Handle complex form fields when submitting checkout form

Our current way of handling the checkout form via ajax does not match the WC behavior, which submits the fields in a urlencoded request instead of JSON. When the form is submitted as a JSON object, PHP does not parse it into $_POST etc., so we do not get its handling of arrays, which breaks some plugins.
The form is now submitted as a urlencoded string inside the JSON and parsed via `parse_str`, which seems to handle it the same way as $_POST.
The parsing is handled in `RequestData` to avoid duplicating it in multiple places and to keep our weird sanitization here. Not sure if it's a good idea to sanitize so early, but for now keeping it like this to avoid major refactoring or introducing new vulnerabilities.
Alex P 2023-07-13 14:43:14 +03:00
parent 81f6340897
commit 639e8409c8
No known key found for this signature in database
GPG key ID: 54487A734A204D71
3 changed files with 12 additions and 5 deletions


@ -50,8 +50,6 @@ class CheckoutActionHandler {
const formSelector = this.config.context === 'checkout' ? 'form.checkout' : 'form#order_review';
const formData = new FormData(document.querySelector(formSelector));
// will not handle fields with multiple values (checkboxes, <select multiple>), but we do not care about this here
const formJsonObj = Object.fromEntries(formData.entries());
const createaccount = jQuery('#createaccount').is(":checked") ? true : false;
@ -72,7 +70,8 @@ class CheckoutActionHandler {
order_id:this.config.order_id,
payment_method: paymentMethod,
funding_source: fundingSource,
form: formJsonObj,
// send as urlencoded string to handle complex fields via PHP functions the same as normal form submit
form_encoded: new URLSearchParams(formData).toString(),
createaccount: createaccount
})
}).then(function (res) {
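Review bot: `new URLSearchParams(formData)` on the `form_encoded` line stringifies every FormData entry, so a file input added to the checkout form by a plugin is sent as the literal text `[object File]`, and the server-side `parse_str` result will carry it as if it were a real field value. Keeping only string entries avoids this, e.g. `form_encoded: new URLSearchParams([...formData].filter(([, v]) => typeof v === 'string')).toString(),`. The same expression is added in `FormValidator.validate`, so a small shared helper would keep both call sites consistent. The encoded string is entirely client-controlled, so the PHP side that parses it (not visible here) should keep treating the resulting array as untrusted input. The enclosing method starts and ends outside this hunk.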


@ -6,7 +6,6 @@ export default class FormValidator {
async validate(form) {
const formData = new FormData(form);
const formJsonObj = Object.fromEntries(formData.entries());
const res = await fetch(this.url, {
method: 'POST',
@ -16,7 +15,7 @@ export default class FormValidator {
credentials: 'same-origin',
body: JSON.stringify({
nonce: this.nonce,
form: formJsonObj,
form_encoded: new URLSearchParams(formData).toString(),
}),
});