Validating PayPal Pay Now and other cut and paste payment buttons as legitimate code - validation

We have a site where we allow members to sell items they have made.
The items are displayed in a container including a name, description, images and price. The container also contains space for a Purchase button.
The content of each container is controlled by the member in an editor. Part of the editor is a text area where they can cut and paste the code for a PayPal Pay-Now button (or a similar button from another service).
We already have all of this working; when the container is displayed the Pay Now button is shown and is functional.
My question is: how best to validate the code the member pastes into the editor as legitimate pay-button code and not something malicious before it's saved to the DB?
I’ve set up a dropdown where the member selects the source of the code (PayPal, Stripe, etc) which would allow validation based on the selected source.
What I need is a resource for the validation code itself. Has someone done anything like this, some regex out there or maybe a service?
This is a .NET 5.0 site using Razor Pages.

Site builders either allow an arbitrary HTML/JS widget, or provide their own payment service integrations that implement payment buttons.
You will not find anyone validating button code; it's not done.
For PayPal Checkout, see the documentation on the payee object for sending funds to another account: https://developer.paypal.com/docs/checkout/integration-features/pay-another-account/
This payee object can be used in a client-side integration with no server, if you don't want to implement a backend; see https://developer.paypal.com/demo/checkout/#/pattern/client for an example
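The answer's second option, a site-provided integration, in working form: instead of storing the HTML/JS a member pastes, the site stores only structured fields (payee email, amount, currency, item name), validates them, and renders the PayPal button from its own template with the `payee` object filled in. This is an added example, not code from the original post or from PayPal; the field names, the currency allowlist and the container markup are assumptions, and the `purchase_units` shape follows the PayPal JS SDK v2 Orders integration as documented at the linked pages (check it against the current docs before relying on it).

```javascript
// Added example: structured seller input -> validated listing -> site-rendered PayPal button.
// Nothing the member typed ever reaches the page as markup or script.
const ALLOWED_CURRENCIES = new Set(['USD', 'EUR', 'GBP', 'CAD', 'AUD']); // assumption: site policy
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
const AMOUNT_RE = /^\d{1,7}(\.\d{1,2})?$/; // plain decimal, at most two places

function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) =>
    ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]));
}

// Validate and normalise the seller's fields; throws on anything unexpected.
function validateListing(input) {
  const errors = [];
  const payeeEmail = String(input.payeeEmail || '').trim();
  const amount = String(input.amount || '').trim();
  const currency = String(input.currency || '').trim().toUpperCase();
  const itemName = String(input.itemName || '').trim();
  if (!EMAIL_RE.test(payeeEmail) || payeeEmail.length > 254) errors.push('payeeEmail');
  if (!AMOUNT_RE.test(amount) || Number(amount) <= 0) errors.push('amount');
  if (!ALLOWED_CURRENCIES.has(currency)) errors.push('currency');
  if (itemName.length === 0 || itemName.length > 127) errors.push('itemName');
  if (errors.length) throw new Error('invalid listing fields: ' + errors.join(', '));
  return { payeeEmail, amount: Number(amount).toFixed(2), currency, itemName };
}

// The purchase_units array handed to actions.order.create in createOrder;
// payee.email_address directs the funds to the member's account.
function buildPurchaseUnits(listing) {
  return [{
    description: listing.itemName,
    amount: { currency_code: listing.currency, value: listing.amount },
    payee: { email_address: listing.payeeEmail },
  }];
}

// Server-side template (Razor in the real site): the only HTML on the page is ours.
function renderButtonContainer(listing, containerId) {
  return `<div id="${escapeHtml(containerId)}" data-item="${escapeHtml(listing.itemName)}"></div>`;
}

// Browser-side wiring; returns false outside a page that loaded the PayPal SDK.
function mountButton(listing, containerId) {
  if (typeof paypal === 'undefined') return false;
  paypal.Buttons({
    createOrder: (data, actions) =>
      actions.order.create({ purchase_units: buildPurchaseUnits(listing) }),
    onApprove: (data, actions) => actions.order.capture(),
  }).render('#' + containerId);
  return true;
}
```

The dropdown for "source of the code" then selects a template (PayPal, Stripe, ...) rather than a validator, and the member never supplies markup at all.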

Related

PayPal integration in Laravel site

I need to implement PayPal payment in my Laravel site. I was going for the server side integration, in order to save all the data, transactions and know what they actually bought. But turns out that [the older] server-side integration method [that I was looking at] is archived, and not really the preferred method anymore. Instead, they suggest using the smart buttons, with front end integration only.
Questions:
Is front-end only safe? What prevents the user from messing with the JavaScript and editing the sum to whatever they want?
How do I know what they ordered if it is all front end?
What would I have to do if the paid sum does not correspond to the articles in the cart?
What should I be aware of with this system?
Smart Payment Buttons can be used with or without a server-side component.
Here is the front-end pattern that communicates with a server-side integration: https://developer.paypal.com/demo/checkout/#/pattern/server
Notice the fetches to two '/demo/...' placeholder endpoints, which need to be replaced with actual routes of yours. The first should create a v2/order via API and return the orderID. The second should capture that order after the payer approves it via Smart Payment Buttons.
The answers to your questions re: a serverless (client-side only) pattern are:
Nothing
Only what you program the JavaScript to tell you and which it actually successfully tells you, or what you read via email or in your PayPal account or app notifications
Refund the transaction
It's for people who don't want to do the work of implementing server-side routes and API calls.
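The two server-side routes the answer describes, as an added example that is not part of the original answer, written in Node rather than PHP so it runs stand-alone (the same checks belong in the equivalent Laravel routes). The catalogue, SKUs, route names and the sample capture response are constructed; the request and response field names follow the PayPal v2 Orders API as documented, but verify them against the current docs. The point it shows: the price is computed from server-side data, and the capture response is compared with what was recorded before anything ships, which is what makes the JavaScript untamperable in practice.

```javascript
// Added example: server side of the create-order / capture pattern.
const CATALOGUE = { // constructed catalogue; real prices live in the database
  'mug-01': { name: 'Hand-thrown mug', price: '12.50' },
  'bowl-02': { name: 'Salad bowl', price: '30.00' },
};
const CURRENCY = 'EUR';
const pendingOrders = new Map(); // orderId -> { cents, currency, fulfilled }

function toCents(value) { return Math.round(Number(value) * 100); }
function fromCents(cents) { return (cents / 100).toFixed(2); }

// Route 1 (e.g. POST /paypal/create-order): the browser sends SKUs and quantities only;
// every price is looked up here, so editing the client JavaScript cannot change the order.
function buildCreateOrderBody(cart) {
  if (!Array.isArray(cart) || cart.length === 0) throw new Error('empty cart');
  let totalCents = 0;
  const items = [];
  for (const line of cart) {
    const item = CATALOGUE[line.sku];
    if (!item || !Number.isInteger(line.qty) || line.qty < 1 || line.qty > 99) {
      throw new Error('rejected cart line: ' + JSON.stringify(line));
    }
    totalCents += toCents(item.price) * line.qty;
    items.push({ name: item.name, quantity: String(line.qty),
                 unit_amount: { currency_code: CURRENCY, value: item.price } });
  }
  const total = fromCents(totalCents);
  return {
    intent: 'CAPTURE',
    purchase_units: [{
      amount: { currency_code: CURRENCY, value: total,
                breakdown: { item_total: { currency_code: CURRENCY, value: total } } },
      items,
    }],
  };
}

// Once the Orders API has returned an id for that body, remember what we expect to be paid.
function recordPendingOrder(orderId, body) {
  const amount = body.purchase_units[0].amount;
  pendingOrders.set(orderId, { cents: toCents(amount.value), currency: amount.currency_code, fulfilled: false });
}

// Route 2 (e.g. POST /paypal/capture-order): after calling the capture API, compare its
// response with the recorded expectation; only then mark the order for fulfilment.
function verifyCapture(orderId, captureResponse) {
  const expected = pendingOrders.get(orderId);
  if (!expected) return { ok: false, reason: 'unknown order' };
  if (expected.fulfilled) return { ok: false, reason: 'already fulfilled' };
  if (!captureResponse || captureResponse.id !== orderId) return { ok: false, reason: 'id mismatch' };
  if (captureResponse.status !== 'COMPLETED') return { ok: false, reason: 'status ' + captureResponse.status };
  const unit = (captureResponse.purchase_units || [])[0] || {};
  const captures = (unit.payments || {}).captures || [];
  const first = captures[0];
  if (!first || first.status !== 'COMPLETED') return { ok: false, reason: 'no completed capture' };
  if (first.amount.currency_code !== expected.currency || toCents(first.amount.value) !== expected.cents) {
    return { ok: false, reason: 'amount mismatch' };
  }
  expected.fulfilled = true; // a replayed capture response cannot ship the order twice
  return { ok: true, captureId: first.id };
}

// Constructed stand-in for a v2 capture response; only the values are made up.
function sampleCaptureResponse(orderId, value, currency) {
  return {
    id: orderId,
    status: 'COMPLETED',
    purchase_units: [{ payments: { captures: [
      { id: 'CAP-' + orderId, status: 'COMPLETED', amount: { currency_code: currency, value } },
    ] } }],
  };
}
```

With this in place the answer to "what if the paid sum does not match" becomes: it cannot, because the order was created for the server's total; a mismatch at capture time means the record or the response was tampered with, and `verifyCapture` refuses it instead of shipping.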

Google reCAPTCHA v3 should go in every page or not?

I'm migrating from Google reCAPTCHA v2 to v3. As they are quite different, I have a question.
I used to place my reCAPTCHA v2 only inside web pages where a form exists, to make users click and avoid bots. That's understood, ok, but with reCAPTCHA v3 there is NO checkbox to click on (reCAPTCHA v3 analyzes the user's behaviour and clicks).
So... should I place reCAPTCHA v3 just on form pages, or should I place it on each and every page I have (to let reCAPTCHA observe how the user interacts with the site)?
I would disagree with Galzor’s answer. The documentation says that
The score is based on interactions with your site and enables you to take an appropriate action for your site.
It’s “site” and not page. It goes on to say
reCAPTCHA works best when it has the most context about interactions with your site, which comes from seeing both legitimate and abusive behavior. For this reason, we recommend including reCAPTCHA verification on forms or actions as well as in the background of pages for analytics.
To me that last sentence means “every page with analytics on my site” — i.e. every page, whether it has a form on it or not. Which then gives rise to all sorts of privacy concerns, see also here.
Now my question is: what does the “reCAPTCHA verification” refer to? Including the api.js script or executing something or… 🤔
Unfortunately, the docs don’t spell this out clearly.
Addendum
(Feb 2023)
I switched to hCaptcha and their docs are also somewhat unclear. However, their customer service responded with
You should add the script and the DOM container with hCaptcha widget only on the contact form page and then call our /siteverify endpoint to validate the user.
and
Same scenario for second case, add it only on the sign up page and if validated within our side the user should be able to log in.
Based on that response I added the CAPTCHA only to the Contact page of my website and to the Sign Up page of the webapp.
Not sure this would also apply to Google’s CAPTCHA, though.
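Whatever the docs mean by background analytics, the part that actually protects a form is the same for reCAPTCHA v3 and for hCaptcha: the form page obtains a token, and the server posts that token to the provider's siteverify endpoint and inspects the JSON before acting. The following is an added example, not code from either answer; the site key, secret, action name, hostnames, score threshold and the sample siteverify responses are constructed, and the request/response fields are the ones Google documents for v3 (`success`, `score`, `action`, `challenge_ts`, `hostname`, `error-codes`). The server-side check goes beyond the `success` flag, since for v3 the action, hostname, token age and score are what decide whether to accept the submission.

```javascript
// Added example: reCAPTCHA v3 on the form page plus the server-side siteverify decision.
const DEFAULTS = { threshold: 0.5, maxAgeMs: 2 * 60 * 1000 }; // assumptions: site policy; tokens expire after 2 minutes

// Browser side, only on pages with a protected form: fetch a token at submit time.
function attachRecaptchaV3(form, siteKey, action) {
  if (typeof grecaptcha === 'undefined') return false; // api.js not loaded, or not in a browser
  form.addEventListener('submit', (ev) => {
    ev.preventDefault();
    grecaptcha.ready(() => {
      grecaptcha.execute(siteKey, { action }).then((token) => {
        form.querySelector('input[name="g-recaptcha-response"]').value = token;
        form.submit();
      });
    });
  });
  return true;
}

// Server side: the form-encoded POST to Google's siteverify endpoint.
// (hCaptcha's endpoint takes the same secret/response fields at a different URL.)
function buildSiteverifyRequest(secret, token, remoteIp) {
  const params = new URLSearchParams({ secret, response: token });
  if (remoteIp) params.set('remoteip', remoteIp);
  return {
    url: 'https://www.google.com/recaptcha/api/siteverify',
    method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: params.toString(),
  };
}

// Server side: decide from the siteverify JSON. `expected` carries the action name the
// form page used, the hostnames this site serves, and optional policy overrides.
function evaluateSiteverify(resp, expected, now = Date.now()) {
  const opts = Object.assign({}, DEFAULTS, expected);
  if (!resp || resp.success !== true) {
    const codes = (resp && resp['error-codes']) || [];
    return { allow: false, reason: 'verification failed: ' + codes.join(',') };
  }
  if (resp.action !== opts.action) return { allow: false, reason: 'action mismatch' };
  if (opts.hostnames && !opts.hostnames.includes(resp.hostname)) return { allow: false, reason: 'hostname mismatch' };
  const issued = Date.parse(resp.challenge_ts);
  if (Number.isNaN(issued) || now - issued > opts.maxAgeMs) return { allow: false, reason: 'token too old' };
  if (typeof resp.score !== 'number' || resp.score < opts.threshold) return { allow: false, reason: 'score ' + resp.score };
  return { allow: true, score: resp.score };
}

// Constructed siteverify response for a sample run (not a real Google reply).
function sampleSiteverify(overrides) {
  return Object.assign({
    success: true, score: 0.9, action: 'contact', challenge_ts: '2023-02-01T10:00:00Z', hostname: 'www.example.com',
  }, overrides);
}
```

A low score is a signal, not a verdict: the usual response is to fall back to a second factor (e-mail confirmation, a v2 checkbox) rather than to reject outright.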
I don't think it should go on every page. Mostly, users will find it too intrusive on all pages. In my opinion, use it on pages with a form only.

Deeplink from bot to tab in Microsoft Teams

I am currently working on a bot specifically targeting Teams. The search feature in this bot returns around 200-500 results. Even though I have integrated refiners to narrow down search results, I still have to show around 50-100 records under a refined label. I am trying to avoid showing 100+ records as a carousel or list view in the bot. So I thought of integrating a tab with the bot and sharing a deep link to the tab, where the user can see the complete search result in a data table (jQuery).
I am unable to figure out two things with this approach and need help.
Tab content might be hosted on a different domain and needs authorization. How do I pass authorization info to the content URL without asking the user to log in?
How do I pass custom parameters while creating a deep link to a tab, and read custom data in the tab? For example, userID, accessToken.
Note: I am using AzureADV1 token with Adal.Net for Bot authentication, and storing token cache in a persistent storage.
I appreciate any help on this.
You can include a "context" parameter in your static tab deep link, similar to the configurable tab deep link. If you include a "subEntityId" property in this context, you can get the value inside your static tab by calling getContext(). Then you can render filtered results based on this sub-entity ID.
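The deep link and the tab-side read-back described in the answer, as an added example that is not part of the original answer. The link format (`https://teams.microsoft.com/l/entity/<appId>/<entityId>?context=<URL-encoded JSON>`) is the static-tab deep link format as documented by Microsoft at the time of the answer; check it against the current Teams docs, and the app ID, entity ID and `srch_...` reference are constructed. On the question's second point: a deep link is a URL, so it will end up in chat history and logs, and the example deliberately refuses to carry an access token in `subEntityId`. The bot stores the search result server-side under an opaque id, the link carries only that id, and the tab fetches the results with its own authentication (Teams SSO or the bot's existing token cache).

```javascript
// Added example: bot builds a static-tab deep link carrying an opaque reference;
// the tab reads it back from getContext() and validates it before use.
const SUB_ENTITY_RE = /^[A-Za-z0-9_-]{1,64}$/; // assumption: our search ids look like this

// Bot side.
function buildTabDeepLink(appId, entityId, subEntityId, label) {
  if (!SUB_ENTITY_RE.test(subEntityId)) {
    throw new Error('subEntityId must be an opaque, URL-safe reference (never a token)');
  }
  const base = `https://teams.microsoft.com/l/entity/${encodeURIComponent(appId)}/${encodeURIComponent(entityId)}`;
  const params = new URLSearchParams();
  if (label) params.set('label', label);
  params.set('context', JSON.stringify({ subEntityId }));
  return `${base}?${params.toString()}`;
}

// Tab side: pull the reference out of the context object Teams hands us and refuse anything else.
function readSubEntityId(context) {
  const id = context && context.subEntityId;
  return typeof id === 'string' && SUB_ENTITY_RE.test(id) ? id : null;
}

// Tab side wiring; returns false outside a page that loaded the Teams JS SDK.
function onTabLoaded(renderResults) {
  if (typeof microsoftTeams === 'undefined') return false;
  microsoftTeams.initialize();
  microsoftTeams.getContext((ctx) => {
    const searchId = readSubEntityId(ctx);
    if (searchId) renderResults(searchId); // fetch the stored results for searchId with the tab's own auth
  });
  return true;
}

// Diagnostics: parse the context back out of a deep link.
function parseDeepLinkContext(link) {
  const raw = new URL(link).searchParams.get('context');
  return raw ? JSON.parse(raw) : null;
}
```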

MVC3 - How to check if user clicked on the link you sent through e-mail in .net?

I'm running an e-commerce website and I send my customers regular newsletters.
I'm using nopcommerce v2.40.
I just see who all are subscribed. I want to develop a detailed newsletter management system, something like MailChimp.
I want a report on how many users actually clicked on the link that I sent them via e-mail.
Can anyone tell me how to do that?
This is a pretty generalized question but I'm new at this and I have no idea how to do it.
Thank you !
You can do this sort of thing quite simply with Google Analytics.
Here are some links worth looking at.
Google Analytics Email Tracking
Setting up campaign tracking in Google Analytics
Simple: in your email newsletter, add the params you need to collect.
Example
click to view
Every time someone clicks on the above link, they are taken to your default controller, which collects the clicks and any other parameters you want. You then save that data and redirect to the actual page you want them to see, via the "redirect" parameter provided in the URL.

How to provide a gift card code automatically to a user who likes a product on a Magento-based ecommerce site

Is there any way to link the Facebook Like feature with the Magento gift card code? For example, if any user/visitor likes any product on the site, the store administrator wants to send a gift code automatically to that user. This should happen automatically, without any manual process.
Thanks,
Rather than sending a gift card code, you should generate a one time use coupon code and send them that.
In terms of tracking the Facebook like, you can use Facebook's FB.Event.subscribe method which is a part of their JavaScript SDK. A simple snippet will allow you to listen for a "like" event, the SDK will then provide you with a callback containing the URL liked (the current page). You can pretty much do whatever you want from there.
Everything you need should be here: Facebook JS SDK
