Javascript disabled: PPOM inputs with additional costs not added to total cost
Tagged: AJAX, Javascript, security, validation
- This topic has 12 replies, 3 voices, and was last updated 5 years, 7 months ago by Jane Brian.
December 12, 2018 at 9:35 pm #10095 Lucky (Participant)
A client’s site with this plugin installed has had customers submit orders that have the PPOM inputs with additional costs attached to them as a filled-out field, but they are not added to the total. We have isolated the issue to be when a user has JavaScript disabled. We’ve been able to replicate the issue, so we know it’s caused by this. We’ve disabled anything that uses AJAX, but still, the issue persists.
Additionally, in the process of testing this, we discovered one of the Product Metas we have had the BETA AJAX-based validation setting enabled, and if a user has JavaScript disabled and clicks add to cart without filling out required fields, it gets added to the cart. The server does not double-check user input with this setting enabled, and that’s both problematic for our client, and dangerous if it isn’t verified for malicious input either. We’ve disabled the setting, but you definitely need to fix this issue if you ever want this to be a non-BETA feature.
This shouldn’t be happening, and it makes me worry if anything is checked server-side. If a user can add on additional costs without this plugin verifying that those costs have been added to the total price, they could get added changes for free if the client is busy and doesn’t check the order price. If the user bypasses the JavaScript protections in place when AJAX verification is enabled, the server should send them back to the page but with an error state.
This needs to be fixed soon, so clients don’t need to contact every customer that sends in a bad order. It’s obvious your server-side verification isn’t robust, and there’s no way for me to trust your security if simply disabling JavaScript breaks something as basic as verifying that anything that should be done client-side on the server. For all I know, a malicious user could bypass your protections and send in a much lower price than what they actually ordered.
December 15, 2018 at 8:08 am #10109 nmedia (Keymaster)
Hi Lucky,
Can you please share your product page URL? We are looking into this issue and will get back to you with more results.
- This reply was modified 5 years, 12 months ago by nmedia.
December 17, 2018 at 4:11 pm #10114 Lucky (Participant)
Sure, here’s one of the product pages. The Beta feature for Ajax validation is off, so the only thing you can check is the additional cost not being included.
Simply disable JavaScript, fill out required fields, and make sure you check the “Is This A Rush” checkbox. Once you add it to cart and look at the cart, you’ll see the issue. If you select “1-sided”, “250”, and “NA”, the price should be $53 when the rush checkbox is checked, but will show $33 if you have JavaScript disabled.
Please let me know if you need to know more or if you figured out the issue and will fix this.
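The server-side check this thread asks for, as an added example that is not part of the original posts and is not PPOM's code: required fields are validated and the price is recomputed from server-held option prices, so a request sent with JavaScript disabled cannot leave out the rush surcharge. Field names, the extra option values and their prices are assumptions; only the $33 and $53 totals come from the thread.

```php
<?php
// Added example; field names and option prices are constructed, not PPOM's schema.
// Server-side source of truth: nothing below is read from the request.
const BASE_PRICE = 33.00;
const FIELDS = [
    'sides'    => ['required' => true,  'options' => ['1-sided' => 0.00, '2-sided' => 10.00]],
    'quantity' => ['required' => true,  'options' => ['250' => 0.00, '500' => 15.00]],
    'coating'  => ['required' => true,  'options' => ['NA' => 0.00, 'Gloss' => 5.00]],
    'is_rush'  => ['required' => false, 'options' => ['yes' => 20.00]],
];

/** Validate posted options and recompute the price; any client-sent total is ignored. */
function price_from_post(array $post): array
{
    $errors = [];
    $price  = BASE_PRICE;
    foreach (FIELDS as $name => $def) {
        $value = $post[$name] ?? '';
        if ($value === '') {
            if ($def['required']) {
                $errors[] = "Missing required field: $name";
            }
            continue;
        }
        // Allow-list: accept only string values the server itself defined.
        if (!is_string($value) || !array_key_exists($value, $def['options'])) {
            $errors[] = "Invalid value for field: $name";
            continue;
        }
        $price += $def['options'][$value];
    }
    $ok = ($errors === []);
    return ['ok' => $ok, 'errors' => $errors, 'price' => $ok ? $price : null];
}

// Constructed requests, as a browser with JavaScript disabled could send them.
$requests = [
    'rush checked, stale total' => ['sides' => '1-sided', 'quantity' => '250',
                                    'coating' => 'NA', 'is_rush' => 'yes', 'total' => '33.00'],
    'required fields missing'   => ['sides' => '1-sided', 'is_rush' => 'yes'],
    'unknown option value'      => ['sides' => '1-sided', 'quantity' => '250',
                                    'coating' => 'NA', 'is_rush' => 'free'],
];
foreach ($requests as $label => $post) {
    $r = price_from_post($post);
    echo $label, ': ', $r['ok'] ? number_format($r['price'], 2) : 'rejected: ' . implode('; ', $r['errors']), PHP_EOL;
}
```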
December 17, 2018 at 4:19 pm #10115 nmedia (Keymaster)
Hi,
Yes, I have been working on this for the last couple of days and am almost ready to launch, but it is better if I send you beta version 15.6 before launch so you can test. Please let me know your email.
December 17, 2018 at 4:39 pm #10116 Lucky (Participant)
Please delete this message after I post it since I don’t have the ability to do that and would rather not leave it where anyone with an account here can view.
- This reply was modified 5 years, 11 months ago by nmedia. Reason: email removed
December 18, 2018 at 5:08 am #10118 nmedia (Keymaster)
Thanks, sure. I am sending you version 15.6 via wetransfer. Please remove the free/basic version and install this one.
December 18, 2018 at 5:02 pm #10119 Lucky (Participant)
Okay, I’ve checked this beta plugin, and while you may technically be stopping the issue for the seller, it doesn’t help the user at all.
I guess I figured you’d fix it by doing the calculation server-side and using that to add it to cart, or to at least suggest the user enable javascript for the form to work. The warning is in slightly broken English which would also make the user feel like the site is less trustworthy. If you are only going to warn the user and not do the cost calculation server-side, at least change the warning message to something like “Sorry, an error has occurred. Please enable JavaScript or contact site owner.”
Hopefully, you can smooth this out a bit more before launch, I don’t want to scare away users with a message that confuses them more than helps.
December 19, 2018 at 4:25 am #10122 nmedia (Keymaster)
Yes, the message is really bad and thanks for your feedback. Actually we have worked on price calculations so hard with the existing system, and prices are calculated on the server side based on options selected. So I don’t want to change the price calculations for now and would rather show a message to the user.
And how you like the new Admin UI?
December 20, 2018 at 12:13 am #10133 Lucky (Participant)
The UI is fine. It looks a little less utilitarian, which is good. I’m not trying to be rude, but I am just focusing on fixing the issue, so once the update rolls out the UI might mean more to me. Please let me know when this update is released.
December 20, 2018 at 3:51 am #10135 nmedia (Keymaster)
Sure, it will be released by today.
January 11, 2019 at 4:28 pm #10294 Lucky (Participant)
Okay, I really don’t like this. I specifically asked you to delete the message with my email from this thread. Even worse, this post is linked to from the changelog, leaving it even more public than it already is. I don’t want it exposed to spam.
Remove my email @nmedia
January 13, 2019 at 5:31 am #10302 nmedia (Keymaster)
Hi Lucky,
Sorry, we just removed your email.
April 30, 2019 at 11:30 am #12085 Jane Brian (Keymaster)
Hi,
It has been a long while for this topic, so we are closing this.
- The topic ‘Javascript disabled: PPOM inputs with additional costs not added to total cost’ is closed to new replies.