By Rafal on Friday, 16 February 2018
Posted in General
I was able to embed PayPal buttons within event descriptions a while ago in EasySocial.

Now when we paste an HTML form such as a PayPal button, the HTML gets removed and the functionality of the button is obviously broken.

Is there a way to have PayPal buttons within event descriptions?

Thank you
Hm, I would suggest that you look at the sample textarea custom field in /media/com_easysocial/apps/fields/user/textarea. Then alter the code accordingly.

Your biggest challenge would be to identify the HTML input from PayPal and request the user to enter the unique code generated by PayPal for them.

Then, in your field, it would automatically output the HTML code generated by PayPal and replace that unique code with the user's unique code.
Monday, 12 March 2018 22:07

Hey Rafal,

We have actually disallowed these script tags from being added in page, group or event descriptions. This is mainly to protect your site from people who try to inject script tags that would mess up your site.
Saturday, 17 February 2018 12:49

That's not good ... we liked having the convenience of being able to have people click "Pay Now" for the events they were interested in. I would appreciate having that functionality turned back on ... I'm willing to take the risk ...

or please provide me with another way of keeping the payments simple for my users.

Thank you.
Sunday, 18 February 2018 07:56

Hey Rafal,

By allowing script code in the event description, you are basically opening doors for hackers to easily manipulate what you see. For instance, I am a developer of EasySocial and I know how to add script code to an event description in a way that when you, as the site admin, view the description, it would delete users from your site. Those are the sorts of risks that you will face when you allow script tags to be inserted into descriptions.

If you are okay with that, I could tweak the code to accept script tags but it's your own responsibility as you have been warned.
Sunday, 18 February 2018 14:01

I'm not keen on reducing the security of my site. However, I refuse to accept the fact that we can't allow people to use the PayPal button straight from the event.

EasySocial should be intelligent enough to allow a form to submit from the description of an event to an outside site without any issues... that form submit is not of any risk to the home site at all.

Why would a user account be allowed to manipulate the database beyond their access level??? It shouldn't matter if they are able to create a form inside the description of an event!... isn't there access level checking beyond the form posts?

If it's possible to submit a form from the description of an event, it shouldn't be a big issue to submit one through a simple URL query as well ... where is the security then???

Please enable the ability for me to add a PayPal button to the descriptions of the events, or avail us some other way of adding a PayPal button to events. Thank YOU.
Sunday, 18 February 2018 23:32

I think I wasn't explaining this correctly to you, but let me try to simplify this:

1. In order for you to add PayPal buttons, you need to embed script tags in the description.

2. Allowing script tags in the description also means you are allowing users to insert any script tags.

3. When I insert a script tag into the event that would simulate your action as a super admin to delete users, there is no prevention for this.

The problem has NOTHING to do with SQL manipulation. It's all about controlling what users are allowed to enter. There is no way for the system to know if the script you are trying to insert is a PayPal button or a hack.
Monday, 19 February 2018 00:03

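Editor's note on the two posts above. The developer's objection is to raw script tags, and it is sound: once arbitrary markup is stored, anything a viewer's browser will execute runs with that viewer's session, which is why a stored description can act as the admin who opens it, and why Rafal's "a form submit to an outside site is no risk" misses the point (the form itself is not the risk; the script that rides along with it is). What a filter can decide without guessing intent is purely structural: which elements and attributes survive. The code below is an added example, not EasySocial's filterHtml and not code from this thread. It is a PHP allow-list sanitizer on DOMDocument that keeps the elements a PayPal hosted button needs, constrains the form's action and image sources to PayPal hosts (the host list, the element list and the function names are assumptions for this example), removes any form that cannot target PayPal, and drops scripts, event-handler attributes and every other element. For production, a maintained sanitizer such as HTML Purifier is the safer choice; what matters here is the allow-list shape.

```php
<?php
// Added example (not EasySocial code): structural allow-list sanitizer for
// event descriptions that must carry a PayPal hosted-button <form>.
// Everything not listed below is removed, including <script>, on* handlers,
// formaction=, javascript: URLs and unknown wrapper elements. PHP 7.1+.

declare(strict_types=1);

// Elements and the attributes each may keep. Assumed policy for this example.
const ALLOWED = [
    'p' => [], 'br' => [], 'strong' => [], 'em' => [], 'ul' => [], 'li' => [],
    'table' => [], 'tbody' => [], 'tr' => [], 'td' => [],
    'form'   => ['action', 'method', 'target'],
    'input'  => ['type', 'name', 'value', 'src', 'alt', 'border'],
    'select' => ['name'],
    'option' => ['value'],
    'img'    => ['src', 'alt', 'width', 'height', 'border'],
];

// URL-bearing attributes must start with one of these prefixes (assumed hosts).
const URL_PREFIXES = [
    'action' => ['https://www.paypal.com/'],
    'src'    => ['https://www.paypalobjects.com/'],
];

const ALLOWED_INPUT_TYPES = ['hidden', 'image', 'submit'];

function urlAllowed(string $attr, string $value): bool
{
    foreach (URL_PREFIXES[$attr] ?? [] as $prefix) {
        if (stripos(trim($value), $prefix) === 0) {
            return true;
        }
    }
    return false;
}

function sanitizeElement(DOMElement $el): void
{
    $keep = ALLOWED[$el->tagName];
    // Walk attributes backwards so removal does not shift the index.
    for ($i = $el->attributes->length - 1; $i >= 0; $i--) {
        $attr  = $el->attributes->item($i);
        $name  = strtolower($attr->name);
        $value = $attr->value;
        $drop  = !in_array($name, $keep, true)
            || (isset(URL_PREFIXES[$name]) && !urlAllowed($name, $value))
            || ($name === 'type' && !in_array(strtolower($value), ALLOWED_INPUT_TYPES, true))
            || ($name === 'method' && strtolower($value) !== 'post');
        if ($drop) {
            $el->removeAttribute($attr->name);
        }
    }
}

function sanitizeChildren(DOMNode $node): void
{
    // Snapshot the list: removing children while iterating a live list skips nodes.
    foreach (iterator_to_array($node->childNodes) as $child) {
        if ($child instanceof DOMText) {
            continue;                       // text is escaped on output
        }
        if (!$child instanceof DOMElement || !isset(ALLOWED[$child->tagName])) {
            $node->removeChild($child);     // comments, <script>, <iframe>, <span>...
            continue;
        }
        sanitizeElement($child);
        // A form whose action was rejected cannot reach PayPal; drop it whole.
        if ($child->tagName === 'form' && !$child->hasAttribute('action')) {
            $node->removeChild($child);
            continue;
        }
        sanitizeChildren($child);
    }
}

function sanitizeDescription(string $html): string
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);       // tolerate sloppy pasted markup
    $doc->loadHTML('<meta http-equiv="Content-Type" content="text/html; charset=utf-8">'
        . '<div id="root">' . $html . '</div>');
    libxml_clear_errors();

    $root = (new DOMXPath($doc))->query('//div[@id="root"]')->item(0);
    sanitizeChildren($root);

    $out = '';
    foreach ($root->childNodes as $child) {
        $out .= $doc->saveHTML($child);     // re-serialised, attribute values escaped
    }
    return $out;
}

// Constructed input: the PayPal form from this thread plus three injections.
$pasted = '<form action="https://www.paypal.com/cgi-bin/webscr" method="post" target="_top">'
    . '<input type="hidden" name="cmd" value="_s-xclick">'
    . '<input type="hidden" name="hosted_button_id" value="KPSH3XXZHSWR4">'
    . '<input type="image" src="https://www.paypalobjects.com/en_US/i/btn/btn_buynowCC_LG.gif" name="submit" alt="Pay">'
    . '</form>'
    . '<script>alert("stored xss")</script>'
    . '<img src="x" onerror="alert(1)">'
    . '<form action="https://evil.example/phish" method="post"><input type="submit" formaction="javascript:alert(1)"></form>';

echo sanitizeDescription($pasted), PHP_EOL;
// The first form survives intact; the <script> is gone; the <img> is left with
// no attributes; the second form is removed because its action was rejected.
```

The policy is deliberately narrow: it would have kept Rafal's form (including its action, which the existing filter stripped) while giving a script tag nowhere to live. Note that this protects the site, not the payee: whoever can edit a description can still point the hosted_button_id at their own account, which is a publisher-trust question rather than an XSS one.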
Is there another way to provide a Pay Now button on events?
Monday, 19 February 2018 00:10

To be honest, I think your best option is to create a custom PayPal field where the field only accepts their PayPal ID or some sort of identifier (form).

Then, when rendering the field, the field app would render the button with the scripts without requiring the user to paste any script tags.
Monday, 19 February 2018 00:33

OK ... now we're getting somewhere ... please point me to the documentation that will help me create a custom HTML field that accepts variables.
Monday, 19 February 2018 00:38

You need to develop your own custom field because the existing fields wouldn't allow this to happen, since we need to ensure that users are not able to hack the system by injecting malicious JavaScript code.

By the way, another quick alternative that I can think of for you right now, without spending on developing the custom field, is for you to edit the file /media/com_easysocial/apps/fields/event/description/description.php and at line 229, comment out the code below:

$desc = ES::string()->filterHtml($desc);

By commenting this line out, EasySocial will not strip out unwanted HTML code when you edit and save from the back end. Also, you need to configure the description field to use "Editor - None" because Joomla's TinyMCE strips out script tags by default, http://take.ms/z2AKO
Monday, 19 February 2018 01:22

I commented out the line you told me.

public function onAdminEditBeforeSave(&$post, &$cluster)
{
    $desc = !isset($post[$this->inputName]) ? $this->input->get($this->inputName, '', 'raw') : $post[$this->inputName];
    // $desc = ES::string()->filterHtml($desc);

    $cluster->description = $desc;

    unset($post[$this->inputName]);
}


But the (action="https://www.paypal.com/cgi-bin/webscr") tag for the <form> is still getting filtered out.
Monday, 19 February 2018 09:13

What is the code that you are trying to enter?
Monday, 19 February 2018 11:28

I'm simply trying to paste a PayPal button <form> into the description of the event. I'm willing to take the risks associated with disabling the HTML filter in the code as long as that modification is persistent and I don't have to make a code change every time EasySocial gets an update.

Please help... this is now becoming both critical and a bit silly that I'm not allowed to have a PayPal button in the description.

Here is an example form for such a button.

<form action="https://www.paypal.com/cgi-bin/webscr" method="post" target="_top">
<input type="hidden" name="cmd" value="_s-xclick">
<input type="hidden" name="hosted_button_id" value="FSF342423FC4323">
<table>
<tr><td><input type="hidden" name="on0" value="Lightroom WorkShop">Lightroom WorkShop</td></tr>
<tr><td><select name="os0">
<option value="OCC Members">OCC Members $25.00 CAD</option>
<option value="Non-Members">Non-Members $30.00 CAD</option>
</select></td></tr>
</table>
<input type="hidden" name="currency_code" value="CAD">
<input type="image" src="https://www.paypalobjects.com/en_US/i/btn/btn_paynowCC_LG.gif" border="0" name="submit" alt="PayPal - The safer, easier way to pay online!">
<img alt="" border="0" src="https://www.paypalobjects.com/en_US/i/scr/pixel.gif" width="1" height="1">
</form>
Thursday, 08 March 2018 22:16

edit the file /media/com_easysocial/apps/fields/event/description/description.php and at line 229, comment out the code below:

$desc = ES::string()->filterHtml($desc);

This didn't work!
Thursday, 08 March 2018 22:52

Hi Rafal,

I've tested locally by putting the code you gave above in the event description, and it seems to render correctly without stripping the HTML code: http://take.ms/55A9k
Is it possible for you to provide us with back end and FTP access to your site to check on this issue?

You can add the information needed by editing your first post in the Details section, or you can just include your site's access once at http://stackideas.com/dashboard/site rather than needing to keep adding it in your replies.
Friday, 09 March 2018 15:41

I have added the login site info to the dashboard.
Friday, 09 March 2018 20:15

I have edited the file /media/com_easysocial/apps/fields/event/description/description.php on your site and it will work fine now. Please give this a try again.

Please understand that this is a customization and we do not provide support on customizations.
Friday, 09 March 2018 23:30

What did you modify? Will I have to do this mod every time EasySocial updates?
Saturday, 10 March 2018 04:53



Actually, I just tested it: I made a test event and pasted this in the description
<form action="https://www.paypal.com/cgi-bin/webscr" method="post" target="_top">
<input type="hidden" name="cmd" value="_s-xclick">
<input type="hidden" name="hosted_button_id" value="KPSH3XXZHSWR4">
<table>
<tr><td><input type="hidden" name="on0" value="Choose Category">Choose Category</td></tr><tr><td><select name="os0">
<option value="OCC MEMBERS">OCC MEMBERS $25.00 CAD</option>
<option value="NON MEMBERS">NON MEMBERS $30.00 CAD</option>
</select> </td></tr>
</table>
<input type="hidden" name="currency_code" value="CAD">
<input type="image" src="https://www.paypalobjects.com/en_US/i/btn/btn_buynowCC_LG.gif" border="0" name="submit" alt="PayPal - The safer, easier way to pay online!">
<img alt="" border="0" src="https://www.paypalobjects.com/en_US/i/scr/pixel.gif" width="1" height="1">
</form>


once I hit save this is what resulted in the description.

<form method="post" target="_top"><input type="hidden" name="cmd" value="_s-xclick" /> <input type="hidden" name="hosted_button_id" value="KPSH3XXZHSWR4" />
<table>
<tbody>
<tr>
<td><input type="hidden" name="on0" value="Choose Category" />Choose Category</td>
</tr>
<tr>
<td><select name="os0"><option value="OCC MEMBERS">OCC MEMBERS $25.00 CAD</option><option value="NON MEMBERS">NON MEMBERS $30.00 CAD</option></select></td>
</tr>
</tbody>
</table>
<input type="hidden" name="currency_code" value="CAD" /> <input type="image" src="https://www.paypalobjects.com/en_US/i/btn/btn_buynowCC_LG.gif" border="0" name="submit" alt="PayPal - The safer, easier way to pay online!" /> <img alt="" border="0" src="https://www.paypalobjects.com/en_US/i/scr/pixel.gif" width="1" height="1" /></form>


A broken HTML form. I tried it with the admin account and a user account.
Saturday, 10 March 2018 09:45


What did you modify? Will I have to do this mod every time EasySocial updates?

The file that I have modified is /media/com_easysocial/apps/fields/event/description/description.php, and I commented out lines 72 and 230 respectively:

line 72: http://take.ms/ZlVOT
line 230: http://take.ms/HKAEA

As for the broken html, I am unable to replicate this:

Before saving: http://take.ms/zMt6P
After saving: http://take.ms/ON6DK
Saturday, 10 March 2018 15:16

I need this to work from the front end editor ... not from the administrator ... I need my publishers to be able to post the forms as they create the event...
Sunday, 11 March 2018 10:14

As mentioned in my post above, the hacks only work from the back end (http://take.ms/7IRhA). This would ensure that nobody would abuse the embedding of scripts on the event.

I have applied the hacks in the same file /media/com_easysocial/apps/fields/event/description/description.php and commented out all possibilities of stripping out HTML tags by commenting out the lines below:

[gist]
$desc = ES::string()->filterHtml($desc);
[/gist]

Note:
- The hack provided is not supported. You should make a backup of this file in the event you need to upgrade.

- We will not be responsible in the event your users try to inject hacks using the form.
Sunday, 11 March 2018 12:23

Hi, this is not helpful. Sorry... I'm not happy :(

I need my users to be able to post PayPal buttons in the description of the event... in the front end...

Like we have been doing for years before "you made the app secure".
Monday, 12 March 2018 09:47

As per my reply above, I have already added the hacks and the front end now allows users to enter HTML / script tags, http://take.ms/XlOvu

Making the software secure is our responsibility, to ensure that your site is safe. If you really need this, I would suggest that you consider creating a custom field that only requests the important details needed to generate the button, with the custom field responsible for generating the PayPal HTML code.
Monday, 12 March 2018 12:47

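Editor's note: the custom-field approach the developer recommends (here and in the earlier "custom paypal field" reply) is the right shape, and it is what Rafal asks for examples of below. The code that follows is an added illustration, not EasySocial's field API and not code from this thread: the field stores only a hosted button id, a currency code and a list of option labels, validates the id at save time, and rebuilds the form from a fixed template at render time so that nothing a user typed ever reaches the page unescaped. The function names, the assumed id format (upper-case alphanumeric, as in the ids pasted in this thread) and the PayPal URLs taken from the pasted form are assumptions; wiring these into the field app's save and render hooks is left to the field, for which the thread points at /media/com_easysocial/apps/fields/user/textarea as a sample.

```php
<?php
// Added example (not EasySocial's field API): a custom field stores only the
// PayPal hosted button id and renders the button itself, so users never
// paste HTML. PHP 7.1+.

declare(strict_types=1);

// Assumption for this example: hosted_button_id values are upper-case
// alphanumeric, as in the ids pasted in this thread. Tighten the pattern
// if PayPal's documented format differs.
function validateHostedButtonId(string $raw): ?string
{
    $id = strtoupper(trim($raw));
    return preg_match('/^[A-Z0-9]{8,20}$/', $id) === 1 ? $id : null;
}

// Single escaping helper; every user-supplied string passes through it.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/**
 * Render the PayPal hosted-button form from validated data only.
 * $options is an optional list of labels for the os0 selector (ticket
 * categories in the thread's form); $currency must be a 3-letter code.
 */
function renderPayPalButton(string $buttonId, string $currency = 'CAD', array $options = []): string
{
    if (validateHostedButtonId($buttonId) === null) {
        throw new InvalidArgumentException('Invalid hosted_button_id');
    }
    if (preg_match('/^[A-Z]{3}$/', $currency) !== 1) {
        throw new InvalidArgumentException('Invalid currency code');
    }

    $select = '';
    if ($options !== []) {
        $select .= '<select name="os0">';
        foreach ($options as $label) {
            $select .= '<option value="' . e((string) $label) . '">' . e((string) $label) . '</option>';
        }
        $select .= '</select>';
    }

    // Fixed template: the only user-controlled strings are escaped above.
    return '<form action="https://www.paypal.com/cgi-bin/webscr" method="post" target="_top">'
        . '<input type="hidden" name="cmd" value="_s-xclick">'
        . '<input type="hidden" name="hosted_button_id" value="' . e($buttonId) . '">'
        . '<input type="hidden" name="currency_code" value="' . e($currency) . '">'
        . $select
        . '<input type="image" src="https://www.paypalobjects.com/en_US/i/btn/btn_paynowCC_LG.gif"'
        . ' name="submit" alt="PayPal - The safer, easier way to pay online!">'
        . '</form>';
}

// Constructed stored values for one event, then a hostile id that would have
// been saved verbatim if the field accepted raw HTML.
$stored = [
    'button_id' => 'KPSH3XXZHSWR4',
    'currency'  => 'CAD',
    'options'   => ['OCC MEMBERS $25.00 CAD', 'NON MEMBERS $30.00 CAD'],
];
echo renderPayPalButton($stored['button_id'], $stored['currency'], $stored['options']), PHP_EOL;

try {
    renderPayPalButton('"><script>alert(1)</script>');
} catch (InvalidArgumentException $ex) {
    echo 'Rejected at save time: ', $ex->getMessage(), PHP_EOL;
}
```

Because the filter on the description field is never touched, this survives EasySocial upgrades in a way the commented-out filterHtml line does not, and the front-end editor can expose it to publishers without reopening script injection. The remaining trust question (a publisher can enter their own button id and redirect payments) is the same one a pasted form carries.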
I would love to make a custom field ... but when I tried to look for any documentation I couldn't find any... Are you saying make a custom HTML field in the back end of EasySocial? Or create one in PHP?

Can I get a couple of examples? I just need a little help... I'm OK with developing something on my own, I just need a start.
Monday, 12 March 2018 20:14

I will look into the suggestions you've made.

In the meantime I confirm that we are now able to post a paypal button in the description of the event from the frontend.

Thank you.
Tuesday, 13 March 2018 22:52

No problem Rafal, glad that your issue is resolved now. Do remember to make a backup of the file before you upgrade in the future too.
Wednesday, 14 March 2018 00:53

Hi, I'm not sure what happened, but we can't post an HTML form (PayPal Pay Now button) in the event description again.

Probably an update to EasySocial disabled the hack you've provided for us in the past.

I need a permanent solution to allow my users to use the front end event editor to paste a PayPal button (HTML form with action pointing to PayPal).

Thank you.
Monday, 24 September 2018 00:00