I am trying to integrate paypal into my website using coldfusion, everything is working fine except the "return to merchants" url :( ..
The date displayed as the button is getting ad the return url :(
Please give me an idea what is happening there :)
I know this is an older post... But I'll add my 2 bits...
I was using a CFLOCATION push to PayPal and a Return URL back...
The Return URL never worked until I encoded the & symbols...
Now works fine.
<cflocation url="https://www.paypal.com/cgi-bin/webscr?cmd=_xclick&item_name=#bt#&business=#set.paypal#&item_number=#cr# Credits¤cy_code=CAD&amount=#numberformat(cost, '_.__')#&return=http://#cgi.HTTP_HOST#/paypal.cfm?typeid=#typeid#%26uid=#session.demshinuser_id#%26credits=#cr#%26src=add" addtoken="no">
This is the return URL - with the URL Encoded & - which is %26
return=http://#cgi.HTTP_HOST#/paypal.cfm?typeid=#typeid#%26uid=#session.demshinuser_id#%26credits=#cr#%26src=add" addtoken="no">
Some other URL Encoded Values here too if needed...
http://www.degraeve.com/reference/urlencoding.php
Have you viewed or used the sample code supplied on the website.
Check out 'https://www.paypal.com/IntegrationCenter/ic_sample-code.html'
Related
Can anyone tell me how to send a mail from plone site. What i m trying to do is(will list out my points)
i have a template page(html page) called contact us.In which the user can enter his/her name, email id, address, etc. After entering the things he have to submit it to a particular mail id.
I create a .py file for getting those values from contact us html page.
After getting the values, it should be mailed to a particular mail id.
my html page somewhat looks like like:
<html>
<form action="mailto" method = "post" name="mailto">
Name :<input type="text" name="fname" />
address :<input type="text" name="address"/>
</form>
</html>
mailto.py
class MailTo(BrowserView)
def __init__(self,context,request):
self.context = context
self.request = request
def registerdetail(self):
mailhost = self.context.MailHost
form= self.request.form
name=form.get('fname')
address=form.get('address')
mto = 'xxxx#gmail.com'
msg="""
Name:%s
Address:%s
""" %(name,address)
mailhost.send(messageText=msg, mto=mto, mfrom='yyy#yahoo.com')
return self.sucesspage()
I tested it directly by giving my own mailid in "mto=gsgfsf#gmail.com" but i didnit receive any mail. can anyone tell whats wrong with my things.
Thanks in advance
You'll find it much easier to simply use PloneFormGen (a popular add-on for Plone) to build your form. You can make the email destination for the form configurable by following the instructions at: http://developer.plone.org/reference_manuals/active/ploneformgen/select_mail.html
According to what you say on the mailing lists, your problem is that you installed the developer tool Products.PrintingMailHost.
With that installed emails are printed to the console instead of being sent. This is so you can test sending emails without actually having to send emails.
Verify you have configured Plone to send mail first. In Site Setup -> Mail, enter your mail server information and click Save and Send test e-mail.
Then using MailHost in Python should work (unless you are using Products.PrintingMailHost which prints email instead of sending it.)
I am building one of my first MVC 4 applications and I need some help with redirecting users.
I have a windows form application where I use a AxSHDocVw.AxWebBrowser to redirect the user to a specific URL , a SOAP web service to be precise, aswell as sending HTTP POST and HEADER data aswell.
This is done like so:
oHeaders = "Content-Type: application/x-www-form-urlencoded" + "\n" + "\r";
sPostData = "ExchangeSessionID=" + SessionID;
oPostData = ASCIIEncoding.ASCII.GetBytes(sPostData);
axWebBrowser2.Navigate2(ref oURL, ref o, ref o, ref oPostData, ref oHeaders);
I am looking to replicate this functionality in my MVC application, but am unsure of the how this can be done.
I was hoping to have this within an iframe, but can't find a way of sending the POST and HEADER data from this. This is what I have been trying so far:
Controller
ViewBag.URL = TempData["URL"];
ViewBag.SessionID = TempData["SessionID"];
ViewBag.FullURL = TempData["URL"] + "?ExchangeSessionID=" + TempData["SessionID"];
return View();
View
<iframe src="#ViewBag.FullURL" width="100%" height="500px"></iframe>
Basically I was trying to append the data to the end of the URL hoping this would work for the HTTP POST part. This is what I ended up with:
https://www.myurl.aspx?ExchangeSessionID=87689797
The user is being directed to the page, but the web service is giving me an error ( which tells me it is now receiving the POST data).
Can some please help me to try and fix this, or even give me advice on how to go about this another way. Like I said, I'm fairly new to MVC applications and I'm not entirely sure what I'm tryin to do is even possible.
Any help is appreciated. Thanks
I've decided to answer this question myself incase anybody is looking to do something similar in the future.
The first step was to create my iframe:
<iframe name="myframe" src="" width="100%" height="700px"></iframe>
Next I want to create a form with a button which, when pressed, will post the data to the url while targeting the iFrame (Note the target attribute of the form):
<form action="#ViewBag.URL" method="post" target="myframe">
<input type="hidden" name="ExchangeSessionID" value="#ViewBag.SessionID" />
<input type="submit" value="Submit" />
</form>
So what happens is, when the button is pressed, the form posts the ExchangeSessionID to the target URL and then the page response is displayed inside the iFrame.
Is there a way to check if a URL still active or it returns a 301 Redirect code using chhttp?
You've answered your own question - use CFHTTP.
<cfhttp method="head" url="http://www.google.com" result="myResult">
<cfdump var="#myResult#">
You'll see that myResult struct contains "Responseheader" struct with "Status_Code" field in it. It will contain the numeric status code.
If you don't need numeric you can just use myResult.Statuscode - returns something like "200 OK".
If the url will be incorrect or there will be some issues with reaching the target, the "Responseheader" will be empty.
Addendum after the comment:
If you want to know the redirect location after 301 use CFHTTP with trace or options as method.
<cfhttp method="trace" url="http://www.google.com" result="myResult">
The result should contain the "Status_Code" as above as well as "Location" - the url to redirect to.
You have to use the redirect attribute (e.g. redirect="false") in cfhttp tag. Then you get the original response and can figure out what http code was sent back to your request.
I am using allauth to provide registration and login in my django site. Everything else seems to be working fine other than that I am having problems to redirect the person to the current page after login.
I have a page where I have some interview questions and a typical url for it would be like
/questions/?company=google
This page contains a list of questions for the company google, but to view the answer the person needs to login. The answers are displayed in a dropdown box. However when the user clicks on login a request is sent to the login page as follows
/login/?next=/questions/
And the get parameter which was actually there in my actual page is not sent because of the & in my url. How can I solve this problem. It does not look nice that the person is redirected to a different page from where he/she tried to login.
I know sending the next parameter as a GET variable is not the solution, but is there a way I can send the redirect link as a POST variable from the template.
I tried another thing, in my view that displays the questions list. I set session variables which contains the url of the current link . If a user clicks on login, in my login view I check for this particular session variable. If it is set then I redirect to that page.
However the session variable is not received in the login view, I am not sure but I think the session is reset when the user goes to the login view.
Any suggestions are appreciated.
Have you tried
next = request.get_full_path()
This will return correct path with all queries ( see docs ) , you can then pass it as GET param to redirect url e.g.
full_path = request.get_full_path()
return HttpResponseRedirect('%s?next=%s' % (reverse('login'), full_path))
You should encode the URL-parameter in this case. You want to send a variable like /questions/?company=google, but as you mentioned the ?, = (amongst others) characters are special ones. It has a special meaning when embedded in the URL. If you encode the variable with URL encoding, it becomes %2Fquestions%2F%3Fcompany%3Dgoogle. If you assign that to the parameter next, the URL becomes: /login/?next=%2Fquestions%2F%3Fcompany%3Dgoogle. This should redirect to the correct place on login.
My company gave me the task of resolving all security issues with a particular application. The security tream reported a cross site scripting error. The error lies in the following input field:
<input type="hidden" name="eventId" value="${param.eventId}"/>
The report from security wasn't very detailed, but the say they can make a POST request to the page that has the above tag including the following malicious code:
eventId=%22%3e%3csCrIpT%3ealert(83676)%3c%2fsCrIpT%3e
And that when the page reloads, it will have the following:
<input type="hidden" name="eventId" value=""><sCrIpt>alert(83676)</sCrIpt></value>
I am trying to "be the hacker" and show the vulnerability. But I can't figure out how they manage to get that script in there. I am guessing they include it as a URL parameter in the GET request for the form, but when I try to do it myself I get a 403 error. Does anyone know how the vulnerability can be shown?
I know there is a number of XSS questions on the site, but none seem to hit this topic.
So, I am not sure why, but my original hunch was correct. The script can be put on as a URL parameter. For some reason though, this was not working with our staging site. Only with running the application locally. I am not sure why, but this works (only locally):
http://localhost:8080/myUrl/MyAction.do?eventId=%22%3e%3csCrIpT%3ealert(83676)%3c%2fsCrIpT%3e
Doing that, you see an alert box pop up. I am planning to fix it using JSTL functions.
<%# taglib uri="http://java.sun.com/jsp/jstl/functions" prefix="fn" %>
...
<input type="hidden" name="eventId" value="${fn:escapeXml(param.eventId)}"/>
Install [TamperData][1] add-on in firefox browser which let you edit the data before submitting. Doesn't matter if it's in POST or GET.
By using this hidden fields can be edited.
What you want to do to fix the problem, is to HTMLAttributeEncode the value before putting it inside the value-attribute. See OWASP ESAPI or MS AntiXSS for methods for doing HTML attribute encoding.
Seeing how the attack string is URL encoding, I think you guess about including it as a GET parameter seems reasonable.
I used the OWASP ESAPI API as the legacy jsp's didn't have JSTL available. This is what I used:
<input type="hidden" name="dataValue" value="<%=ESAPI.encoder().encodeForHTMLAttribute(dataValue)%>">
You can also use the API to filter request.Parameter() which I also needed, as in:
String userURL = request.getParameter( "userURL" )
boolean isValidURL = ESAPI.validator().isValidInput("URLContext", userURL, "URL", 255, false);
if (isValidURL) {
link
}
and:
String name = (String) request.getParameter("name");
name = ESAPI.validator().getValidInput("name ", name , "SafeString", 35, true);