PHP injection into the embed block not working?

Question
1

Hi all,

I have an embed on my Sparkle page, and I’m using PHP to inject the user’s email into the block:

<div data-tf-widget="LbSe5mu5" data-tf-opacity="0" data-tf-hide-headers data-tf-iframe-props="title=My Custom Plan" data-tf-hidden="email=<?php echo $email; ?>" style="width:100%;height:800px;"></div><script src="//embed.typeform.com/next/embed.js"></script>

It doesn’t seem to work correctly. I have it set up like this:

Any ideas?

2

Do you have a cookie banner on the site? The most likely issue is the “Activate after consent” checkbox, which causes the contained code to not be activated until the cookie banner is accepted.

In practice this transforms the code to prevent it from being interpreted immediately, and when the cookie is recognized the code is turned back into a working form.

However the transformed code is not recognized as PHP by the server, so the email address isn’t substituted there.

Or it might be a simpler issue of having used $email instead of $GET['email'] (though you shouldn’t do that without sanitizing the input first).

3

I don’t have a banner or activate-on-consent on this:

https://fluent-forever.com/go/my-custom-plan.php?email=chris%40test.com

You can see the blank injection in the email portion of the JS.

EDIT: Also you can see that the JS embed of Typeform works, but just not the PHP part.

Other thoughts?

4

You don’t see the PHP part because it’s processed on the server. If your code is literally <?php echo $email; ?> that doesn’t take a variable from the query string as you expect. You need at least <?php echo $GET['email']; ?> (but as mentioned don’t do this because it’s not sanitizing the input and is a security issue).

5

Ahhh I’m so dumb, I think you told me this years ago with a similar injection, thanks!

(Just need it for prototyping at the moment, I’ll let engineering figure out the sanitation. :wink: