
I'm building a subscription system with Stripe, and now I'm making an application form.
I'm stuck because $email is not being assigned in the script.

Is there a special way to assign it in the script?

Thanks in advance.

function pay_test () {
    // Load WordPress so the shortcode can reach the current user object.
    require_once('/home/users/1/main.jp-418544100b38ce51/web/hogehoge/wp-load.php');
    global $current_user;
    get_currentuserinfo();   // deprecated since WP 4.5; wp_get_current_user() is the replacement
    // The trailing "\n" is carried into the data-email attribute value below.
    $email = $current_user->user_email . "\n";
    var_dump($email);
    echo "$email";
    // Note: a shortcode callback should normally return its markup rather than echo it.
    echo '
        <form action="https://hogehoge.com/wp-content/themes/ALC/paysystem/checkout.php" method="POST">
            <script src="https://checkout.stripe.com/checkout.js"
                data-key="pk_test_hogehoge"
                data-amount="903"
                data-name="Hagehoge Plan"
                data-description="Hogehoge Support, Hogehoge Agent"
                data-image="https://stripe.com/img/documentation/checkout/marketplace.png"
                data-locale="auto"
                data-currency="jpy"
                data-zip-code="false"
                data-allow-remember-me="false"
                data-email="' . $email . '"
                data-label="Apply">
            </script>
        </form>';
}
add_shortcode('pay_test', 'pay_test');


With data-email="[email protected]" written literally, the email address is firmly fixed in the Stripe form,

but when I use the variable as above, the email address can be entered freely, the same as when there is no data-email="" at all.

Experiment

function pay_test () {
    // Load WordPress so the shortcode can reach the current user object.
    require_once('/home/users/1/main.jp-418544100b38ce51/web/hogehoge/wp-load.php');
    global $current_user;
    get_currentuserinfo();   // deprecated since WP 4.5; wp_get_current_user() is the replacement
    // The trailing "\n" is carried into the data-email attribute value below.
    $email = $current_user->user_email . "\n";
    var_dump($email);
    echo "$email";
    // Plain string with no trailing newline, used to compare against $email.
    $label = 'Do not apply';
    echo '
        <form action="https://familialiber.com/wp-content/themes/ALC/paysystem/checkout.php" method="POST">
            <script src="https://checkout.stripe.com/checkout.js"
                data-key="pk_test_4yIXhjDfhtNf2LHWnMIcVIYH"
                data-amount="903"
                data-name="Economy Plan"
                data-description="Chat Support/Video Editing Agency"
                data-image="https://stripe.com/img/documentation/checkout/marketplace.png"
                data-locale="auto"
                data-currency="jpy"
                data-zip-code="false"
                data-allow-remember-me="false"
                data-email="' . $email . '"
                data-label="' . $label . '">
            </script>
        </form>
        ';
}
add_shortcode('pay_test', 'pay_test');

When I tried this, the variable was properly substituted into the $label part, but $email was not substituted. It's a mystery.

  • Answer # 1

    I see this is marked as resolved, but I'm concerned about a vulnerability, so I'll comment.
    If you output $email without escaping it with htmlspecialchars or similar, it is a cross-site scripting vulnerability.
    There may be validation that it is an email address, but the following attack string is valid as an email address and the JavaScript will execute.

    "><script>alert(1)</script>"@example.com

  • Answer # 2

    "\n"
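The two answers together point at the fix: the `"\n"` appended to `$email` ends up inside the attribute value, and the value is written into HTML without escaping. The following is an added example, not code from the original post or from Stripe; it trims the address before use (Answer #2), escapes every attribute value for the HTML attribute context (Answer #1), and returns the markup instead of echoing it so it works as a shortcode callback. The function names, the placeholder action URL and the `pk_test_hogehoge` key are assumptions; the two sample inputs are constructed.

```php
<?php
// Added example (not from the original post). Applies both answers:
// trim the stray "\n" and escape before writing into an HTML attribute.

/**
 * Normalise an address from $current_user->user_email. Returns the trimmed
 * address, or null if it is not syntactically an email address at all.
 */
function normalize_email(string $raw): ?string
{
    // trim() removes the trailing "\n" the question's code appended; a newline
    // inside the attribute value is what kept Checkout from pre-filling.
    $email = trim($raw);

    // Validation is only a sanity check, not the defence: a quoted local part
    // such as the attack string from Answer #1 may still pass as an address.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    return $email;
}

/** Escape one value for use inside a double-quoted HTML attribute. */
function attr(string $value): string
{
    // ENT_QUOTES turns '"' into &quot; so the value cannot close the attribute
    // early and inject a new tag. In WordPress, esc_attr() does the same job.
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/**
 * Build the Checkout form markup. Returned rather than echoed so it can be
 * used directly as the return value of a shortcode callback.
 */
function render_checkout_form(
    string $raw_email,
    string $label,
    string $action_url = 'https://hogehoge.com/wp-content/themes/ALC/paysystem/checkout.php', // placeholder
    string $publishable_key = 'pk_test_hogehoge'                                               // placeholder
): ?string {
    $email = normalize_email($raw_email);
    if ($email === null) {
        return null; // caller decides what to show a user with no usable address
    }

    $attrs = [
        'src'                    => 'https://checkout.stripe.com/checkout.js',
        'data-key'               => $publishable_key,
        'data-amount'            => '903',
        'data-currency'          => 'jpy',
        'data-name'              => 'Hogehoge Plan',
        'data-locale'            => 'auto',
        'data-zip-code'          => 'false',
        'data-allow-remember-me' => 'false',
        'data-email'             => $email,
        'data-label'             => $label,
    ];

    // Every value goes through attr(), whatever its origin.
    $script = '<script';
    foreach ($attrs as $name => $value) {
        $script .= ' ' . $name . '="' . attr($value) . '"';
    }
    $script .= '></script>';

    return '<form action="' . attr($action_url) . '" method="POST">'
        . "\n    " . $script . "\n</form>";
}

// Constructed inputs: the user's real address with the newline from the
// question, and the attack string from Answer #1.
$samples = [
    "user@example.com\n",
    '"><script>alert(1)</script>"@example.com',
];
foreach ($samples as $raw) {
    $html = render_checkout_form($raw, 'Apply');
    echo $html === null
        ? 'rejected: ' . json_encode($raw) . "\n"
        : $html . "\n\n";
}
```

For the first sample the attribute reads `data-email="user@example.com"` with no embedded newline, so Checkout pre-fills it. For the second, the quotes and angle brackets are emitted as `&quot;`, `&lt;` and `&gt;`, so the value stays inside the attribute and no script tag is created; in the original code the same string would have closed the attribute and injected markup.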