Add a PayPal shopping cart to your SmugMug galleries


Comments

  • TalkieT Registered Users Posts: 491 Major grins
    edited September 17, 2013
    Yaypie - You're doing a brilliant job of sounding a voice of reason while still toeing the corporate line :-)

    Look, I do get what you're saying, and I know it can't be easy, but the Smugmug policy of concealing developments is really starting to wear thin - especially when even the features you do end up developing seem to take years, not weeks or months. The recent 'features' since new SM launch don't really count either... they are tweaks.

    Your primary metric is never going to be about making all your customers happy... I just want an open, honest answer as to whether Smugmug is prepared to alienate (even further) the long term users that relied on Javascript for features Smugmug HAD NEVER SHOWN ANY INTEREST IN DEVELOPING.

    I honestly feel that bit needs emphasis. I asked for Paypal and foreign currency support for about 5 years before implementing paypal myself and when foreign currency support was delivered, it was lame and kludgey.

    As Lamah has mentioned, anything can be used as an attack vector if you allow any HTML at all.

    As for a solution? Well, you clearly have a per user flag for being allowed to use Javascript already. All you need is a method to vet users. Might I suggest anyone that's already been using it for years on old SM without using it for nefarious purposes be added to that list, with a suitable stick ready to smack them down if they suddenly decide to become a nasty hacker?

    Doing that would get rid of 95% of the current complaints I'm sure. Evaluating New SM now, as a greenfields option it looks great, but with the perspective of having many of my own feature extensions taken away from me because you don't trust me not to hack other users feels horrible.

    Cheers - Neil G
    --
    http://www.nzsnaps.com (talkiet.smugmug.com)
  • AdamNP Registered Users Posts: 178 Major grins
    edited September 17, 2013
    Baldy wrote: »
    both Google Calendar and AdSense are in test (AdSense is a pain to test so it will probably take longer than Google Calendar).

    The heroes have received many angry emails about AdSense since launch and I think the anger comes from imagining that we don't want ads on the site or we want a cut of the action. Actually, we just want to be more secure and to make the solution available to more people like it will be if it's built in. Our solution is not going to give us a cut.

    I have yet to see anyone give even a slightly credible explanation of how the Adsense code is a security threat. Millions and millions of sites use it, from personal blogs to sites that would make FAR more tempting targets for hackers than SM. If running Adsense on a webpage is a security risk, we may as well shut down the internet right now. It's an excuse.

    And how is Adsense a pain to test? It's some of the most widely used and vetted Javascript in the world. Can't you just whitelist script loaded from this URL or domain?

    <script type="text/javascript" src="http://pagead2.googlesyndication.com/pagead/show_ads.js">

    What am I missing? Why is this hard? I am no expert on Javascript at all, but I find it ludicrous that Adsense is being presented as a security risk.

    [edit] And my "anger" has nothing to do with any of the things you mentioned. My anger is solely because I am losing real and measurable income every SINGLE day that you guys drag your feet and act like a very simple issue is this huge problem.
  • yaypie Registered Users Posts: 46 Big grins
    edited September 17, 2013
    Lamah wrote: »
    Okay, well in that case I'll modify this extension so that it no longer uses <form> elements, and everybody wins...

    Sounds great!
  • TalkieT Registered Users Posts: 491 Major grins
    edited September 17, 2013
    yaypie wrote: »
    Sounds great!

    You do realise that you just fell into a trap right? If he posted that it means he already has a workaround that can accomplish the same thing - and you'll categorise it as a security risk.

    (Well, that's how I read it anyway!)

    Cheers - N
    --
    http://www.nzsnaps.com (talkiet.smugmug.com)
  • thenickdude Registered Users Posts: 1,302 Major grins
    edited September 17, 2013
    AdamNP wrote: »
    I have yet to see anyone give even a slightly credible explanation of how the Adsense code is a security threat.

    The adsense code itself isn't a threat.

    The issue is that when you embed Adsense onto your page, Google gives you a big block of arbitrary JavaScript code to add to the page which configures and loads your adverts. There are even a bunch of additional options you can add on to that code for special cases and features.

    Because that is arbitrary JavaScript code, it's basically impossible to validate to ensure that it isn't doing anything tricky. What SmugMug has to do instead is create a form you can fill out where each of the things that was in your advert's configuration can be entered, so that they can generate the embed code themselves, now knowing that it can't contain anything nasty.
  • AdamNP Registered Users Posts: 178 Major grins
    edited September 17, 2013
    Lamah wrote: »
    The adsense code itself isn't a threat.

    The issue is that when you embed Adsense onto your page, Google gives you a big block of arbitrary JavaScript code to add to the page which configures and loads your adverts. There are even a bunch of additional options you can add on to that code for special cases and features.

    Because that is arbitrary JavaScript code, it's basically impossible to validate to ensure that it isn't doing anything tricky. What SmugMug has to do instead is create a form you can fill out where each of the things that was in your advert's configuration can be entered, so that they can generate the embed code themselves, now knowing that it can't contain anything nasty.

    That's actually what I assumed they were doing. I would be presented with a form asking ad ID, publisher ID, etc. What I do NOT understand is why that is a difficult thing to do, or why it needs months of investigation or planning. It seems quite basic.

    [edit] and btw, thanks for the reply. You just said more in one short reply than the entirety of the SM team has said about this since launch. It's appalling how horrific their communication and transparency is.
  • yaypie Registered Users Posts: 46 Big grins
    edited September 17, 2013
    TalkieT wrote: »
    You do realise that you just fell into a trap right? If he posted that it means he already has a workaround that can accomplish the same thing - and you'll categorise it as a security risk.

    Taking away simple links would be going too far toward the "blank white page" side of the security tradeoff spectrum that I mentioned earlier. Lamah is right that someone can just link to a phishing site instead of using a form, but the distinction is an important one, for reasons I'll be happy to go into once we've shipped a few fixes. :)

    The gist of it is that when it comes to phishing, the problem is sometimes more psychological than technological.
  • thenickdude Registered Users Posts: 1,302 Major grins
    edited September 17, 2013
    AdamNP wrote: »
    What I do NOT understand is why that is a difficult thing to do, or why it needs months of investigation or planning. It seems quite basic.

    I doubt the timeline between starting work on this and releasing it will actually be months long.

    You could definitely spend a lot of time adding features like the ability to automatically load the correctly-sized ad banner for the device you're using, particularly on mobile phones where the standard-size banner will probably severely break the site layout. That'd probably consume a lot of testing time.
  • AdamNP Registered Users Posts: 178 Major grins
    edited September 17, 2013
    Lamah wrote: »
    I doubt the timeline between starting work on this and releasing it will actually be months long.

    You could definitely spend a lot of time adding features like the ability to automatically load the correctly-sized ad banner for the device you're using, particularly on mobile phones where the standard-size banner will probably severely break the site layout. That'd probably consume a lot of testing time.

    I don't see the need for anything like that. My Adsense code is 9 lines long and has a total of 4 parameters. The rest can be removed and the ad still functions. That's an insanely easy form to make.

    google_ad_client
    google_ad_slot
    google_ad_width
    google_ad_height

    I have no interest in SM deciding what banner to show, or which size to use. The size is defined by the ad slot I give. If it breaks my own layout, then so be it. That is not SM's problem.

    Anyway... I know this thread isn't about Adsense, so I don't mean to hijack. It would be better discussed in the huge Adsense feature request thread :)
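    Thenickdude's point above (arbitrary JavaScript cannot be checked, but a form of fixed fields can) and AdamNP's list of the four parameters, shown as an added example that is not SmugMug's code nor the Chrome extension's: each field is matched against an allow-list pattern (the exact ID formats are assumptions), anything else is refused, and only then is the embed markup generated, with the script URL fixed to the one quoted in the thread.

```javascript
// Added example, not SmugMug's or the Chrome extension's code.
// Instead of accepting freeform JavaScript (which cannot be checked for
// "anything tricky"), accept four fixed fields, validate each against an
// allow-list, and generate the AdSense embed code from the validated values.

// Script URL as quoted in the thread; a constant, never taken from the user.
const AD_SCRIPT_SRC = "http://pagead2.googlesyndication.com/pagead/show_ads.js";

// Allow-list shape for each field. The four names are the ones listed in the
// thread; the exact ID formats are assumptions for this example.
const RULES = {
  google_ad_client: /^ca-pub-\d{16}$/, // publisher id: "ca-pub-" + 16 digits (assumed)
  google_ad_slot: /^\d{10}$/,          // ad slot id: 10 digits (assumed)
  google_ad_width: /^[1-9]\d{0,3}$/,   // pixel width, 1..9999
  google_ad_height: /^[1-9]\d{0,3}$/,  // pixel height, 1..9999
};

class AdConfigError extends Error {}

// Returns a copy containing exactly the four allowed fields, or throws.
function validateAdConfig(input) {
  if (input === null || typeof input !== "object") {
    throw new AdConfigError("config must be an object");
  }
  // Anything outside the four known fields is refused rather than passed through.
  const extra = Object.keys(input).filter(
    (k) => !Object.prototype.hasOwnProperty.call(RULES, k)
  );
  if (extra.length > 0) {
    throw new AdConfigError(`unexpected fields: ${extra.join(", ")}`);
  }
  const out = {};
  for (const [name, pattern] of Object.entries(RULES)) {
    const raw = input[name];
    // Only strings are accepted, and only ones matching the whole pattern.
    if (typeof raw !== "string" || !pattern.test(raw)) {
      throw new AdConfigError(`rejected ${name}: ${JSON.stringify(raw)}`);
    }
    out[name] = raw;
  }
  return out;
}

// Builds the embed markup from a validated config. Every value has already
// been reduced to a fixed-shape token (digits, or "ca-pub-" plus digits), so
// the generated code cannot contain anything the form did not explicitly allow.
function buildAdEmbed(input) {
  const cfg = validateAdConfig(input);
  return [
    '<script type="text/javascript">',
    `google_ad_client = ${JSON.stringify(cfg.google_ad_client)};`,
    `google_ad_slot = ${JSON.stringify(cfg.google_ad_slot)};`,
    `google_ad_width = ${Number(cfg.google_ad_width)};`,
    `google_ad_height = ${Number(cfg.google_ad_height)};`,
    "</script>",
    `<script type="text/javascript" src="${AD_SCRIPT_SRC}"></script>`,
  ].join("\n");
}

// Wrapper for a form handler: never throws on bad input, reports why it was refused.
function tryBuildAdEmbed(input) {
  try {
    return { ok: true, html: buildAdEmbed(input) };
  } catch (e) {
    if (e instanceof AdConfigError) return { ok: false, error: e.message };
    throw e;
  }
}
```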
  • mbonocore Registered Users Posts: 2,299 Major grins
    edited September 17, 2013
    AdamNP wrote: »
    That's actually what I assumed they were doing. I would be presented with a form asking ad ID, publisher ID, etc. What I do NOT understand is why that is a difficult thing to do, or why it needs months of investigation or planning. It seems quite basic.

    [edit] and btw, thanks for the reply. You just said more in one short reply than the entirety of the SM team has said about this since launch. It's appalling how horrific their communication and transparency is.

    Adam,

    I have kept you updated to the best of my ability with regards to the AdSense content block. I really don't think you know how many people I annoy here on a daily basis about this (and many other issues brought up in Dgrin). I apologize it hasn't been implemented as quickly as you would like, but as I mentioned in the other dedicated thread for AdSense, this is not the only feature or bug we are working on fixing. As Yaypie states, it's a balancing act for not only security, but for feature requests, bugs, etc. We have to intake countless requests a day, and we do everything we can to prioritize them based on a large number of factors. While this was very high, it still had to be prioritized accordingly.

    Again, I apologize.
  • araknee Registered Users Posts: 22 Big grins
    edited September 17, 2013
    Here is the code and the file name does not come across.

    BUY PRINTS

    poster A4 $14.00 AUD
    poster A3 $24.00 AUD
    poster A2 $36.00 AUD
  • thenickdude Registered Users Posts: 1,302 Major grins
    edited September 17, 2013
    Hm, I added that code to my gallery using my PayPal extension and it actually worked fine for me.
  • Baldy Registered Users, Super Moderators Posts: 2,853 moderator
    edited September 17, 2013
    AdamNP wrote: »
    And how is Adsense a pain to test? It's some of the most widely used and vetted Javascript in the world. Can't you just whitelist script loaded from this URL or domain?

    <script type="text/javascript" src="http://pagead2.googlesyndication.com/pagead/show_ads.js">

    What am I missing? Why is this hard? I am no expert on Javascript at all, but I find it ludicrous that Adsense is being presented as a security risk.

    [edit] And my "anger" has nothing to do with any of the things you mentioned. My anger is solely because I am losing real and measurable income every SINGLE day that you guys drag your feet and act like a very simple issue is this huge problem.
    Adam, I'll have to be honest with you and people like TalkieT. Perhaps as high as 0.1% of our customers use AdSense, and yet we're doing this anyway. It may be out as soon as the end of this week. Each of the testers had to get AdSense accounts and learn about AdSense, not a technology they knew anything about.

    We can't just open a freeform JavaScript window for everyone like we did in the past and compromise security for 100% of our customers, no matter how many angry posts you make.

    What is true is way over 90% of our customers don't want us allocating engineering to AdSense, and yet we did it anyway. And well over 90% of our customers don't want dgrin littered with angry posts like yours, which we hear every day.

    When a customer starts screaming at the staff and other customers in a GAP store, the manager comes out and escorts them from the store. Do I have to start doing that on dgrin?
  • Darter02 Registered Users Posts: 947 Major grins
    edited September 17, 2013
    (image: tumblr_mky23oiTiz1rblqp8o1_250.gif)
  • AdamNP Registered Users Posts: 178 Major grins
    edited September 17, 2013
    Baldy wrote: »
    Adam, I'll have to be honest with you and people like TalkieT. Perhaps as high as 0.1% of our customers use AdSense, and yet we're doing this anyway. It may be out as soon as the end of this week. Each of the testers had to get AdSense accounts and learn about AdSense, not a technology they knew anything about.

    We can't just open a freeform JavaScript window for everyone like we did in the past and compromise security for 100% of our customers, no matter how many angry posts you make.

    What is true is way over 90% of our customers don't want us allocating engineering to AdSense, and yet we did it anyway. And well over 90% of our customers don't want dgrin littered with angry posts like yours, which we hear every day.

    When a customer starts screaming at the staff and other customers in a GAP store, the manager comes out and escorts them from the store. Do I have to start doing that on dgrin?

    I am losing money every day from this. I'm not going to apologize for being unhappy about that. Most features will be that way, where the huge majority don't need it. I don't give the slightest care about Wufoo, Vimeo, or Statcounter, but you didn't see me complaining about it being implemented. Just because I don't want it doesn't mean other people shouldn't still get it. That's a silly argument.

    I have never "screamed" at anyone here, and certainly not other customers. If you think anything I said is inappropriate, I'd like to invite you to about 99% of the internet, where things are FAR less civil than here. If you or anyone here has such a thin internet skin that my posts are bothering you, you should probably stay off the internet.

    I have said over and over again that the new SM is a great product, in most ways. I have been a manager for 20 years. You know what the first thing they taught us about customer complaints was? Embrace them, and appreciate them. Because most unsatisfied customers just leave without a word. The ones who complain basically like you, and WANT to remain a customer, if you work with them. Suggesting that myself and others like me need to be silenced is just... well, I don't even know what to say to it.

    If you guys communicated better, none of this anger would ever have happened. No one bothered to even say this was being done, or tested, until a couple of days ago. I and others in the Adsense thread have been asking for comment for over a month. The only thing you yourself EVER said is that "we've not yet begun work", and that was in a totally unrelated thread. Try actually talking to us, then maybe you wouldn't see these kinds of posts any more. Communication is everything in business. If you can't dedicate large amounts of time to customer communication or hire a person who has that as their sole job, then you have no place running an internet-based business.
  • AdamNP Registered Users Posts: 178 Major grins
    edited September 17, 2013
    I thought I would add the quote I was referencing. This was posted nearly a month ago, so I'm not sure how we'd have any way of knowing more (until the last couple of days). Also, from what you said after that, it sounds to me that you have many important clients who want this feature, and not some unimportant 0.1%. Which is it?
    Baldy wrote: »
    For Adsense, we're thinking about the best way to do this but have not begun work. We have many very large household-name accounts such as newspapers who depend on Adsense
  • araknee Registered Users Posts: 22 Big grins
    edited September 17, 2013
    Lamah wrote: »
    Hm, I added that code to my gallery using my PayPal extension and it actually worked fine for me.

    How does it bring the file number across to paypal?

    It only shows the default item "foto"
  • thenickdude Registered Users Posts: 1,302 Major grins
    edited September 17, 2013
    You need to use the extension to add the code to the photos. That causes it to customise the product name for you to include the photo's filename.
  • mbonocore Registered Users Posts: 2,299 Major grins
    edited September 17, 2013
    Adam, but what if we didn't start the work on this till a week ago? We were not hiding anything from you. As I said, it needed to go through a lot of different processes before it is implemented, and just because you wanted it, doesn't mean it trumped everything else on our plate.

    We have been keeping you informed every step of the way. While I would love to go into every thread and give a daily update, you know that's just not possible. Also, it would bump old threads that have already been submitted, and hide new threads that are important to other people. I do not want to do that to the other customers here on Dgrin. If I don't provide an update, then it is safe to assume there is no update. You are more than free to check in every week or 2, but please understand we had this on our end since the original report, and the endless chatter about it did nothing to help get it escalated ahead of other issues, but just took away attention from other important threads. We have this coming, I think we can officially put this issue to rest and all be friends :)

    Thanks Adam
  • pilotdave Registered Users Posts: 785 Major grins
    edited September 17, 2013
    Baldy wrote: »
    What is true is way over 90% of our customers don't want us allocating engineering to AdSense, and yet we did it anyway. And well over 90% of our customers don't want dgrin littered with angry posts like yours, which we hear every day.

    I don't use adsense. But I support you guys working on it. And whatever other content blocks are in the works. There should be new content blocks being released every week.

    Smugmug should have a content block "store" like an app store. Developers should be able to design their own content blocks within the smugmug framework. Then they'd get submitted, checked by smugmug for security, beta tested, and released. Smugmug users would get an ever growing list of content blocks they can add to their sites.

    The way things are working now is ridiculous... or at least it seems that way to those of us that don't have visibility into what's really going on at smugmug. Communication goes a long way. You guys have gotten bad at it when it matters most. New smugmug came with a bunch of unexpected downgrades. I'm not even talking about bugs. I'm talking about removal of features and a UI that makes every-day tasks like keywording take longer. If you guys are making improvements... real, substantial improvements, not tweaking the looks of the old hard to use shopping cart, let us know. Clearly we're not getting javascript support. Make us feel comfortable that you have a plan to add new features (that would otherwise be a copy and paste of a few lines of code) in any kind of a timely manner... and regularly! Because right now we're not comfortable and you're making it worse.

    Dave
  • araknee Registered Users Posts: 22 Big grins
    edited September 17, 2013
    Lamah wrote: »
    You need to use the extension to add the code to the photos. That causes it to customise the product name for you to include the photo's filename.

    Thought that was the case.
    Wouldn't do it when I was in the incognito window but works in normal window.

    The only thing now is that the file number is no longer visible for people who order by email.
    Is it possible to add the file name to the title when it adds the paypal button?
  • thenickdude Registered Users Posts: 1,302 Major grins
    edited September 17, 2013
    araknee wrote: »
    The only thing now is that the file number is no longer visible for people who order by email.
    Is it possible to add the file name to the title when it adds the paypal button?

    Oh right, I forgot that it would hide automatic SmugMug filename displays.

    Okay, I've uploaded a new version of the extension, which Chrome should update you to shortly. To manually update, click the menu button, then Tools->Extensions. Tick the "developer mode" tickbox at the top right, then click "update extensions now". You should see the version number next to the Unofficial SmugMug Extension for Chrome update to 0.1.5 after a couple of minutes.

    When you've got the new version, add the word "$FILENAME" above your button code in the extension, it'll get replaced with the filename of the photo.
  • TalkieT Registered Users Posts: 491 Major grins
    edited September 17, 2013
    Baldy wrote: »
    Adam, I'll have to be honest with you and people like TalkieT. [snip]
    We can't just open a freeform JavaScript window for everyone like we did in the past and compromise security for 100% of our customers, no matter how many angry posts you make. [snip]

    When a customer starts screaming at the staff and other customers in a GAP store, the manager comes out and escorts them from the store. Do I have to start doing that on dgrin?

    First up, thanks for engaging - can I take your comment above to be confirmation that Javascript is gone for good, and the only people that are going to be allowed to use it are approved customisers? If that's the case, fine, but let us know.

    I've given up asking for a comment on Paypal or self fulfillment. I can only judge you on your actions and over the last few years that would lead me to believe that there's not going to be any serious development in that area for several more years.

    If there was another host that did as good a job as you do on most things then I'd move... It kills me that you're the best (for me) in most areas, and that SM is utterly infuriating and glacial in some areas that are critical to me.

    Cheers - N
    --
    http://www.nzsnaps.com (talkiet.smugmug.com)
  • Baldy Registered Users, Super Moderators Posts: 2,853 moderator
    edited September 18, 2013
    TalkieT wrote: »
    First up, thanks for engaging - can I take your comment above to be confirmation that Javascript is gone for good, and the only people that are going to be allowed to use it are approved customisers? If that's the case, fine, but let us know.

    I've given up asking for a comment on Paypal or self fulfillment. I can only judge you on your actions and over the last few years that would lead me to believe that there's not going to be any serious development in that area for several more years.

    If there was another host that did as good a job as you do on most things then I'd move... It kills me that you're the best (for me) in most areas, and that SM is utterly infuriating and glacial in some areas that are critical to me.

    Cheers - N
    Talkie, I think you should assume the answer is we'll never roll out JavaScript to the masses. That way we can all move on and do our best to write content blocks, create things in CSS, etc. And if we do find a way to roll it out, then maybe it will be a happy surprise.

    The situation is the JavaScript content block is done and in use by some customizers. But a group of security-minded engineers and customers stopped us from rolling it out. It's possible that someone will figure out a way to do it, but so far the people with in-depth security knowledge that we're engaged with have said it's not.
  • Baldy Registered Users, Super Moderators Posts: 2,853 moderator
    edited September 18, 2013
    pilotdave wrote: »
    I don't use adsense. But I support you guys working on it. And whatever other content blocks are in the works. There should be new content blocks being released every week.
    Hey Dave,

    I know that sounds very appealing and if we thought a company could do that and succeed, we would. But the companies that have tried that I'm aware of have all run into financial problems and faded away. On the big stage, you can think of MySpace and facebook. MySpace allowed all kinds of customization facebook didn't even though facebook's customers were screaming for it. On a smaller stage, PhotoReflect, PrintRoom, Pictage, and Zenfolio. They were all very good at chasing down every customer request until their code base became so enormous no team of engineers could move it forward.

    Our situation is we have 28 engineers. Compare that to Twitter (1,000), facebook (3,000), Wix (330), etc. And those companies have kept their products simpler than ours.

    Our mantra over the last two years was to nail beauty, ease of customization, and ease of organization. We have work to do on many things like keywording, yes, but just doing the three things above made an enormous difference with customer acquisition and retention.

    facebook's mantra is to do fewer things better and I'm sorry to disappoint you, but we have had to do the same to succeed.
  • TalkieT Registered Users Posts: 491 Major grins
    edited September 18, 2013
    Baldy wrote: »
    Talkie, I think you should assume the answer is we'll never roll out JavaScript to the masses. That way we can all move on and do our best to write content blocks, create things in CSS, etc. And if we do find a way to roll it out, then maybe it will be a happy surprise.

    The situation is the JavaScript content block is done and in use by some customizers. But a group of security-minded engineers and customers stopped us from rolling it out. It's possible that someone will figure out a way to do it, but so far the people with in-depth security knowledge that we're engaged with have said it's not.

    Thanks for that - it's unfortunate but clarity is a good thing. Can I push my luck and ask for clarity on self fulfilment and Paypal processing please?

    Cheers - N
    --
    http://www.nzsnaps.com (talkiet.smugmug.com)
  • Baldy Registered Users, Super Moderators Posts: 2,853 moderator
    edited September 18, 2013
    AdamNP wrote: »
    I'd like to invite you to about 99% of the internet, where things are FAR less civil than here. If you or anyone here has such a thin internet skin that my posts are bothering you, you should probably stay off the internet.
    I like to think I understand forums fairly well, because I own what I think is the largest motorcycle forum and those guys are frisky. I have quite a presence on facebook, etc.

    But I have to agree with the masses of our customers and support heroes who say SmugMug support on dgrin is unique among Internet sites because it's nearly unheard of to get bumped, talked to, or have your post deleted no matter the anger or level of hijacking. We can only get a very small percentage of our customers to participate because they can't defriend, unfollow or ignore the angries.

    We seek customer complaints and suggestions, that's definitely not the issue for us or our customers. We're always phoning and visiting and asking for what annoys them, what we can do better, etc.

    The angry hijacks are not good for you and guys like Talkie because a decreasing number of our engineers are willing to post here now. These are people who have no problem with the help desk, facebook, and all the other venues.
    AdamNP wrote: »
    If you guys communicated better, none of this anger would ever have happened. No one bothered to even say this was being done, or tested, until a couple of days ago.
    I'm sorry to say we can't pre-announce anymore. I wish we could, but that option was closed for us long ago. I have many long posts about this in various places.

    I don't think you'll get facebook, Google, Amazon, Twitter, Apple or any other good company to do it either, for the same reasons we can't. But I think we'd all like to.
  • thenickdude Registered Users Posts: 1,302 Major grins
    edited September 21, 2013
    I've uploaded a new version of the extension, 0.1.7, which now no longer uses the banned <form> tag. As a side-effect, instead of having a drop-down list with your product options, those will now be presented as a clickable list which always appears. See the example gallery here:

    http://www.sherlockphotography.org/Customisations/PayPal/Example-cart-gallery

    Chrome should update you to this version automatically within a few hours. To manually update, click the menu button, then Tools->Extensions. Tick the "developer mode" tickbox at the top right, then click "update extensions now". You should see the version number next to the Unofficial SmugMug Extension for Chrome update to 0.1.7 after a couple of minutes.

    This new version has new CSS to go along with it, so be sure to update the CSS code in your theme from the CSS on this page:

    http://www.sherlockphotography.org/Customisations/PayPal
  • TalkieT Registered Users Posts: 491 Major grins
    edited September 21, 2013
    Amazing stuff! This single workaround might be enough to make me stay... It was the one true showstopper for me. Many thanks and I hope SM don't ban this implementation as well.

    Cheers - N
    --
    http://www.nzsnaps.com (talkiet.smugmug.com)
  • MomaZunk Registered Users Posts: 421 Major grins
    edited September 21, 2013
    Thanks Lamah...That may help me with my Fine Art Stuff, and for downloads that I want to have specific licensing wording.
    For my Team and Individual sales, I am looking at linking to a jot form that is a bit more complex, instead of adding a bunch of buttons for the 30 or so options.