How to Remove Odd Hidden Web Field in My Form - forms
I'm redoing some stuff on a website. I create my own forms and there's been a hidden field injected into my system somehow, after my Submit button. I have (updated) found that it is injected by Square payment processor (95% confidence). But it does not show up on my published site, only my workstation.
<input name="nds-pmd" type="hidden" value="[long encoded value omitted]">
I'm using Chrome. This now (updated) looks like some Square injection. I'm finding it on Safari and Firefox as well, same values inside the field. Again, it is not showing up on my production served site.
Update.
No JavaScript injection. The payment processor was responsible, and I had never seen this before.
Related
PayPal subscription api has stopped working
My site has been creating subscription payments for years using the classic form-post method to PayPal's cgi-bin/webscr URL. Suddenly this has stopped working. The webscr page is called but just displays blank. Is something broken, or have PayPal changed something? There's no info to suggest the API is deprecated or anything. I tried the "create a button" method, and using the generated html (which also calls webscr) it works. I can't use this live because some of the parameters are calculated by JS on my page, a standard button is too simplistic. Does anyone know what's going on? Thanks
To round this off, I have discovered the cause, and it's ultimately mea culpa. I went through my code with a fine tooth comb, and for some reason the following line appeared twice in my button form html: <input type="hidden" name="cmd" value="_xclick-subscriptions"> Probably an ancient copy-paste error. This never caused any problem until recently, but obviously there's been some tightening of validation by PayPal. Removing the duplicate line has restored the original functionality. Sometimes the simplest things can be the hardest to find!
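Both form problems above (a hidden field nobody wrote into the markup, and a hidden `cmd` field present twice) can be caught by auditing the form's field names against the list you expect. The following is an added example, not code from either post; the sample form, its `action`, and the expected-name list are constructed, and the audit can be run on either the served source or the markup copied from the browser's DOM inspector.

```python
from collections import Counter
from html.parser import HTMLParser

FIELD_TAGS = {"input", "select", "textarea", "button"}
REPEATABLE_TYPES = {"radio", "checkbox"}  # these legitimately share one name


class FormFieldCollector(HTMLParser):
    """Records (name, type) for every named form control in the markup."""

    def __init__(self):
        super().__init__()
        self.fields = []

    def handle_starttag(self, tag, attrs):
        if tag not in FIELD_TAGS:
            return
        attr = dict(attrs)
        if attr.get("name"):
            self.fields.append((attr["name"], (attr.get("type") or "").lower()))


def audit_form(html, expected_names):
    """Return (duplicates, unexpected): names that repeat, and names not on the allowlist."""
    collector = FormFieldCollector()
    collector.feed(html)
    counts = Counter(n for n, t in collector.fields if t not in REPEATABLE_TYPES)
    duplicates = sorted(n for n, c in counts.items() if c > 1)
    unexpected = sorted({n for n, _ in collector.fields} - set(expected_names))
    return duplicates, unexpected


# Constructed sample: a duplicated hidden "cmd" and an injected "nds-pmd" field.
SAMPLE_FORM = """
<form action="/subscribe" method="post">
  <input type="hidden" name="cmd" value="_xclick-subscriptions">
  <input type="radio" name="plan" value="monthly">
  <input type="radio" name="plan" value="yearly">
  <input type="hidden" name="cmd" value="_xclick-subscriptions">
  <input type="submit" name="submit" value="Subscribe">
  <input name="nds-pmd" type="hidden" value="constructed-placeholder">
</form>
"""
EXPECTED = {"cmd", "plan", "submit"}

if __name__ == "__main__":
    dupes, extra = audit_form(SAMPLE_FORM, EXPECTED)
    print("duplicate names:", dupes)
    print("unexpected names:", extra)
```

A field that shows up only in the DOM copy and not in the served source was added in the browser, which matches what the first poster observed.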
Forms accessibility - actions on buttons
I have a Shopping Cart and for example there is a <button> that will trigger an action to add an item to the cart. And my dilemma is: - should I just have a standalone button with JS hook that sends a POST request to an API to add/update an item to cart? - or should I wrap it in a <form> with hidden <input>s and then when there is no JS the button will be working because form will be submitted and when JS enabled I will submit the form via JS. But when not using <form> with <input>s but just simple <button> the code would be cleaner. And nowadays many pages need JS to be running. Who switches JS off? So should I bother to provide no-JS functionality at all? Maybe I should bother only for public sector websites to provide it? In my case JS would not be an enhancement but replacement for the default form functionality as you see.
In my opinion, it's perfectly acceptable to require JavaScript these days. It may even provide a better and more accessible user experience in some cases. That being said, it's also very important to provide graceful fall-backs for clients that don't have JavaScript enabled for whatever reason. At the very minimum, there should be some sort of a warning or alert letting the user know that basic functionality won't work without JavaScript.
X-Cart checkout is empty
I have problem with my x-cart website. When I click on "Buy Now" button on one product, and after that I click on "My Cart" which is the checkout section, it returns that my cart is empty although I already click to buy product. Here is my website: http://www.farlin-cambodia.com/home.php?cat=591 How can I fix it?
The store you're referring to is of version 4.1.6; that's an old version where there was no adding to cart without a redirect (with ajax). The behaviour in question is still there, thus the feature is added as a custom mode. If JS is enabled in the browser, and if the store considers that it's enabled, the JS script is supposed to send some data to the script minicart_content.php, and the PHP script is to process the received data further. However, it doesn't happen, and there are no JS errors, which makes me believe that the problem is in the code of minicart_content.php, with this file very likely being modified too. If JS is disabled in the browser (and if you click the corresponding button in the store in the pink side menu block - "If Javascript is disabled in your browser click here"), this custom scenario is not applied, so the store uses the default functionality, which allows adding the products to the cart without problems. Thus, the possible solution is: roll back the custom changes you implemented and use the default functionality (adding products to cart with a redirect to the cart page), or check the minicart_content.php script and find out why it doesn't want to properly process the data sent by the JS script. If you're not sure how to achieve this, consider contacting the X-Cart support team for further investigation. Not sure if I can give a link to X-Cart support here, but I'm sure you'll easily find it if you only try to search =)
Adding Captcha without accessing ASP
A client would like us to add a Captcha to their form at http://www.vilaswi.com/contact/. However, they use a 3rd party to run their authentication through http://www.innline.com/mailforms/vilasform/Record.asp so the form data displayed to the user is really the only thing I have control over. It looks like I can't add the Google reCaptcha PHP to the form as the action is already specified (see below). <form action="http://www.innline.com/mailforms/vilasform/Record.asp" method="post" name="frmInfo" id="frmInfo" onsubmit="return validateForm()" class="contactform"> Google recommends downloading verify.php and adding that to the action. Is there another method I could use? I have tried the honey pot method and that has not curbed the amount of spam submitted. Thanks in advance for any help!
Zend Framework: How to POST data to some external page (e.g. external payment gate) without using form?
I would like to have a user redirected to an external credit card gate. Of course I have to POST some user info to that gate, but I don't know how exactly can I do this. I know that I could do this by generating a html form with hidden or read-only fields and have a user click "Submit" button. But this solution is not perfect, because all the form data could be easily changed using e.g. Firebug. I think you cannot do this using $this->_redirect(...). But maybe there is some other solution? Many thanks for any tips or suggestions.
> I would like to have a user redirected to an external credit card gate. Of course I have to POST some user info to that gate, but I don't know how exactly can I do this.
Using a form is the only method available. The RFC states that the user should explicitly agree to sending a POST (i.e. click on a submit button).
> I know that I could do this by generating a html form with hidden or read-only fields and have a user click "Submit" button. But this solution is not perfect, because all the form data could be easily changed using e.g.
It is no more secure than using a redirect, as the header data can be modified without too much of a problem. There are even Firefox plugins to do it.
Use cURL to post data: http://framework.zend.com/manual/en/zend.http.client.adapters.html
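The question and the answers above agree that anything sent through the user's browser, hidden fields included, can be edited before it reaches the payment gate, so the receiving side has to be able to detect the change. The following is an added example, not code from the thread or from Zend Framework: it signs the fields with HMAC-SHA256 on the server and verifies them on receipt, assuming the merchant and the receiver share a secret; the field names, the `signature` parameter and the secret are hypothetical.

```python
import hashlib
import hmac
from html import escape

# Assumption: a secret shared out of band between merchant and gateway (constructed value).
SHARED_SECRET = b"constructed-demo-secret"


def canonicalize(fields):
    """Serialize fields in sorted order with length prefixes so values cannot run together."""
    parts = []
    for key in sorted(fields):
        value = str(fields[key])
        parts.append(f"{len(key)}:{key}={len(value)}:{value}")
    return "&".join(parts).encode("utf-8")


def compute_mac(fields, secret):
    return hmac.new(secret, canonicalize(fields), hashlib.sha256).hexdigest()


def sign_fields(fields, secret=SHARED_SECRET):
    """Merchant side: add a hex HMAC-SHA256 computed over every field."""
    return {**fields, "signature": compute_mac(fields, secret)}


def verify_fields(posted, secret=SHARED_SECRET):
    """Receiving side: recompute the MAC over everything except the signature field."""
    unsigned = {k: v for k, v in posted.items() if k != "signature"}
    received = str(posted.get("signature", "")).encode("utf-8")
    expected = compute_mac(unsigned, secret).encode("utf-8")
    return hmac.compare_digest(received, expected)  # constant-time comparison


def render_hidden_inputs(fields):
    """Emit the hidden inputs for the form, HTML-escaping names and values."""
    return "\n".join(
        f'<input type="hidden" name="{escape(k)}" value="{escape(str(v))}">'
        for k, v in fields.items()
    )


# Constructed order; field names are hypothetical, not any real gateway's parameters.
ORDER = {"order_id": "1001", "amount": "49.99", "currency": "USD"}

if __name__ == "__main__":
    signed = sign_fields(ORDER)
    print(render_hidden_inputs(signed))
    print("untouched form verifies:", verify_fields(signed))
    print("amount edited in browser:", verify_fields({**signed, "amount": "0.01"}))
```

The signature only shows that the fields were not altered in transit; the order handler should still look up the amount for `order_id` on the server and reject an order id it has already processed.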