creating a PayPal donation button in an md file - github

What I'm trying to do is displaying a PayPal donation button into a Github project README.md file. The markup I added is displayed as HTML rather than being properly rendered as donation button.
HTML
// PayPal source here
Do you have any thought?

The current code generated by paypal buttons is based on a FORM html tag with a POST method. Fortunately the values are always the same and paypal is supporting them to be passed by the GET method. So, you can safely read the form code and convert it to a direct link.
On my case I just made a link to my button like this:
[![](https://www.paypalobjects.com/en_US/i/btn/btn_donateCC_LG.gif)](https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=X6XHVCPMRQEL4)
I am using it on my project at http://github.com/ctodobom/OpenNoteScanner

In all likelihood, it is not possible for security reasons (see CSFR and XSS for examples of potentially related security concerns). In other words, GitHub has intentionally not allowed forms within Markdown text and will strip them out if they are included.
For more general information about how to include a form in Markdown (outside of GitHub) see my previous answer below:
As the Markdown syntax rules state:
For any markup that is not covered by Markdown’s syntax, you simply use HTML itself. There’s no need to preface it or delimit it to indicate that you’re switching from Markdown to HTML; you just use the tags.
The only restrictions are that block-level HTML elements — e.g. <div>, <table>, <pre>, <p>, etc. — must be separated from surrounding content by blank lines, and the start and end tags of the block should not be indented with tabs or spaces.
So just insert your raw HTML into the document. You probably should wrap the entire block in a <div> to make sure Markdown treats it properly as one block.
However, be aware that it is possible that GitHub may filter the content to not allow certain tags for security reasons, so you'll need to test it to find out if it will work.
Additionally, depending on how things are configured, the browser and/or the server you are posting to may not allow the form to post for security reasons.
For more on those issues see these questions and related answers.

With Paypal.me , there is no more a security concern :
markdown
[![paypal](https://www.paypalobjects.com/en_US/i/btn/btn_donateCC_LG.gif)](https://www.paypal.me/AbdennourT/10)
markup
<p>
<a href="https://www.paypal.me/AbdennourT/10">
<img src="https://www.paypalobjects.com/en_US/i/btn/btn_donateCC_LG.gif" alt="paypal">
</a>
</p>

You have to create an enterprise account or you can update your own, it´s free.
Then you have to create the button in the button center and generate a donate button, this tool generates the html and you can get the hoted_button_id then you have to replace it and paste it in the README.md
[![](https://www.paypalobjects.com/en_US/i/btn/btn_donateCC_LG.gif)](https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=YOUR_OWN)

If you want to just use your email and a donate button you can do it by just filling in the blanks from their "donate email" example:
[![paypal](https://www.paypalobjects.com/en_US/i/btn/btn_buynowCC_LG.gif)](https://www.paypal.com/donate/?business=paypal#poleguy.com&no_recurring=0&item_name=Payment+for+Stackoverflow+Example&item_number=Suggested+Price:+$7.99+USD&currency_code=USD)
It renders like this:
Paypal warns that it's "not secure" and you should always use a "hosted email payment link to prevent malicious users from tampering with the code." So maybe okay on github, but not on a wiki or stackoverflow where the link could be edited to pay someone else.

Related

Integrating FormSpree into GitHub Jekyll markdown file

I am attempting to add a contact form to a GitHub Jekyll website. I have mostly been following advice from the most-liked answer here, from a YouTube tutorial here, and from the FormSpree site.
In my attempt to keep the website design consistent, one major difference compared to these tutorials is probably that I am adding the FormSpree contact form to a markdown file, which is here. As you can see in this markdown file, I tried creating the form twice (once with bare-bone suggestions and once with more bells and whistles).
I am almost certain the form is not looking as expected (which in the YouTube tutorial I was following would look more like this) because I am not using a .html file. However, when I tried to convert my page to .html instead of .md it rendered the contact form page looking visually/aesthetically inconsistent with the rest of the webpage tabs. As a result, I am hoping to maintain the .md format with the same current YAML metadata.
My question is: Is it possible to add a FormSpree contact form to GitHub Jekyll pages directly inside a Markdown (.md) file and, if so, what alterations would I need to make to accomplish this? Thank you for sharing any advice!
Using html chunks in md files can seem quite tricky.
In your particular case, as you're including raw html, you can use nomarkdown extension tag.
Just try :
{::nomarkdown}
<form action="http://formspree.io/moqeoggo method="POST">
<input type="email" name="_replyto">
<textarea name="body"></textarea>
<input type="submit" value="Send">
</form>
{:/nomarkdown}

Are deceptive redirect hyperlinks safe to use in emails?

We're generating some emails programmatically. We need to include a hyperlink that takes people to a page on website A, but we want to use website B to track their click before redirecting.
Is it safe to show the URL to website A, but in a hyperlink that really takes them to website B? That is, something like this:
Here's the page you wanted:
<a href="http://website-b.com/someTrackingToken">
website-a.com/theThingYouWereExpecting
</a>
... or does this look sufficiently scam-like that some email clients might object to it?
Note:
We specifically do want the website-a.com URL to be visible to the email recipient.
The sites are on different domains.
You can set the visible link and the href property to be two totally different things and there's usually little to no consequences, this is pretty standard for most mailers that need tracking.
The thing is, why not just wrap some text instead of a literal link? Present it as a button if you're worried about "click ability".
If you want to present a link that's nearly the same, why not just append some parameters on the end that trigger the tracking action? Like /x vs /x?token=XXX where you can grab that and and process it at any point of handling the request. Just suppress the display of that in the raw URL you're showing.

What portions of the marketo code snippet can change?

My company is using marketo forms, and we are generating the page from a content management system.
We'd like to keep the contribution experience as simple as possible and prevent the user from contributing actual <script> tags.
The API documentation says they will give you a block of code that looks like this:
<script src="//app-sjqe.marketo.com/js/forms2/js/forms2.js"></script>
<form id="mktoForm_621"></form>
<script>MktoForms2.loadForm("//app-sjqe.marketo.com", "718-GIV-198", 621);</script>
My question is, what portions of this code are subject to change?
I am sure the 3 part hypen separated string and the integer being passed in can change.
What about the app-sjqe.marketo.com address?
The 3-part string is your Marketo instance ID, and shouldn't really change. The other integer is the form ID, which definitely will change depending on what form you want to embed.
The other thing that you may want to consider, is the other configurable options that you can send along with the form embed. For example, in the module that I have made for my CMS, I let the user put an optional 'thank-you' page URL, to redirect the form to after submission, and also a checkbox to optionally open the form in a lightbox on page load.
The simple module I made is for the Sitefinity CMS - happy to share code with you if that helps!

Paypal buttons without form tags

The html for a donation button provided by Paypal forces excessive white space on the page. Is it possible to link back to Paypal without the form tag? I have the Paypal button graphic which I can anchor to html code if it is not a form element.
It is possible to do it without a form; I did so a while ago. I don't remember specifically how I did it, but I can give you this example, and if you post your HTML I could help you turn it into a link instead:
https://www.paypal.com/cgi-bin/webscr?cmd=_xclick&business=ben%40happyspork%2ecom&item_name=Sporktris%20Support&item_number=1&no_shipping=0&no_note=1&tax=0&currency_code=CAD&lc=CA&bn=PP%2dDonationsBF&charset=UTF%2d8
You might even be able to just modify that link to use your data instead of mine.

Is it a good practice to use an empty URL for a HTML form's action attribute? (action="")

I am wondering if anyone can give a "best practices" response to using blank HTML form actions to post back to the current page.
There is a post asking what a blank HTML form action does here and some pages like this one suggest it is fine but I'd like to know what people think.
The best thing you can do is leave out the action attribute altogether. If you leave it out, the form will be submitted to the document's address, i.e. the same page.
It is also possible to leave it empty, and any browser implementing HTML's form submission algorithm will treat it as equivalent to the document's address, which it does mainly because that's how browsers currently work:
8. Let action be the submitter element's action.
9. If action is the empty string, let action be the document's address.
Note: This step is a willful violation of RFC 3986, which would require base URL processing here. This violation is motivated by a desire for compatibility with legacy content. [RFC3986]
This definitely works in all current browsers, but may not work as expected in some older browsers ("browsers do weird things with an empty action="" attribute"), which is why the spec strongly discourages authors from leaving it empty:
The action and formaction content attributes, if specified, must have a value that is a valid non-empty URL potentially surrounded by spaces.
Actually, the Form Submission subsection of the current HTML5 draft does not allow action="". It is against the spec.
The action and formaction content attributes, if specified, must have a value that is a valid non-empty URL potentially surrounded by spaces. (emphasis added)
The quoted section in mercator's answer is a requirement on implementations, not authors. Authors must follow the author requirements. To quote How to read this specification:
In particular, there are conformance requirements that apply to producers, for example authors and the documents they create, and there are conformance requirements that apply to consumers, for example Web browsers. They can be distinguished by what they are requiring: a requirement on a producer states what is allowed, while a requirement on a consumer states how software is to act.
The change from HTML4—which did allow an empty URL—was made because “browsers do weird things with an empty action="" attribute”. Considering the reason for the change, its probably best not to do that in HTML4 either.
Not including the action attribute opens the page up to iframe clickjacking attacks, which involve a few simple steps:
An attacker wraps your page in an iframe
The iframe URL includes a query param with the same name as a form field
When the form is submitted, the query value is inserted into the database
The user's identifying information (email, address, etc) has been compromised
References
Bypassing CSRF protections with ClickJacking and HTTP Parameter Pollution
This will validate with HTML5.
<form action="#">
IN HTML 5 action="" IS NOT SUPPORTED SO DON'T DO THIS. BAD PRACTICE.
If instead you completely negate action altogether it will submit to the same page by default, I believe this is the best practice:
<form>This will submit to the current page</form>
If you are sumbitting the form using php you may want to consider the following. read more about it here.
<form method="post" action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]);?>">
Alternatively you could use # bear in mind though that this will act like an anchor and scroll to the top of the page.
<form action="#">
I think it's best to explicitly state where the form posts. If you want to be totally safe, enter the same URL the form is on in the action attribute if you want it to submit back to itself. Although mainstream browsers evaluate "" to the same page, you can't guarantee that non-mainstream browsers will.
And of course, the entire URL including GET data like Juddling points out.
Just use
?
<form action="?" method="post" enctype="multipart/form-data" name="myForm" id="myForm">
It doesn't violate HTML5 standards.
I used to do this a lot when I worked with Classic ASP. Usually I used it when server-side validation was needed of some sort for the input (before the days of AJAX). The main draw back I see is that it doesn't separate programming logic from the presentation, at the file level.
I use to do not specify action attribute at all. It is actually how my framework is designed all pages get submitted back exact to same address. But today I discovered problem. Sometimes I borrow action attribute value to make some background call (I guess some people name them AJAX). So I found that IE keeps action attribute value as empty if action attribute wasn't specified. It is a bit odd in my understanding, since if no action attribute specified, the JavaScript counterpart has to be at least undefined. Anyway, my point is before you choose best practice you need to understand more context, like will you use the attribute in JavaScript or not.
When you put empty action then some security filtration consider it malicious or phishing. Hence they can block your page. So its advisable not to keep action= blank.