#37441 How to Allow PayPal Through Firewall

Posted in ‘Admin Tools for WordPress’

Environment Information

WordPress version
6.0
PHP version
7.4.29
Admin Tools version
1.5.7

Latest post by nicholas on Wednesday, 27 July 2022 04:31 CDT

tmichel

I have a donation plugin called GiveWP and there is a donation form that uses PayPal via an iframe. The client can't afford the $200/mo. for secure hosting in order to maintain PCI compliance so I am forced to use the PayPal iframe option.

The problem I am having is that the form fields that are provided by PayPal are not working, i.e. when I enter a valid PayPal email address I get an error message that I haven't entered a valid PayPal email address. When I check the box for "Agree to Terms" no check-mark appears in the box. I assume this is because PayPal is being blocked from responding to inputs.

There are no errors on the page, at least none displayed in the Firefox inspector console.

I also assume that I probably have to set exceptions for the form URL in WAF as well.

Can you provide me any kind of a heads up as to what to look for and what exceptions I need to set?

Oh yes the form I am having the issue with is https://gvcporphans.org/index.php/global-village-childrens-project-gvcp-donate/

nicholas
Akeeba Staff
Manager

I am trying to access the page you linked me on July 8th, 2022 at 06:15am UTC but I am getting a WordPress error message about a critical error. As a result, I can't really tell you what exactly is going on so I'll have to speculate.

Generally speaking, I very strongly recommend against using IFRAMEs when loading content from a different domain or even subdomain (different origin, as the browsers call it). Modern browsers have been restricting what an IFRAME from a different origin can do. I understand why they're doing that with GiveWP but this is a solution which will stop working.

In your case I speculate that the IFRAME may not work correctly because you have enabled the “Protect against clickjacking” option in Admin Tools' .htaccess Maker. This will indeed tell browsers to limit what an IFRAME can do. Disable this and regenerate the .htaccess file through the .htaccess Maker.

That said, this is a problem which will only get worse over time as browsers will eventually act as if “Protect against clickjacking” is always enabled. The only workaround to that is using a fundraising / donations platform like FundraiseUp which does indeed process the donation without leaving the site. It can also do some smart stuff like proposing a different default donation amount (and reorder differently the higher amounts) depending on the type of device the site is being accessed from. You can also become a FundraiseUp partner to get a share of the (small) fee they charge — this makes sense if you are doing lots of non-profit sites.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
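The reply above says the “Protect against clickjacking” option tells browsers to limit what an IFRAME can do, but the page never names the headers involved. The following is an added example, not Admin Tools code, and it assumes the two standard anti-framing mechanisms such an option would emit: `X-Frame-Options` and the CSP `frame-ancestors` directive. Given a page's response headers and the origin that wants to embed it, it reports whether a modern browser would allow the frame and which header decided it. All URLs and headers in it are constructed.

```python
"""Decide whether a response's anti-framing headers let a given origin embed it.

Added example (not Admin Tools code). Assumption: a 'protect against
clickjacking' option emits X-Frame-Options and/or a CSP frame-ancestors
directive; browsers that understand frame-ancestors give it precedence
over X-Frame-Options when both are present.
"""
from urllib.parse import urlsplit


def _origin(url):
    """Reduce a URL to its scheme://host[:port] origin, lower-cased."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()


def _parse_csp(value):
    """Split a CSP header into {directive: [source, ...]}."""
    directives = {}
    for part in value.split(";"):
        tokens = part.strip().split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def _ancestor_matches(source, framing_origin, page_origin):
    """Match one frame-ancestors source expression against the embedding origin."""
    s = source.lower()
    if s == "'self'":
        return framing_origin == page_origin
    if s == "*":
        return True
    host = urlsplit(framing_origin).hostname or ""
    if s.startswith("*."):            # wildcard host, e.g. *.example.org
        return host.endswith(s[1:])
    if "://" not in s:                # bare host-source, e.g. donations.example.net
        return host == s.split("/")[0]
    return s.rstrip("/") == framing_origin


def may_be_framed(headers, page_url, framing_url):
    """Return (allowed, reason) for embedding page_url from framing_url.

    headers: dict of response headers (any case); missing headers mean no restriction.
    """
    h = {k.lower(): v for k, v in headers.items()}
    page_origin = _origin(page_url)
    framing_origin = _origin(framing_url)

    csp = h.get("content-security-policy")
    if csp:
        directives = _parse_csp(csp)
        if "frame-ancestors" in directives:
            sources = directives["frame-ancestors"]
            if not sources or [s.lower() for s in sources] == ["'none'"]:
                return False, "CSP frame-ancestors 'none'"
            ok = any(_ancestor_matches(s, framing_origin, page_origin) for s in sources)
            return ok, "CSP frame-ancestors (X-Frame-Options ignored when present)"

    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False, "X-Frame-Options: DENY"
    if xfo == "SAMEORIGIN":
        return framing_origin == page_origin, "X-Frame-Options: SAMEORIGIN"
    return True, "no framing restriction"


if __name__ == "__main__":
    # Constructed headers: what a clickjacking-protection option might set.
    hdrs = {"X-Frame-Options": "SAMEORIGIN"}
    page = "https://www.example.org/donate"
    for embedder in ("https://www.example.org/", "https://donations.example.net/form"):
        print(embedder, may_be_framed(hdrs, page, embedder))
```

The practical reading: with `SAMEORIGIN` a form served by the site itself can still be framed by pages on the same origin, while a third-party frame is refused; only a CSP `frame-ancestors` list naming the embedding origin admits a cross-origin frame, which is why disabling the option wholesale is a coarser change than the symptom seems to need.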

tmichel

Nicholas, what I found out, yes, thirteen days later, was that an add-on for GiveWP was causing https://gvcporphans.org to crash. I used the trick of renaming the plugins folder to plugins.hold, logging into the back end, accessing plugins, logging back out, renaming plugins.hold back to plugins, and then logging back in and reactivating each plugin one at a time until I found the one that caused the site to crash. It was the givewp-text-to-give SMS plugin that was causing the site to crash, which was called by their main PHP file give.php.

I have disabled the "Protect against clickjacking" setting in .htaccess Maker, and recreated the .htaccess file, but still some of the check boxes on the donation form will not respond to clicks and my PayPal email address isn't recognized as having been input.

I spent a lot of time getting GiveWP to look good on this site and didn't want to start over with your suggestion.

The form in question is found at https://gvcporphans.org/index.php/global-village-childrens-project-gvcp-donate/

One of the input fields that isn't working is: <input name="give_agree_to_terms" class="required" type="checkbox" id="give_agree_to_terms-278" value="1" required="" aria-required="true" tabindex="1">

The other email address input field is: <input class="give-input required" type="email" name="give_email" autocomplete="email" placeholder="Email Address*" id="give-email" value="[email protected]" required="" aria-required="true" style="padding-left: 33px!important;" tabindex="1"> Notice the email address is recognized, and this is a valid PayPal email address, but for some reason, probably because a call is made to PayPal from within the iFrame, that it is getting blocked.

There isn't anything special about these input fields except that they are contained in an iFrame, because GiveWP said that this is the only way that they could ensure that their forms would look good, out of the box, regardless of what template a user chose, with just a basic installation and configuration. I prefer to handle the CSS myself, but that is the way they did it; I actually overrode their CSS anyway.

I know the issue with iFrames going forward, but I just want to get this working for the moment and then if the client has budget, provide a better solution down the road.

Is there something else in .htaccess I can disable or something in WAF I can disable?

P.S. I can't use the PayPal Donation method, because that requires DSS-PCI compliance and the client can't afford the $200/mo. for a server that meets PCI compliance standards, so I am forced to use the old PayPal Standard payment method.

tmichel

Something went wrong with the form again. I have been trying to understand how to make a PayPal Standard custom check out experience, and I must have set something in the account that is causing the entire website to be displayed in the form recursively.

I am really getting tired of this. I want to work on some Ruby on Rails projects in order to update my skills so that I can remain competitive in the marketplace and I find myself bogged down with this WordPress stuff.

I will get this fixed tomorrow sometime after I run five miles to clear my head.

nicholas
Akeeba Staff
Manager

That form is truly a mess. The checkboxes are not checkboxes, they are SPAN elements. I would assume that there is some JavaScript which is meant to make them look like checkboxes. Two major fouls here. One, this form is inaccessible to people who are using assistive devices, be it for vision or motor disabilities. Two, that JavaScript seems to be using a legacy version of jQuery; it's not blocked by Admin Tools' .htaccess Maker but does not work either.

Now, I am trying to debug that page and I see that there is no click handler for that pseudo-checkbox. I also see that this is definitely not a PayPal form, this is GiveWP's form with code loading entirely off your site. So this is not a case of blocking something third party.

I also checked the HTTP headers, the only thing which can be modified by the .htaccess Maker generated .htaccess code, and see nothing which could block JavaScript. I also see that all static resources are loaded just fine, nothing is blocked.

At this point I am unsure if the .htaccess Maker has anything to do with it.

Edit your .htaccess file and remove everything between

# BEGIN AdminTools

and

# END AdminTools

This undoes everything the .htaccess Maker did to your .htaccess file.


tmichel

Thanks so much for taking a look at the form and pointing out the weaknesses and likely reasons it isn't working.

I removed the Admin Tools section of .htaccess and though it did allow the PayPal plugin to work, those form fields managed by jQuery are still not working.

I will work with GiveWP to resolve this. You have already done far more than just answer questions about Akeeba Admin Tools Pro.

That form was working at one time, so it must be me that did something to cause the JavaScript not to load.

One last thing, do you think that there could be anything in WAF that could cause the JavaScript not to load?

nicholas
Akeeba Staff
Manager

> One last thing, do you think that there could be anything in WAF that could cause the JavaScript not to load?

Nope. The Web Application Firewall can't block the JavaScript, I did check. The only thing which could have caused a problem was the .htaccess Maker but we've ruled it out.

In fact, thinking that something in the .htaccess Maker may be blocking the JavaScript I checked the Network tab of the developer tools in the browser and saw that it loads correctly. I also checked the console at maximum verbosity (all messages) and there was nothing implying that the JavaScript does not execute. There were just the typical warnings from jQuery Migrate saying that the JavaScript was using legacy jQuery code.

I even went into JavaScript debugging, adding breakpoints at the click events of these SPANs-which-pretend-to-be-checkboxes. I didn't see any events attached to them which might change their CSS class.

I think, without being sure because I never dove that deep, that the GiveWP JavaScript code may be using jQuery to attach events but for some reason that does not work. The typical reasons — again, without being absolutely certain that this is the case here! — is either using deprecated jQuery code or targeting the wrong selectors. We had seen similar issues with our JavaScript code several years ago when we were using jQuery. We moved to vanilla JavaScript and stopped having those issues. Our JS code also got significantly less bloated and much, much faster.

I would recommend asking GiveWP for support. They know far better than either of us how their JavaScript works and why they're using a fake checkbox. They should be able to figure out why it doesn't work. All I can tell you is that there is something rotten in the kingdom of JavaScript :)


tmichel

You know, I need to run those troubleshooting techniques, just as you did, before submitting tickets. That way I can rule out the majority of the possibilities before taking up your time.

Thank you so much, however, for ferreting this out.

I will submit a ticket to GiveWP just as soon as I can gain access to the gvcporphans.org GiveWP account. The last time I submitted a ticket for this their only suggestion was to read the documentation.

nicholas
Akeeba Staff
Manager

No worries :) I have no problem helping troubleshoot issues when the client approaches the issue reasonably and methodically, exactly like you do.


tmichel

Don't know what I did, perhaps regenerating the .htaccess file, perhaps a couple of auto updates, but the form is working, though the pseudo check boxes still don't sport an actual check mark, the borders are just changed from one pixel to two pixels.

People can, however make donations.

Akeeba Admin Tools does not seem to have anything to do with the form not working, as far as I can tell, everything in Admin Tools is enabled except for click jacking prevention.

nicholas
Akeeba Staff
Manager

It sounds like there might have been something in the .htaccess not put there by Admin Tools which may have interacted with the way GiveWP redirects to PayPal.

Just something you need to keep in mind. Admin Tools in Joomla generates a new .htaccess file, completely replacing anything you had before. Admin Tools in WordPress cannot (and must not) do that. WordPress has its own .htaccess management API. We can only touch our own section of the .htaccess file. WordPress itself manages a part of this file and other plugins manage their own sections in that file. This is why things get very hairy when dealing with WordPress; we can't know how third party plugins will affect the way your .htaccess file will work! Some (okay, most) plugins are written in a very laissez-faire manner by people who don't really understand how servers work under the hood, leading to some very precarious if not outright icky code. We've seen... things. It's possible that an automatically installed update or the very process of regenerating the .htaccess file fixed some icky code.

As for the fake checkboxes, this does look like a JavaScript issue with GiveWP. Now, if they don't care to troubleshoot and only tell you to read the documentation, well, nobody can help with that. Eventually you'll have to replace that with a different donations solution like the one I recommended above. These third party solutions load all assets from their own CDN, minimising the chance of conflicts from misbehaving plugins. The downside is that they load from a third party CDN which makes Google Lighthouse complain a bit but not enough to ding your site's performance score significantly.

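Two of the replies above touch the same mechanism: the instruction to remove everything between `# BEGIN AdminTools` and `# END AdminTools`, and the later explanation that WordPress and each plugin own only their own marker-delimited section of .htaccess, with anything outside those markers belonging to nobody. The following is an added example, not Admin Tools or WordPress code. It parses a .htaccess file into `# BEGIN name` / `# END name` sections, removes one section while leaving the others byte-for-byte intact, and lists the directives that sit outside every section (the kind of hand-added rule the reply suspects interfered with the PayPal redirect). The sample file is constructed; the rule inside the AdminTools block is an illustrative placeholder, not what the .htaccess Maker actually generates.

```python
"""Work with the marker-delimited sections of a WordPress .htaccess file.

Added example (not Admin Tools or WordPress code). It assumes only the
'# BEGIN name' / '# END name' convention that WordPress and its plugins
use to mark the part of the file they own.
"""
import re

MARKER = re.compile(r"^#\s*(BEGIN|END)\s+(.+?)\s*$")

# Constructed sample. The AdminTools content is an illustrative placeholder;
# the real generated rules are not shown on this page.
SAMPLE_HTACCESS = """\
# BEGIN AdminTools
# (illustrative placeholder, not the real generated rules)
<IfModule mod_headers.c>
Header always set X-Frame-Options SAMEORIGIN
</IfModule>
# END AdminTools

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

# constructed: a hand-added redirect that no plugin owns
RewriteRule ^donate$ /index.php/donate [R=302,L]
"""


def find_sections(text):
    """Return {name: (first_line, last_line)} for every BEGIN/END pair, indices inclusive."""
    sections, open_blocks = {}, {}
    for i, line in enumerate(text.splitlines()):
        m = MARKER.match(line)
        if not m:
            continue
        kind, name = m.groups()
        if kind == "BEGIN":
            open_blocks[name] = i
        elif name in open_blocks:
            sections[name] = (open_blocks.pop(name), i)
    if open_blocks:
        # A BEGIN without its END: refuse to guess where the section stops.
        raise ValueError(f"unterminated section(s): {sorted(open_blocks)}")
    return sections


def remove_section(text, name):
    """Drop one section, markers included; everything else is returned unchanged."""
    sections = find_sections(text)
    if name not in sections:
        return text
    start, end = sections[name]
    lines = text.splitlines(keepends=True)
    return "".join(lines[:start] + lines[end + 1:])


def unmanaged_lines(text):
    """Directives outside every BEGIN/END block: the part no plugin owns."""
    owned = set()
    for start, end in find_sections(text).values():
        owned.update(range(start, end + 1))
    return [
        line for i, line in enumerate(text.splitlines())
        if i not in owned and line.strip() and not line.lstrip().startswith("#")
    ]


if __name__ == "__main__":
    print("sections:", sorted(find_sections(SAMPLE_HTACCESS)))
    print("unmanaged:", unmanaged_lines(SAMPLE_HTACCESS))
    print(remove_section(SAMPLE_HTACCESS, "AdminTools"))
```

Running `unmanaged_lines` before and after a plugin regenerates its section is a cheap way to tell whether a behaviour change came from that plugin's block or from a stray directive that nothing manages.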

tmichel

This is what I installed on the Joomla front. Have had no time to develop out my own CSS Grids template which I will do before year's end. I keep Bootstrap 5 for plugin and component compatibility and for quick form generation, but I use CSS Grids for all page layouts; it is part of the browser, no JavaScript required, and it has become quite elegant.

https://sagacicweb.com/index.php

I am also going to create some Ruby on Rails websites as well.

Looks like I will also be using Python to develop some AI apps; need to cut my teeth on that as well.

nicholas
Akeeba Staff
Manager

Good luck! I know next to nothing about Ruby, and Python and I have agreed we don't like each other (the last time I used a language with syntactically meaningful whitespace was Fortran 77 back in my university days and I didn't exactly enjoy the experience).
