I wish to allow users on my site to add PayPal hosted buttons to personalised web pages hosted on it.
Since allowing them to upload the HTML code of the button is not easy to secure against XSS (that is - writing a strict whitelist validation of the HTML format), I'm looking for a way to get the HTML code from PayPal itself using the hosted button ID (which the users will upload, instead of the raw HTML code).
Does anyone know if PayPal cater to this need? If not - do you know of an easy way for me to validate the HTML (preferably in python) as something I can safely load to a customised web page?
Thanks,
-Lior
I believe that with the button ID is enough. What else you need? With the button ID you can build the whole HTML button code.
<form action="https://www.paypal.com/cgi-bin/webscr" method="post" target="_top">
<input type="hidden" name="cmd" value="_s-xclick">
<input type="hidden" name="hosted_button_id" value="{ID GOES HERE}">
<input type="image" src="https://www.paypalobjects.com/es_ES/ES/i/btn/btn_donateCC_LG.gif" border="0" name="submit">
<img alt="" border="0" src="https://www.paypalobjects.com/en_US/i/scr/pixel.gif" width="1" height="1">
</form>
There is a PayPal API called "Button Manager API Operations" which will allow you to obtain button information if you have the ID. However, the caller must have the credentials of the account of the hosted button. Here you can find information about it:
General Documentation
You will need specifically the call "BMGetButtonDetails"
BMGetButtonDetails Documentation
Related
I'm setting up a Google login option using flask-dance. My route I've create "http://localhost/login/google" successfully directs you to sign in with google and returns a json with information.
Now I need to enable a link for users to get there. None of the instructions in flask-dance documentation or any user guides explain how to generate the login button. They basically just tell you to go to the login URL you create in the process. I'm certain I could just make a Google link on my page but I was trying to use the official button.
Googles documentation explains there is a pop-up and redirect option but how to enable it isn't easy to find. I've tried putting in the "data-login-uri" where I want the user to login from but when I load the HTML on my localhost it defaults to a blank pop-up window.
I think I just need to enable to redirect mode they talk about in their documentation but I can't seem to figure out how.
Here is the HTML for the Google oath button I am using:
<!-- google oauth -->
<div class="d-flex justify-content-center mt-5 mb-4">
<div id="g_id_onload"
data-client_id="..."
data-login_uri="http://localhost/login/google"
data-auto_prompt="false">
</div>
<div class="g_id_signin"
data-type="standard"
data-logo_alignment="center"
data-size="large"
data-theme="filled_blue"
data-shape="circle"
data-text="continue_with"
data-width=360>
</div>
</div>
<script src="https://accounts.google.com/gsi/client" async defer></script>
Found it by using's the HTML generator in Googles developer tools. I added the data-context="signin" and data-ux_mode="redirect" to the HTML and it now redirects users to the correct endpoint instead of the default pop up window.
<!-- google oauth -->
<div class="d-flex justify-content-center mt-5 mb-4">
<div id="g_id_onload"
data-context="signin"
data-ux_mode="redirect"
data-client_id="<your id here>"
data-login_uri="<your endpoint here"
data-auto_prompt="false">
</div>
<div class="g_id_signin"
data-type="standard"
data-logo_alignment="center"
data-size="large"
data-theme="filled_blue"
data-shape="circle"
data-text="continue_with"
data-width=360>
</div>
</div>
UPDATE
I have found that in flask_dance's current version the official google button does not play nice. With the redirect mode functioning, I encountered errors when using the login interface.
I ended up just using html/css I found where someone else had designed the google login button from scratch and just using that as a link to the endpoint flask_dance wanted.
Since I'm new to this POST/GET HTTP stuff, I might be getting things wrong, that's why I'll put my question in 2 ways. Maybe one way will be better than the other :)
I'm developing a Telegram Bot using PyTelegramBotAPI, and it needs to include an online payment.
For the online payment I need the user to follow a link with POST method (it's an external link + I need to pass form data), but that's what causes difficulties for me.
I.
In my code I perform the following:
req = requests.post(url=url, data=data)
Where url is the URL of the website to which the client must be redirected, and data is the data that it needs to pass with the POST request when redirecting.
It works fine as a request in Python, but obviously it can't redirect the client to the website needed.
I tried to generate a URL and pass it to the client using
url = url + urlencode(data=data)
Where url is again the URL of the website. But in this case the website tells me that the method used is incorrect. I guess the link becomes a GET request, instead of a POST request.
How can I redirect the client to that link with POST method?
II.
Another way of putting this question is this:
The company which processes the online payments requires them to be performed using the following HTML form:
<form action=”https://securesandbox.webpay.by/” method="post">
<input type=”hidden” name=”*scart” >
<input type=”hidden” name=”wsb_storeid” value=”11111111”>
<input type=”hidden” name=”wsb_order_num” value=”ORDER-12345678”>
<input type=”hidden” name=”wsb_currency_id” value=”BYN”>
<input type=”hidden” name=”wsb_version” value=”2”>
<input type=”hidden” name=”wsb_seed” value=”1242649174”>
<input type=”hidden” name=”wsb_signature” value=”124264917411111111ORDER-123456781BYN10123456”>
<input type=”hidden” name=”wsb_test” value=”1”>
<input type=”hidden” name=”wsb_invoice_item_name[0]” value=”Товар 1”>
<input type=”hidden” name=”wsb_invoice_item_quantity[0]” value=”2”>
<input type=”hidden” name=”wsb_invoice_item_price[0]” value=”10”>
<input type=”hidden” name=”wsb_total” value=”10”>
<input type="submit" value="Купить">
</form>
This would work well if I used HTML pages, but since my web app is a Telegram Bot, hence this wouldn't work. Therefore I need to generate this HTML form automatically in Python (namely, I need to change the "value" fields for every payment).
How can I imitate this HTML form in my Telegram Bot and redirect the client after some trigger?
I am trying to build a front end for a simple TFIDF based document retrieval model(all written in python). The front end will be a simple search bar where the user can enter a query. Using that query I want to return the documents ranked on the basis of their relevancy. I have the backed ready. I have a small function, lets call it query_scorer that takes in the query, does the requisite pre-processing(tokenization, spellcheck, lower casing, etc.) and selects and ranks documents based on their relevancy. What I don't know is how do I pass this query from my html page to the query_scorer and pass the results back to the html page (or maybe a different html page). Lets say I have the following page.
<section >
<form action="" method="">
<input type="search" placeholder="What are you looking for?">
<button>Search</button>
</form>
</section>
How do I transfer the text from the search box to my python script?
Try this:
In the form tag's action="",provide the location of your cgi script and the value of the textbox will be passed to the cgi script.
eg.
<form name="search" action="~/query_scorer.py" method="get">
<input type="text" name="searchbox">
<input type="submit" value="Submit">
</form>
query_scorer.py
import cgi
form = cgi.FieldStorage()
searchterm = form.getvalue('searchbox')
Hope so you may get your result.
You will need to host the php script and expose it as either a web service or web page. I would suggest web page as the easiest method to get started.
You will then need to post to this web page from your form above by entering the action and method in your form attributes.
You web page will need to return html and also call your function.
See a basic overview here
I have to perform two actions based on radio button selection, either download or view a document
<form method="post" action="{{ url_for('page_after_submit') }}">
<p> Your resume </p>
<div class="radio">
<label> <input type="radio" name="optionsRadios" id="optionsRadios1" value="option1" checked> Download document </label>
</div>
<div class="radio">
<label> <input type="radio" name="optionsRadios" id="optionsRadios2" value="option2"> View document </label>
</div>
<input type="submit" />
</form>
My page_after_submit has this code...
#app.route(local.URL_PREFIX + '/page_after_submit/', methods=['POST'])
def after_submit():
if 'option1' == request.form['optionsRadios']:
return/redirect ("download from this url")
if 'option2' == request.form['optionsRadios']:
return/redirect ("view in this iframe")
return (Url_for('go back to submit page if you are here')
I know my form can only have one action which is '/page_after_submit/', what code (HTML or Python in flask) I need to complete rest of my actions ??? I tried to put the iframe tags with complete download file address in the redirect for option2 but doesn't work. I also want this iframe to pop up not open a new browser window. Plus for the download, don't know what to do specially different operating system may have different path for download directory.
My goal is to not have any javascript as well, don't know if it's possible or not. Thanks in advance.
You need to craft a different response depending on how they want to see the data.
Download File
If they choose option 1, you need to set the headers and response to allow the browser to trigger a file download. Here's how you can do something like that.
View File in Iframe
If they choose option 2, you need to return an HTML response which loads the file. This can be done in an Iframe if you'd like, but it's not necessary. Here's one possible way to do that, but many others exist.
I am writing a site for which I require all data to be transmitted under encryption.
Last night I was considering encrypting form data before posting it but I've just created a Django form for login and realised that using the action field will send the data back to the server unencrypted.
<form method="post" action="">
{% csrf_token %}
<div id="login_box_user">{{loginForm.userName}}</div>
<div id="login_box_pass">{{loginForm.password}}</div>
<div id="login_box_sbmt"><input id="submitbutton" name="submit" value="Login" type="submit" /></div>
</form>
I'm thinking that in order to get around this, I would need to have a Javascript function as the action to encode it before sending, or a Javascript submit button.
At the same time I'm thinking about SSL but we don't currently have a server running so I wouldn't be able to connect an SSL certificate to it for use during development/testing.
The way I understand it, using SSL the data transmitted would be encrypted. I'm wondering if it is worth the effort of encrypting everything, when I plan to get an SSL certificate and using SSL once we have a domain for the site
Encryption in JavaScript is useless as explained here. So SSL is your only option.
I've found some information here if you plan to deploy your site with https:
http://www.redrobotstudios.com/blog/2009/02/18/securing-django-with-ssl/