When you attempt to place a contribution widget on its own contribution page in the "Introductory Message" section, you get the error:
Illegal characters in input (potential scripting attack)
I confirmed this is a regression by replicating the problem on the Drupal demo site (4.7) and confirming it didn't exist on the Joomla site (4.6). I'm pretty sure it didn't happen earlier in the 4.7 cycle either.
Hmm - I'm not sure we should treat blocking script as a regression. @colemanw @seanmadsen @seamuslee, is this worth addressing, or should we close it (we can reopen if someone chooses to work on a patch)?
Wow this is very interesting! Here are some of my thoughts and findings:
I am able to reproduce this behavior on a local dmaster.
I'm not sure what I want CiviCRM to do here.
On one hand, editing a contribution page requires the "Administer CiviCRM" permission, so a case could be made that all users with that permission should be trusted. And, adding a thermometer to a contribution page seems like a basic functionality that any fundraising software should have.
On the other hand, if we're not trusting users with "Administer CiviCRM", then we should be blocking all scripts, and I'd be inclined to close this issue. But it seems ridiculous for us to have any kind of "thermometer" if the very place users are most likely to need it is the place that we won't let them put it.
The code which adds that form rule is super generic and hasn't been changed in a long time. So I'm curious why this worked in 4.6, and also very curious to find a specific 4.7 version where we could observe different behavior.
I looked through our Security and Release Planning doc to see if I could spot an advisory that seems like it could have caused this regression. The doc goes back to March 2016 and didn't have anything relevant.
Also worth mentioning CRM-20909 here, although I'm being intentionally vague since that issue is not yet published.
@Edselopez were you able to add the basic thermometer to the Civi 5.x Joomla contribution page last week without trouble, or was part of your custom work doing a workaround for this problem?
We can reproduce on dmaster (running 5.1.alpha1): it will block. We don't have any examples of this not working in the past. We did notice that Chrome would block the POST request:
"This page isn't working. Chrome detected unusual code on this page and blocked it to protect your personal information (for example, passwords, phone numbers and credit cards).
Try visiting the site's homepage.
ERR_BLOCKED_BY_XSS_AUDITOR"
This appears to be triggered by this line: <script type="text/javascript" src="https://dmaster.demo.civicrm.org/sites/all/modules/civicrm//extern/widget.php?cpageId=3&widgetId=2&format=3"></script>
However, Firefox allowed posting, which then triggered this alert:
I'm not sure if this is within the scope of this issue, and perhaps it's better implemented as an extension, but from a user perspective: perhaps have a check box on the page settings that, when ticked, includes the scripts for the widget and provides the user with the ability to copy the required HTML + styles into their desired location in the intro or the footer. That way we retain the security of blocking user-added scripts on contribution pages. As a workaround in the interim, using the CMS to display content on that page (for example a block in Drupal) should allow the widget to be displayed.
FWIW the workaround on Drupal is to put the thermometer into a block.
An extension that would be quick to write, but I haven't found a client to fund, would put a "thermometer.png" file into the CKEditor uploads folder. The contribution page will have JS that looks for that image and will replace it with the actual widget. This would allow precise placement inside the intro text that a block won't.
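The placeholder-image swap sketched in the comment above, written out as an added example; it is not code from this thread or from CiviCRM. It assumes the marker file is named thermometer.png, that the widget is served from the extern/widget.php endpoint with the cpageId/widgetId/format parameters seen in the reproduction above, and that those three values come from server-side configuration (for example a data attribute the contribution page template emits), never from the intro text itself. `doc` is passed in rather than using the global `document` so the logic can be exercised outside a browser. The security property this preserves is the one discussed in the thread: the admin's HTML still contains no `<script>` tag, so the generic form rule keeps blocking user-added scripts, while the only script URL the page ever inserts is built from validated integers against a fixed path.

```javascript
// Added example, not CiviCRM code. Marker filename is an assumption.
const MARKER_FILENAME = 'thermometer.png';

// True if an <img> src (absolute or relative) points at the marker image the
// admin dropped into the intro text via CKEditor. The dummy base URL only
// exists so relative paths parse; it never reaches the page.
function isMarkerImage(src) {
  try {
    const url = new URL(src, 'https://example.invalid/');
    return url.pathname.split('/').pop() === MARKER_FILENAME;
  } catch (e) {
    return false;
  }
}

// Build the widget <script> URL from server-supplied configuration only.
// Anything that is not a positive integer is rejected, so content in the intro
// text has no way to steer the script source. baseUrl is the CiviCRM module
// root (assumed), e.g. https://host/sites/all/modules/civicrm/
function buildWidgetSrc(baseUrl, cpageId, widgetId, format) {
  for (const v of [cpageId, widgetId, format]) {
    if (!Number.isInteger(v) || v <= 0) {
      throw new Error('widget parameters must be positive integers');
    }
  }
  const url = new URL('extern/widget.php', baseUrl);
  url.searchParams.set('cpageId', String(cpageId));
  url.searchParams.set('widgetId', String(widgetId));
  url.searchParams.set('format', String(format));
  return url.toString();
}

// Replace every marker image in `doc` with a <script> element for the widget.
// The src is assigned as a property (no innerHTML), and the element is created
// by the page code, so no HTML from the intro text is ever parsed as script.
// Returns the number of markers replaced.
function swapMarkers(doc, cfg) {
  const src = buildWidgetSrc(cfg.baseUrl, cfg.cpageId, cfg.widgetId, cfg.format);
  let replaced = 0;
  for (const img of Array.from(doc.querySelectorAll('img'))) {
    if (!isMarkerImage(img.getAttribute('src') || '')) {
      continue;
    }
    const script = doc.createElement('script');
    script.src = src;
    img.replaceWith(script);
    replaced += 1;
  }
  return replaced;
}

// In a browser, wire it up once the intro text has rendered; the config would
// come from the template, e.g. data-* attributes on the contribution form.
if (typeof document !== 'undefined') {
  document.addEventListener('DOMContentLoaded', () => {
    swapMarkers(document, {
      baseUrl: 'https://dmaster.demo.civicrm.org/sites/all/modules/civicrm/', // assumed
      cpageId: 3,
      widgetId: 2,
      format: 3,
    });
  });
}
```

Because `swapMarkers` takes the document and configuration as arguments, the same function can be driven from a unit test with a stub document, and the only values an admin controls (which images carry the marker name) cannot change what script gets loaded.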
Thx Jon, yes we are looking at using a block, and putting all the Intro text into it in order to place the widget in the position within the text that they were wanting.
What do people using WordPress or Joomla do here? This still looks like a bug worth fixing, so not sure that a Drupal-specific solution and a third-party solution are good fixes.
As an alternative solution to actually fixing the problem, here is what I suggest:
Place a notice on the Widget tab, above the HTML code, which states something along the lines of: "You can use this code on an external website. This code cannot be embedded on the CiviCRM Contribution page."
Provide a checkbox on the first tab, below the Goal Amount field which enables the user to enable the Widget to be rendered on the Contribution page without having to copy and paste the Widget embed code.