We are trying to leverage the FullStory system into our site. However, we have a TON of PII data, and we would like to avoid having to explicitly denote each individual hard-coded piece of data as PII.
I was thinking if there was a way to create a global filter for our mustache binding expressions, we could invert the need, only unmasking fields that we deem acceptable to provide to FullStory.
For example, FullStory would require me to write the following in my templates:
<template>
<h1 class="fs-mask">Hello {{user.Name}}</h1>
<h2>please checkout {{newFeatureText}}</h2>
</template>
I write a component that looks like this:
<template>
<h1>Hello {{user.Name}}</h1>
<h2>please checkout {{newFeatureText | nonPII}}</h2>
</template>
This way we don't accidentally miss masking information in our FullStory recording.
Have you considered inverting this and asking to turn on the "Private by Default" option? If there were any non-PII data you really wanted to see in your recordings you could then unmask just that data?
https://help.fullstory.com/hc/en-us/articles/360044349073-FullStory-Private-by-Default
So I am trying to build something for my store but a few things are somewhat unclear.
If I need to save some user settings, do I need my own backend just for that app specifically? For simplicity's sake, I want to build an app to save and display a custom message in cart-template.liquid. To achieve that, I think my app should make a request to my backend (let's say, on Heroku) and save it in some DB that the app is using?
How do I retrieve that data in cart-template.liquid? I guess I build a snippet that calls a public endpoint of my backend that returns the saved message using fetch() or maybe axios.get, and embed it using {% render 'fetch-custom-message-snippet' %}?
Say I ask for user input, i.e. "Engraved message", and the form is in cart-template.liquid, of course. The following snippet is used:
<p class="line-item-property__field">
<label for="engraved-message">Engraved message</label>
<input id="engraved-message" type="text" name="properties[Engraved message]">
</p>
How do I make sure that bit of information is captured and passed to me? I guess I want to see it somewhere in the order details.
If I need to save some user settings, do I need my own backend just for that app specifically? For simplicity's sake, I want to build an app to save and display a custom message in cart-template.liquid. To achieve that, I think my app should make a request to my backend (let's say, on Heroku) and save it in some DB that the app is using?
Yes, you need your own backend. Your application alone is responsible for storing its own information (there are some exceptions, like a special order field which I show you below) - that typically implies a database that backs up your service and holds your data. Please check out this thread, as you can find lots of valuable information there.
Regarding cart-template.liquid, I'd suggest taking a look at the official "Shopify Developers" documentation. All information you're allowed to display and request is neatly explained and ordered there.
How do I retrieve that data in cart-template.liquid? I guess I build a snippet that calls a public endpoint of my backend that returns the saved message using fetch() or maybe axios.get, and embed it using {% render 'fetch-custom-message-snippet' %}?
Once again, there are good guides out there. I suggest taking a look at this blog post, which goes in depth on this topic. Reading Shopify's documentation about the Liquid template language is also highly advised.
How do you retrieve that data? According to this specific example any input will be supplied to your order page in the Shopify admin. For example:
<label for="CartNote">Special instructions</label>
<textarea name="note" id="CartNote">{{ cart.note }}</textarea>
Taken from https://shopify.github.io/liquid-code-examples/example/cart-notes; it shows a "Special instructions" label and textarea for users to submit details about the order. You will get this data, as mentioned, on the order page in the Shopify admin.
Say I ask for user input, i.e. "Engraved message", and the form is in cart-template.liquid, of course. The following snippet is used: [...] How do I make sure that bit of information is captured and passed to me? I guess I want to see it somewhere in the order details.
See above.
//EDIT:
To prevent any confusion: it seems like you want to develop a custom app just for personal usage and not to publish it in the Shopify App Store. In this case, more often than not, you don't need an external database; e.g. the example you provided, a simple order request, is easily doable through Shopify's examples.
For your specific case, use this code snippet (I modified your original example to fit the case - it's obviously not a full cart-template.liquid; in this case the file is called cart.liquid):
<label for="engraved-message">Engraved message</label>
<!-- the cart form stores the field named "note" as cart.note -->
<textarea name="note" id="engraved-message">{{ cart.note }}</textarea>
//EDIT 2:
The link shared by another user in this thread, namely #Simas Butavičius, is actually kind of useful if you have problems with the customization process in general, i.e. if you want to revise some basic concepts or want to check how to implement the code snippet from above in the whole structure of your website. I'd advise skimming through this site.
Needless to say, there are hundreds of good tutorials, questions regarding the same "issue" or other resources in general.
I suggest for further reading purposes to check out some of these links and guides (some may be mentioned above):
https://shopify.github.io/liquid-code-examples/example/cart-notes
https://shopify.github.io/liquid-code-examples/example/checkout-form (! very good in-depth example)
https://www.christhefreelancer.com/shopify-liquid-guide/
https://shopify.dev/docs/themes/theme-templates/cart-liquid
https://shopify.dev/docs/themes/liquid/reference
https://www.shopify.com/partners/shopify-cheat-sheet (! helpful cheatsheet)
https://community.shopify.com/c/Shopify-Design/Cart-Use-cart-attributes-to-collect-more-information/td-p/613718
https://community.shopify.com/c/Shopify-APIs-SDKs/Add-custom-input-fields-to-cart/td-p/154710
https://community.shopify.com/c/Shopify-Design/Product-pages-Get-customization-information-for-products/td-p/616503
Here is the tutorial specifically for creating a custom Shopify input field to collect engraving information: https://community.shopify.com/c/Shopify-Design/Product-pages-Get-customization-information-for-products/td-p/616503
I added a new type of image format 3d in my commercewebservices-spring.xml.
I want to access this new format in my product-images.component in Product Detail page, something like:
<ng-container *ngIf="mainImage$ | async as main">
<div *ngIf="main.3d as 3d">
But I get an 'unresolved variable', so I guess I need to add this new format elsewhere in spartacus or there is something I'm missing.
Could anyone help with this? Thanks a lot in advance.
There are a couple of steps you'd need to do:
Make sure that the image has been exposed in the OCC API. The OCC endpoints have a configurable fields mapping that you can use to control the response. You need to verify that your 3d property is exposed. I'm also not sure whether you added this as a new property to the backend product model, and whether it's a media container or a media. But I assume you'll figure that out.
Make the Spartacus adapter aware of the new field mapping, this is documented in https://sap.github.io/spartacus-docs/connecting-to-other-systems/#configuring-endpoints. You basically configure the required field, so that the data is requested and automatically stored inside the product state in Spartacus.
Implement the UI. I'm not sure whether you'd like to add the 3d image as part of the other thumbs/images, or whether you need a dedicated UI for 3d images. If it's a complete replacement of the product images, the easiest thing is to replace the current CMS ProductImagesComponent mapping, i.e.:
providers: [
  provideDefaultConfig(<CmsConfig>{
    cmsComponents: {
      ProductImagesComponent: {
        component: Custom3dImagesComponent
      }
    }
  })
]
This is documented at https://sap.github.io/spartacus-docs/customizing-cms-components/
There are alternatives for each step, but these are the most straightforward.
If you look at ProductImageNormalizer (https://sap.github.io/spartacus/injectables/ProductImageNormalizer.html#source) you can see that the mapping is slightly different: either image.primary.<format> or image.gallery[n].<format>
Also, bear in mind that the format codes used in the DTO are mapped in the SAP Commerce side. There is an ImageFormatMapping concept, which maps from the actual media format used in the data model in SAP Commerce to the format strings used in the DTO.
I'm using a Drupal site which seems to add FOAF by default, therefore an image would have the following tag:
<img typeof="foaf:Image" src="....
I'm trying to set up Rich Snippets, and on a wrapper I have this div:
<div typeof="schema:Recipe">
and then I have schema markup on all fields within this.
Using Google Search Console it pulls in all the other values but I've had trouble with the Recipe Image specifically. I'm wondering if there's a conflict going on? How do FOAF and Schema act with each other? What is FOAF even used for?
Google Structured Data tool is only pulling the Image type in, whereas I'd assume it should by default pull the src URL in too?
For reference the Recipe I'm testing is here: http://www.simplybeefandlamb.co.uk/recipes/pulled-beef-brisket
I'm building a commenting system. The comment is sent to a stored procedure in SQL.
What is the best way to prevent html, script, or SQL queries to be injected into the table? I want to do this server-side.
For example:
INSERT INTO MyTable (UserID, Comment) VALUES (#UserID, #Comment)
What would be the best way to deal with the comment field and remove any potential HTML, scripts, or queries to prevent attacks? Or to drop the insert if it contains certain characters? Eventually I want the user to be able to insert a link, though, which would render on the site as a clickable link...
Just new to this security stuff and obviously it's important.
Thank you so much.
Use parameterised statements (as you appear to be doing) with parameters for all variables and you have nothing to worry about from SQL injection.
HTML and JS injections are a concern to do with the page output phase, not database storage. Trying to do HTML escaping or validation in the database layer will be frustrating and fruitless: it's not the right place to be dealing with those concerns, you'll miss or mis-handle data, and the tools for string manipulation in SQL are weak.
Don't think in terms of detecting “attacks”, because blacklists will always fail. Instead aim to handle all text correctly, and then you'll be secure as a side effect of being accurate. Variable text that you drop into an HTML file needs to be HTML-escaped; variable text that you drop into a JavaScript string literal needs to be JS-escaped.
If you're using standard .NET templates, use the <%: syntax to HTML-escape text. Use that as your output tag instead of <%= and you'll be fine. Similarly, if you're using WebForms, use the controls whose Text property is automatically HTML-escaped. (Unfortunately this is inconsistent.) Where you have to generate markup directly, use HttpUtility.HtmlEncode explicitly.
Encoding for JavaScript string literals is a little trickier. There is HttpUtility.JavaScriptStringEncode, but JS strings commonly live inside HTML <script> blocks (making the </ sequence dangerous where it isn't in native JS), or in HTML inline event handlers (where you would need to JS-encode and then HTML-encode as well). It tends to be a better strategy to encode the data you want to send to JS in the DOM using regular HTML-escaping, for example in a data- attribute or an <input type="hidden">, and have the JS grab the value from the DOM.
If you really have to allow the user to input custom markup, then you'll need to filter it at input time to a small whitelist of approved elements and attributes. Use an existing HTML purifier library.
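The output-side encoding the answer describes, as an added example in JavaScript (not from the original answer, and not the .NET helpers it names): one escaper per context, the raw text HTML-escaped into a data- attribute for page scripts to read from the DOM, and a separate JS-string escaper for the cases where a literal inside a <script> block really is needed. The parameterised INSERT is assumed to happen unchanged before any of this runs; the sample comment is constructed.

```javascript
// Added example (not from the original answer): context-aware output
// encoding for stored comment text, as the answer recommends. Storage is
// assumed to use a parameterised INSERT; nothing is escaped before it is
// stored, only when it is written into a specific output context.

// Escape for an HTML text node or a double-quoted HTML attribute value.
function htmlEscape(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Escape for a JavaScript string literal that may live inside an HTML
// <script> block. Quotes and backslashes are escaped as usual; "<", ">"
// and "&" are \u-escaped so that "</script>" inside the data cannot
// terminate the block; U+2028/U+2029 are JS line terminators.
function jsStringEscape(text) {
  return String(text).replace(/[\\"'<>&\u2028\u2029\r\n\t]/g, (ch) =>
    "\\u" + ch.charCodeAt(0).toString(16).padStart(4, "0"));
}

// Render one comment. The raw text goes HTML-escaped into a data-
// attribute so client-side script can read it from the DOM rather than
// from a JS literal (the strategy the answer prefers).
function renderComment(userId, comment) {
  return `<div class="comment" data-user="${htmlEscape(userId)}"` +
    ` data-comment="${htmlEscape(comment)}">${htmlEscape(comment)}</div>`;
}

// For the cases where a JS literal really is required inside <script>.
function renderScriptBlock(comment) {
  return `<script>var comment = "${jsStringEscape(comment)}";</script>`;
}

// Constructed sample: comment text that would close a <script> block
// and inject markup if it were dropped into the page unescaped.
const SAMPLE_COMMENT = 'Great recipe! </script><b>bold</b> & "quoted"';

// True when the rendered script block contains exactly one "</script>"
// (the closing tag written by the template itself).
function scriptBlockIsIntact(html) {
  return html.split("</script>").length === 2;
}
```

Note that jsStringEscape alone is still not enough for an inline event-handler attribute; there, as the answer says, the JS-escaped value must be HTML-escaped as well.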
So I have a list present in the template context and I want to apply random and then access an attribute of the resulting object.
So far, what I've read in the template section of the django documentation, filters always have to come after the variable so I understand (even though I tried it anyway) that
{{ my_list|random.attribute }}
won't work.
Right now I'm using a custom filter to access attribute, so I can chain it after any other filter, but what would be the best solution for this?
Use with to give the result another name temporarily.