@marklchaves
Last active May 11, 2026 13:35
This snippet lets you reuse a single popup across many pages by passing values from the page URL into the popup content at the moment it appears.
<?php
/**
 * Popup Maker - Dynamic Variable Injection
 *
 * This snippet lets you reuse a single popup across many pages by passing
 * values from the page URL into the popup content at the moment it appears.
 *
 * --- HOW TO USE ---
 *
 * Step 1: In your popup content, add a placeholder like {{id}}
 *         Example: [my-shortcode id="{{id}}"]
 *
 * Step 2: On the page that opens the popup, add a query string to the URL
 *         Example: https://yoursite.com/page/?pum_vars[id]=123
 *
 * Step 3: When the popup opens, {{id}} is automatically replaced with 123
 *         Result: [my-shortcode id="123"]
 *
 * --- REFERENCE DOCS ---
 * Hooks reference: https://github.com/PopupMaker/Popup-Maker/wiki/Popup-Maker-WordPress-Hooks
 * Custom PHP guide: https://wppopupmaker.com/docs/getting-started-with-custom-code/getting-started-with-custom-php/
 */

/**
 * Register our function to run just before Popup Maker outputs the popup content.
 * Priority 10 runs at normal order. The "2" means we want both the content AND the popup ID passed in.
 */
add_filter( 'pum_popup_content', 'pum_inject_url_variable', 10, 2 );

/**
 * Look through the popup content for {{placeholder}} tags and swap them
 * with values from the page URL.
 *
 * @param string $content  The raw popup content before it appears on screen.
 * @param int    $popup_id The ID number of this popup (available if you need it for logging, etc.)
 * @return string The popup content with placeholders filled in.
 */
function pum_inject_url_variable( $content, $popup_id ) {
    // Check if the URL contains ?pum_vars[...]=... and that it is a list of values (array).
    // If nothing was passed in the URL, return the content unchanged.
    // wp_unslash() removes the slashes WordPress adds to request data.
    // phpcs:ignore WordPress.Security.NonceVerification.Recommended
    $raw_vars = isset( $_GET['pum_vars'] ) && is_array( $_GET['pum_vars'] )
        ? wp_unslash( $_GET['pum_vars'] )
        : [];

    if ( empty( $raw_vars ) ) {
        return $content;
    }

    // Clean each value from the URL to remove anything unexpected or unsafe.
    $vars = array_map( 'sanitize_text_field', $raw_vars );

    // Loop through each variable passed in the URL and swap its placeholder in the content.
    foreach ( $vars as $key => $value ) {
        // Clean the variable name (the part before the "=") so it only contains
        // letters, numbers, underscores, and dashes. sanitize_key() also
        // lowercases the name, so write placeholders in lowercase.
        $key = sanitize_key( $key );

        // Find {{key}} in the popup content and replace it with the cleaned value.
        $content = str_replace( '{{' . $key . '}}', esc_html( $value ), $content );
    }

    return $content;
}
/**
 * --- SECURITY NOTES ---
 *
 * Values in a URL can be changed by anyone, so we treat them as untrusted input.
 * Three layers of protection are applied:
 *
 * 1. sanitize_key( $key )
 *    Strips anything from the variable *name* that isn't a letter, number,
 *    dash, or underscore. Prevents someone from injecting a strange key.
 *
 * 2. sanitize_text_field( $value )
 *    Strips HTML tags and extra whitespace from each *value* coming from the URL.
 *    Prevents someone from slipping HTML or script tags into the popup via the URL.
 *
 * 3. esc_html( $value )
 *    Converts special characters (< > " & etc.) into safe HTML entities
 *    right before the value is placed into the popup content.
 *    This is the last line of defence against cross-site scripting (XSS).
 *
 * The phpcs:ignore comment on the $_GET line tells the code quality checker
 * that skipping nonce verification here is intentional — nonces are meant for
 * form submissions, not read-only display values like these.
 */
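
The three sanitizers in the security notes leave square brackets untouched, and the Step 1 usage places the value inside shortcode markup, so a stricter option is to accept only known placeholder names whose values have the expected shape. The following is an added example, not part of the gist or of Popup Maker; it is plain PHP, and `demo_validate_pum_vars`, the `plan` placeholder and both patterns are assumptions.

```php
<?php
// Added example, not part of the gist; plain PHP so it runs outside WordPress.
// Function name, placeholder names and patterns are assumptions.

// Keep only variables whose name is allow-listed and whose whole value
// matches the pattern declared for that name.
function demo_validate_pum_vars( $raw, array $rules ) {
    $clean = [];
    if ( ! is_array( $raw ) ) {
        return $clean;
    }
    foreach ( $rules as $name => $pattern ) {
        // Missing names and nested arrays (?pum_vars[id][]=1) are skipped.
        if ( ! isset( $raw[ $name ] ) || ! is_string( $raw[ $name ] ) ) {
            continue;
        }
        if ( 1 === preg_match( $pattern, $raw[ $name ] ) ) {
            $clean[ $name ] = $raw[ $name ];
        }
    }
    return $clean;
}

// Hypothetical rules: {{id}} is 1-10 digits, {{plan}} a short lowercase slug.
$rules = [
    'id'   => '/\A[0-9]{1,10}\z/',
    'plan' => '/\A[a-z0-9-]{1,32}\z/',
];

// Constructed sample inputs standing in for $_GET['pum_vars'].
$samples = [
    [ 'id' => '555', 'plan' => 'pro-annual' ], // both values accepted
    [ 'id' => '555]', 'color' => 'red' ],      // bracket rejected, unknown name ignored
    [ 'id' => [ '555' ] ],                     // nested array rejected
];

foreach ( $samples as $raw ) {
    $content = '[my-shortcode id="{{id}}" plan="{{plan}}"]';
    foreach ( demo_validate_pum_vars( $raw, $rules ) as $name => $value ) {
        // htmlspecialchars() stands in for esc_html() outside WordPress.
        $safe    = htmlspecialchars( $value, ENT_QUOTES, 'UTF-8' );
        $content = str_replace( '{{' . $name . '}}', $safe, $content );
    }
    // Blank any placeholder that received no valid value.
    $content = preg_replace( '/\{\{[a-z0-9_-]+\}\}/', '', $content );
    echo $content, PHP_EOL;
}
```

In the gist's filter, the validated array would take the place of `$raw_vars` before the replacement loop, with `esc_html()` still applied at output.
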
marklchaves commented May 11, 2026

Demo

  • Here we have a "mock" shortcode inside a Popup Maker popup.
  • We pass in id=555 via a URL.
  • The code snippet grabs that id value and "injects" it into the variable placeholder (double handlebars).
  • Lastly, the popup displays with the "mock" shortcode and the passed-in value.