I have some special characters in some of my URLs. For example:
http://blabla.com/title/?t=burası
When I link to those pages from other pages, I use:
URI.encode(s)
which produces this link:
/title/?t=buras%C4%B1
While everything is normal up to this point, I also have another form on the page that has the encoded URL. But browsers tend to decode my encoded URL when a user visits /title/?t=buras%C4%B1 and turn the URL into /title/?t=burası. The problem begins here, because when the user tries to send something from the form on the 'burası' page, Sinatra gives an error:
ERROR URI::InvalidURIError: bad URI(is not URI?): http://localhost:3000/title/?t=burası
I think it is because of the HTTP request's 'referrer' string, but I couldn't find any workarounds as long as browsers tend to decode the string automatically.
You should encode the URI in the FORM method.
For example, make your HTML FORM action look something like this:
<form action="/title/?t=buras%C4%B1" method="post">
Does that solve it for you?
(Edit: thanks x1a4 for the correction-- of course you're right! :)
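An added example (not code from the original posts) of the fix suggested in this answer, plus a defensive parse for URLs that arrive decoded, such as the Referer value the question suspects. The helper names `form_action`, `escape_non_ascii` and `parse_lenient` are hypothetical; `URI.encode_www_form` is used because `URI.encode` was removed in Ruby 3.0.

```ruby
require 'uri'

# Build a link or form action with the query percent-encoded as UTF-8.
def form_action(path, params)
  "#{path}?#{URI.encode_www_form(params)}"
end

# Percent-encode only the non-ASCII bytes of a URL that a browser has
# displayed or sent in decoded form; existing %XX escapes are left untouched.
def escape_non_ascii(url)
  url.b.gsub(/[^\x00-\x7F]/n) { |byte| format('%%%02X', byte.ord) }
     .force_encoding(Encoding::US_ASCII)
end

# Parse a URL taken from a request (for example the Referer header) without
# raising URI::InvalidURIError on raw non-ASCII characters.
def parse_lenient(url)
  URI.parse(escape_non_ascii(url))
end

if __FILE__ == $PROGRAM_NAME
  decoded = 'http://localhost:3000/title/?t=burası' # URL from the error above
  puts form_action('/title/', 't' => 'burası')
  begin
    URI.parse(decoded)
  rescue URI::InvalidURIError => e
    puts "URI.parse rejects the decoded form: #{e.class}"
  end
  puts parse_lenient(decoded)
end
```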
Opayo returns from our payment request asking us to contact https://www.rsa3dsauth.co.uk/3ds2/cReqWebBased?issuer=barclays for 3D Secure auth, so we send this:
<form id="c-form" method="POST" action="https://www.rsa3dsauth.co.uk/3ds2/cReqWebBased?issuer=barclays">
<input type="hidden" name="creq" value="*removed for data protection*" />
<input type="hidden" name="threeDSSessionData" value="tQtpVHCcCVGEhPNDaeCtMK9I%2fREJERnarovmuZPsM4M6xy6gks9rOYix36waoxOn1wukcobCFbfd2jpmVDVDwZjrd3MzJtmpyFDEAu5R9azVveH6kBEXc5F2ETnFijQfEj5l6EzmH7EnMzbTlFHgbkDGR%2fH9CtURo0K2VSUKHN4%3d" />
<script>
document.addEventListener("DOMContentLoaded", function()
{
var b = document.getElementById("c-form");
b && b.submit();
});
</script>
</form>
And we get back
POST https://xxxxx.xxxxxxx.xxx/api/payment/3dsecurechallenge?eid=ctl00_cphMain_Payment_SagePay_ThreeD
cres=*removed for data protection*&threeDSSessionData=
Note there is nothing following &threeDSSessionData=, where it should be returning our string back to us.
The documentation says:
Anyone else having this issue?
Just to add some more context - we had the same issue but only with rsasecure.co.uk at the start of June. Other banks worked correctly. We have an open case with Opayo about this but there has not been a lot of communication.
We turned off 3DS while this issue is occurring but have been advised to try again today (23.07.21) as it may have been an issue at the bank's side.
threeDSSessionData seems to be URL encoded in the input tag. Have you tried this without the URL encoding? I believe it should only be base64 encoded.
I've now received a response from Opayo. I also think they may have changed something because I'm positive I tried this previously and it didn't work...
threeDSSessionData is the base64 encoding of VPSTxId (including the curled braces). It is not base64url encoded - talking about URL encoding is a massive red herring because the browser auto submit handles this without us having to do anything.
Here's an example that worked for me.
I curl post the card details to vpsdirect-register.vsp (or whatever flavour you're using). This must include a ThreeDSNotificationURL value that contains the URL of your callback page.
The following response was received.
Status=3DAUTH
StatusDetail=StatusDetail=2021 : Please redirect your customer to the ACSURL, passing CReq.
VPSTxId={1F3F8015-FFEB-E897-0643-58841AD5DB03}
ACSURL=https://test.sagepay.com/3ds-simulator/html_challenge
CReq=ewogICJtZXNzY...iA6ICIwNSIKfQ
I base64 encode the VPSTxId value into a threeDSSessionData value and get the customer's browser to autosubmit the following form:
<form action="https://test.sagepay.com/3ds-simulator/html_challenge" method="post" id="autopostform">
<input type="hidden" name="threeDSSessionData" value="ezFGM0Y4MDE1LUZGRUItRTg5Ny0wNjQzLTU4ODQxQUQ1REIwM30=">
<input type="text" name="creq" value="ewogICJtZXNzY...iA6ICIwNSIKfQ">
</form>
The customer will then do the necessary gubbins and the callback URL will have something similar to the following posted to it:
cres=ewogICJtZXNzYWd...OiAiWSIKfQ
threeDSSessionData=ezFGM0Y4MDE1LUZGRUItRTg5Ny0wNjQzLTU4ODQxQUQ1REIwM30=
Both of these values are base64 encoded (the cres actually contains the acsTransID that was in the original response). We now need to base64 decode the threeDSSessionData back into a VPSTxId which we then need to curl post along with the (still encoded) cres value.
VPSTxId={1F3F8015-FFEB-E897-0643-58841AD5DB03}
CRes=ewogICJtZXNzYWd...OiAiWSIKfQ
Hopefully that'll give us a successful response and the transaction should go through.
In short it's a complete pita. In reality the encoding element should be dealt with via Opayo's API rather than us needing to code this up.
Edit: Original Reply
Yes! We flicked over to v4 with 3DSv2 last week and have had a couple of dozen customers reporting that they try to pay, and are basically just returned back to the checkout. Looking at one now for Barclays, but have had others too - including one where they 3dauth and don't get returned to our checkout at all...
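The threeDSSessionData round trip described in the answer above, as an added example that is not part of the original posts or Opayo's own code. The function names, the `pending_ids` list and the VPSTxId pattern (inferred from the sample response) are assumptions; the callback body in the demo is constructed.

```ruby
require 'uri'

# Assumed VPSTxId shape, taken from the sample response above: a braced GUID.
VPSTXID_FORMAT = /\A\{\h{8}(?:-\h{4}){3}-\h{12}\}\z/

# Plain base64 (with padding, not base64url) of the VPSTxId, braces included.
# pack('m0') gives the same output as Base64.strict_encode64. The result goes
# into the hidden input as-is; the browser URL-encodes it on submit.
def session_data_for(vps_tx_id)
  raise ArgumentError, 'unexpected VPSTxId format' unless vps_tx_id.match?(VPSTXID_FORMAT)

  [vps_tx_id].pack('m0')
end

# Parse the form-encoded body POSTed to the callback URL and recover the
# VPSTxId. pending_ids is a hypothetical list of VPSTxIds this server issued
# and still awaits; the posted value arrives via the customer's browser, so
# it is checked rather than trusted.
def parse_callback(body, pending_ids)
  params = URI.decode_www_form(body).to_h
  cres = params['cres'].to_s
  data = params['threeDSSessionData'].to_s
  raise ArgumentError, 'cres missing or empty' if cres.empty?
  raise ArgumentError, 'threeDSSessionData missing or empty' if data.empty?

  # Strict decode: raises ArgumentError on anything that is not plain base64,
  # such as a value that was URL-encoded twice.
  raw = data.unpack1('m0')
  raise ArgumentError, 'decoded value is not a VPSTxId' unless raw.match?(VPSTXID_FORMAT)

  vps_tx_id = raw.force_encoding(Encoding::UTF_8)
  raise ArgumentError, 'no pending transaction for this VPSTxId' unless pending_ids.include?(vps_tx_id)

  { 'VPSTxId' => vps_tx_id, 'CRes' => cres } # CRes is forwarded still encoded
end

if __FILE__ == $PROGRAM_NAME
  tx = '{1F3F8015-FFEB-E897-0643-58841AD5DB03}' # VPSTxId from the response above
  # Constructed callback body; the cres value is a placeholder, not real data.
  body = URI.encode_www_form('cres' => 'Q09OU1RSVUNURUQ=', 'threeDSSessionData' => session_data_for(tx))
  p parse_callback(body, [tx])
end
```

An empty `threeDSSessionData=` field, as in the callback shown in the question, fails the empty check instead of being forwarded with a blank VPSTxId.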
I am trying to send a GET request through an MVC form, but when I get the value in the controller using RequestParam, somehow the HTML tags like <li> etc. are getting filtered. Any suggestions as to where these tags are getting filtered, and any workarounds for them?
Thanks.
You can try using some URL Encoding like this %3Cli%3E%3C%2Fli%3E . If this is not working, you can try a hardcode encoding when sending and decoding when receiving. For example replace "<" with "|OPEN_BRACKET|" and ">" with "|CLOSE_BRACKET|" . Keep in mind, that this is a bad solution and use it as a last resort. Also make some checks for XSS attacks.
I'm using open-uri to get content from a page on the web to be used with nokogiri.
I'm trying something like:
url = "http://pesquisa.bvsalud.org/portal/?output=site&lang=pt&from=0&sort=&format=summary&count=20&fb=&page=1&q=\"qualidade+de+vida\"&index=tw"
response = open(url)
Then I get the error: URI::InvalidURIError: bad URI(is not URI?)
The catch is: I know I can use URI.encode(url) to prevent some special characters in the URL, but the website I'm requesting doesn't give me the same response when I sanitize the URL; it doesn't answer properly when using '%22' instead of double quotes.
How can I make such a request using double quotes? Any other library that can do it? Open-uri doesn't accept that. I tried to use the gems addressable-uri and eat, but I get the same error on both. :/
URI.encode('http://pesquisa.bvsalud.org/portal/?output=site&lang=pt&from=0&sort=&format=summary&count=20&fb=&page=1&q=\"qualidade+de+vida\"&index=tw')
=> "pesquisa.bvsalud.org/portal/?output=site&lang=pt&from=0&sort=&format=summary&count=20&fb=&page=1&q=%5C%22qualidade+de+vida%5C&index=tw"
For some time I have been trying to solve a fairly common problem consisting of basically three steps:
fetch html page with specified URL and store its content in a String
detect content encoding either from html meta information or HTTP header
recode the content into UTF-8 for further processing
In the real usage I have the first step a little extended with functionalities like having a "user-agent" instance with cookie-jar, configurable timeout and amount of GET attempts, configurable request count per time frame limitation, etc...
I implemented a rest-client wrapper but I ran into several problems:
class-global RestClient.proxy settings conflicting with e.g. couchrest (using rest-client itself)
freezing: sometimes the timeout causes freezing of the process. AFAIK more of my friends run into the same problem with rest-client
redirect Location URI parsing: rest-client fails to fetch "http://www.ofertacarioca.com.br/index.aspx?cidade=4,Belo%20Horizonte" correctly, complaining about invalid URI '/indexnew.aspx?cidade=4,Belo Horizonte' in the Location header of the 302 result, but curb handles this perfectly through to the target page. I'm about to reimplement the wrapper with the use of curb
recoding problems in the third step: I attempted to detect encoding from html page meta information and HTTP header (in this order) for some pages still to no avail
I would love to know of some cool gem out there that would handle such needs or of some intriguing universal solution hints if any.
As nobody has answered, I needed to implement the curb-based solution:
curburger
Perhaps somebody finds it useful.
I'm using Merb, and getting a weird variable in the URL after authentication. I figured out that the variable contains base64 encoded data, but cannot understand why it's appearing there, even if everything works OK. Just curious.
It looks like this: http://foo.bar/?_message=....data....
What is this variable for and what does it do?
_message is the way that Merb sends 'flash' messages. I believe that it is being encoded to make it harder to spoof (i.e. insert arbitrary text on your Web page) but to keep the state in the URL.