How to use textbox to display 3rd-party code items?

7 posts by 3 authors in: Forums > CMS Builder
Last Post: August 5

Hello all,

Years ago I could simply set up a text box field and have the customer input a string of 3rd-party code (like paypal for example) and as soon as the record was saved the paypal buttons would appear on the live public page no problem - easy-peasy.  However, with more recent CMSB versions (I'm using ver 3.71), the public page literally shows the text of 3rd-party script code.

How can I make the textbox work and show functions or items for 3rd-party code?  In this particular case, the client is using paypal. They have different products with different prices so a copy-paste-3rd party code would be terrific.

Thank you kindly.

By TimHurd - August 4 - edited: August 4

Hi Codee,

As you can imagine, allowing a user to put arbitrary code into a textbox is a security issue. This would create a situation where the user might put in some harmful code and then it would be executed on their site. This is probably why the interactivetools team made sure to run the field through an encoding/escaping function so that it will print the characters of the code rather than run the code itself.

One solution you might want to try is to find out what part of the paypal code is dynamic (like a special product number etc.) and then have the user enter that into the textbox. Then when it comes to writing PHP out to their page, you can write in the paypal snippet, placing the product number into the snippet itself. Of course still make sure you validate the user input before putting it into the snippet.

For example, let's assume the paypal code uses a special product number to print out the buttons. Maybe the code looks like (and this is me just making stuff up here)...

<button id="paypal" data-product-num="12345">Pay on PayPal</button>

What you would do is create the text field to collect the "12345" product number and then in the PHP that generates the page you could use that...

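<?php
// Coerce the stored value to an integer; input with no leading digits becomes 0.
$prodNum = intval($prodRec['prodNum']);

// Only emit the button for a positive product number.
if (($prodNum > 0) && ($prodNum <= PHP_INT_MAX)) {
    echo "<button id=\"paypal\" data-product-num=\"{$prodNum}\">Pay on PayPal</button>";
} else {
    echo "Invalid product number!";
}
?>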

Hopefully you get the idea of what we are doing here. With this type of approach you control the output of the paypal code and allow the user the option to put in the dynamic parts to customize the button. You can also control the validation of that dynamic value the user entered.

The other option is for the interactivetools team to put in a new field type tailored for things like paypal buttons or the like, where essentially the code generator would do what I just showed you above.

I hope this helps. :)

Tim Hurd
Senior Application Developer
TimHurd.com

Hi Tim, 

Thanks for replying. Yeah, I get what you're saying and thought of that...and then I reviewed some sample code from the paypal generator (log into paypal, put all your parameters in, and they provide a small script, including some security parameters so that the price can't be changed, etc.) and realized "Dude, no clue here." I am only speaking about this type of paypal button at this time. Here's a sample of a code script that is for white buttons, choice of paypal, venmo, credit/debit, pay later, for $500, bullet style, and some customized naming/text:

"<script src="https://www.paypal.com/sdk/js?client-id=BAAjui822kRiVjHQ8qZogINx4vRK6tJv6vh42BltPxPcQTk3Q4yBCbZ2kdUrx_Q5rV3mNnelDEd6dVaVcI&components=hosted-buttons&enable-funding=venmo&currency=USD"></script><br>
<div id="paypal-container-8F4CVZMVS7L2C"></div><br>
<script><br>
paypal.HostedButtons({<br>
hostedButtonId: "8F4CVZMVS7L2C",<br>
}).render("#paypal-container-8F4CVZMVS7L2C")<br>
</script>"

That's it.  My client is not overly techy but can point-click-type so I was desiring the ability to copy-paste this into a field and have it show up on the site.  If I hardcode this on the page it works terrific. If I attempt to run it through a CMSB textbox field then the script shows up, literally, as text.  

Is there a simple solution?
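
Tim's suggestion above, applied to the hosted-button snippet in this post, as an added example that is not part of the thread and is not CMS Builder or PayPal code: the client types only the hosted button ID into a plain text field, and the template validates it and emits the fixed markup. The field name `paypal_button_id`, the function `renderHostedButton`, the 8-20 character length range and the client-ID placeholder are assumptions.

```php
<?php
// Added example: not CMS Builder or PayPal code.
// Assumption: the developer sets the client ID here; the client never edits it.
const PAYPAL_CLIENT_ID = 'YOUR_PAYPAL_CLIENT_ID'; // placeholder

// Returns the hosted-button markup for an acceptable ID, or null otherwise.
function renderHostedButton(string $rawId, string $clientId): ?string
{
    $id = trim($rawId);
    // Allow-list check. The ID in the thread is 13 uppercase letters/digits;
    // the 8-20 length range is an assumption. \A and \z anchor the whole string.
    if (!preg_match('/\A[A-Z0-9]{8,20}\z/', $id)) {
        return null;
    }
    // Fixed SDK URL with the same parameters as the pasted snippet.
    $src = 'https://www.paypal.com/sdk/js?' . http_build_query([
        'client-id'      => $clientId,
        'components'     => 'hosted-buttons',
        'enable-funding' => 'venmo',
        'currency'       => 'USD',
    ]);
    // Encode per output context even though the allow-list already constrains $id.
    $srcAttr = htmlspecialchars($src, ENT_QUOTES, 'UTF-8');
    $jsFlags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    $idJs = json_encode($id, $jsFlags);
    $selectorJs = json_encode('#paypal-container-' . $id, $jsFlags);

    return "<script src=\"$srcAttr\"></script>\n"
         . "<div id=\"paypal-container-$id\"></div>\n"
         . "<script>paypal.HostedButtons({hostedButtonId: $idJs}).render($selectorJs)</script>\n";
}

// Constructed sample values for the hypothetical 'paypal_button_id' text field.
$samples = [
    '8F4CVZMVS7L2C',              // ID from the snippet in the thread: accepted
    ' 8F4CVZMVS7L2C ',            // stray whitespace from copy-paste: trimmed, accepted
    '<script>alert(1)</script>',  // pasted markup instead of an ID: rejected
    '',                           // empty field: rejected
];
foreach ($samples as $value) {
    $html = renderHostedButton($value, PAYPAL_CLIENT_ID);
    echo $html ?? "Invalid PayPal button ID\n";
}
```

In a page template the call would take the record's field value in place of the sample strings, so the only client-controlled text that reaches the page is an ID that passed the allow-list.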

Hi Codee,

When outputting your text box with the paypal code are you using a plain echo like:

<?php echo $record['paypal_code']; ?>

?

Thanks,
Robin

Robin
Programmer
interactivetools.com

Good morning,

I was using the code like that, and then tried it like this:

<?php echo htmlencode($galleryRecord['paypal_code']) ?>

Hey Codee - I think a plain:
<?php echo $galleryRecord['paypal_code']; ?>
...should work.  

Another thing to look for is to make sure "Disable auto-formatting" is checked in the text box settings.  The auto-formatting can cause trouble with code.  

Let me know if you're still having trouble and we'll figure it out.

Thanks,
Robin

Robin
Programmer
interactivetools.com