github-actions
Contributor

github-actions bot commented Apr 7, 2026

Are you an Automattician? Please test your changes on all WordPress.com environments to help mitigate accidental explosions.

  • To test on WoA, go to the Plugins menu on a WoA dev site. Click on the "Upload" button and follow the upgrade flow to be able to upload, install, and activate the Jetpack Beta plugin. Once the plugin is active, go to Jetpack > Jetpack Beta, select your plugin (Jetpack), and enable the fix/forms-icon-field-type-validation branch.
  • To test on Simple, run the following command on your sandbox:
bin/jetpack-downloader test jetpack fix/forms-icon-field-type-validation

Interested in more tips and information?

  • In your local development environment, use the jetpack rsync command to sync your changes to a WoA dev blog.
  • Read more about our development workflow here: PCYsg-eg0-p2
  • Figure out when your changes will be shipped to customers here: PCYsg-eg5-p2

@github-actions
Contributor

github-actions bot commented Apr 7, 2026

Thank you for your PR!

When contributing to Jetpack, we have a few suggestions that can help us test and review your patch:

  • ✅ Include a description of your PR changes.
  • ✅ Add a "[Status]" label (In Progress, Needs Review, ...).
  • ✅ Add testing instructions.
  • ✅ Specify whether this PR includes any changes to data or privacy.
  • ✅ Add changelog entries to affected projects

This comment will be updated as you work on your PR and make changes. If you think that some of those checks are not needed for your PR, please explain why you think so. Thanks for cooperation 🤖


Follow this PR Review Process:

  1. Ensure all required checks appearing at the bottom of this PR are passing.
  2. Make sure to test your changes on all platforms that it applies to. You're responsible for the quality of the code you ship.
  3. You can use GitHub's Reviewers functionality to request a review.
  4. When it's reviewed and merged, you will be pinged in Slack to deploy the changes to WordPress.com simple once the build is done.

If you have questions about anything, reach out in #jetpack-developers for guidance!

@jp-launch-control

Code Coverage Summary

Coverage changed in 1 file.

File Coverage Δ% Δ Uncovered
projects/packages/forms/src/contact-form/class-contact-form.php 973/1528 (63.68%) 1.16% -17 💚

Full summary · PHP report · JS report

@vianasw vianasw requested a review from a team April 7, 2026 17:51
Member

@enejb enejb left a comment


Nice fix. The fix makes sense to me :)

@vianasw vianasw merged commit 7a575a4 into trunk Apr 9, 2026
75 checks passed
@vianasw vianasw deleted the fix/forms-icon-field-type-validation branch April 9, 2026 08:05
@github-actions github-actions bot removed the [Status] Needs Review This PR is ready for review. label Apr 9, 2026