How to parse user entered string for URLs and safely display? - ruby-on-rails

I'm adding a feature to a web app where users can click a button to enter a link, and then paste in an address. I then want to parse out the string entered, and extract the domain from the URL so that I can display the domain separately next to the link. The idea here is something similar to what Slashdot does, where links are displayed with their domain next to them so that users have some degree of warning before clicking on a malicious link like goatse.
Example link display:
Link [google.com]
What's the best way for me to parse what the user enters? I'd like to avoid limiting the users from pasting in any type of a legitimate protocol. For example, I'd like them to be able to enter in "aim:goim?screenname=SCREENNAME", which is an aim protocol link that opens a chat window. For oddball protocols like aim where the domain doesn't exist, I'd like to display the protocol instead of the domain.
Also, are there any security gotchas I should be aware of?
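An added example (not code from the question or from any answer) of the parsing and display step in plain Ruby, usable from a Rails helper. It uses the standard `uri` and `erb` libraries only. The allow-list of schemes is my own assumption: it admits the `aim:` scheme the question mentions and deliberately omits `javascript:`, `data:` and `vbscript:`, since a link with one of those schemes executes in the reader's browser rather than navigating anywhere. Anything that fails parsing or the allow-list is shown as escaped text, never as an anchor, and the displayed label is HTML-escaped separately from the href.

```ruby
require "uri"
require "erb"

# Schemes this example will turn into a clickable link. The list is an
# assumption for the example: "aim" is included because the asker wants it;
# "javascript", "data" and "vbscript" are absent because a link with one of
# those schemes runs script in the reader's browser instead of navigating.
ALLOWED_SCHEMES = %w[http https ftp mailto aim].freeze

# Schemes for which a host name is expected and shown instead of the scheme.
HOST_SCHEMES = %w[http https ftp].freeze

# Parses a user-supplied string and returns { href:, label: }, or nil when the
# string must not be rendered as a link (unparseable, disallowed scheme,
# or a web scheme with no host).
def describe_link(input)
  text = input.to_s.strip
  # Whitespace or control characters inside a URL are never legitimate here.
  return nil if text.empty? || text.match?(/[\s[:cntrl:]]/)

  uri = URI.parse(text)
  # A bare "google.com" has no scheme; assume http so the host can be extracted.
  uri = URI.parse("http://#{text}") if uri.scheme.nil?
  return nil unless ALLOWED_SCHEMES.include?(uri.scheme)

  if HOST_SCHEMES.include?(uri.scheme)
    return nil if uri.host.nil? || uri.host.empty?
    # Display choice for this example: lower-case the host and drop a leading "www."
    label = uri.host.downcase.sub(/\Awww\./, "")
  else
    # Schemes like aim: or mailto: carry no host, so show the scheme, as the question asks.
    label = uri.scheme
  end
  { href: uri.to_s, label: label }
rescue URI::InvalidURIError
  nil
end

# Renders "Link [domain]" markup. Unsafe or unparseable input becomes escaped
# plain text rather than an <a>, so the page never emits an href it did not vet.
def render_link(input)
  link = describe_link(input)
  return ERB::Util.html_escape(input.to_s) unless link

  href  = ERB::Util.html_escape(link[:href])
  label = ERB::Util.html_escape(link[:label])
  %(<a href="#{href}" rel="nofollow noopener noreferrer">Link</a> [#{label}])
end

if __FILE__ == $PROGRAM_NAME
  ["https://www.google.com/search?q=rails", "aim:goim?screenname=SCREENNAME",
   "google.com", "javascript:alert(1)", "not a url"].each do |s|
    puts "#{s.inspect} => #{render_link(s)}"
  end
end
```

In a Rails view the string returned by `render_link` would be marked `html_safe` only after this escaping; the allow-list check on the scheme is what keeps `javascript:` out of `href`, and escaping the label is what keeps an attacker-chosen host from injecting markup into the bracketed domain.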

Related

Requesting input on conceptual ideas for disguising browser history

I am working with a Domestic Violence support organisation to build a website and have been asked to provide a "Quick Exit" function.
The purpose is to enable the user to exit the site quickly without closing the browser. I have seen such buttons on similar sites and the normal scenario is that they simply cause a Google search page to be shown. (easy but doesn't hide history)
I am looking for ideas to improve on this function to hide/disguise the history stored in the browser as this is currently a fairly significant flaw with the Quick Exit buttons I've seen to date.
I had a concept but I am looking for input on either fleshing out my concept, or other alternative directions to consider.
My concept was to have two domains: let's call them dv-site.com and decoy-site.com. The former being the source of domestic violence support information and the latter being some random content, could be anything, let's just say weather information for the sake of the conversation.
If a user navigates directly to dv-site.com the server redirects to decoy-site.com but also attaches some session specific, or perhaps single use query string or similar.
decoy-site.com validates the query string and, if valid, loads dv-site.com within an iframe or something like that so from the users perspective they are just looking at dv-site.com, though the domain recorded in history is decoy-site.com.
Links within the iframe loaded site would similarly be redirected with the same or a new query string.
If a user was to click on the browser history and go directly to decoy-site.com it would not be able to validate the query string and would just load the decoy site like a normal site, i.e. just showing weather information that exists on that site.
Domestic violence is a serious systemic issue and I would love some input from anyone who has more technical knowledge than I do on fleshing out this concept.
Other aspects I am unsure of how to tackle:
ensuring that dv-site.com can get crawled and ranked by search engines, even though users are all redirected, as it is imperative that it appears in search results so it can be found
technical aspects of a redirect that does not appear in history.
I'm unsure if it's possible to do this without all content and engagement being attributed to the decoy-site.
For the redirect, I believe that HTTP redirects do not get stored in history. You can use a 302 redirect for that. HTTP has a set-cookie header that lets you record a cookie - coupled with the headers here, you can give the decoy site access without recording it in history. Then, delete the cookie.
As far as pagerank goes, you could add a line to robots.txt as described here (the last point) to force the bot to scrape using a query parameter. Then in the backend, return the dv site only if that parameter is passed, otherwise redirect. If the googlebot removes query params when publishing, it will work out. Otherwise, it might fail.
Best of luck.

Can we create a retargeting list in AdWords based on email open data in Marketo?

Based on people who interact with an email campaign through Marketo, I would like to create a retargeting campaign in AdWords.
Is it even possible using RTP?
What kind of interactions would you like to capture?
If it's clicks, you can pass the leads through some page that will send events to GA and eventually redirect them to the desired page.
If you're interested in capturing opens, it's more complicated: you will need to capture GA's client ID for each one of your leads when they fill out a form.
There are lead data onboarding tools that might help with this challenge.

SLComposeViewController - read only

Problem
I'm trying to provide my users with an alternative to purchasing my iAP by allowing them to share that they're playing the game via facebook.
However, when the composer view controller loads, the content is editable by the user. Which, for profitability's sake, is a bad thing. They could remove the entire message and still receive the perk that they receive for sharing. Thus, ruling out that way of marketing.
I'm curious as to two solutions.
Solution One
Force Read-Only ?
Solution Two
Cancel the sharing and display an error message if the sent message is not equal to the initial text/images.
Also, if it is not possible for them to remove the image and/or url then I don't really have a problem with them adding their own text. However, if they can remove the image/url then there is an issue.
Thank you for reading.
Restricting/enforcing what to share by the user, in any way, is not allowed in the Facebook Platform Policy. See also point 2 of: https://developers.facebook.com/policy#control. You can't make the share dialog read-only and you should not check if they shared the content you have provided.
With the second solution; you might also be hitting a policy restriction. You should not incentivize people to share in order for these kinds of promotions. See rule number 5: https://developers.facebook.com/policy#properuse. This might be a more difficult issue though, policy wise.
You can let people share an open graph object; either generated from your app or directly one that you (or FB) are hosting, with an open graph url. For that, see https://developers.facebook.com/docs/sharing/opengraph and https://developers.facebook.com/docs/sharing/best-practices.

How to get the specific <Ad ID, Campaign ID> that was clicked on from the landing page?

I've been searching for a solution to this, which I thought would be trivial, and seems pretty much impossible.
Here's the situation: I set up an AdWords campaign, ad groups and ads. I point them to www.mysite.com
Once visitors arrive to my site through one of my ads, I want to know which exact ad they clicked on (and campaign, as apparently the ad id isn't globally unique). Is this possible?
I first tried by enabling Destination URL auto-tagging, but seems like the gclid parameter is pretty much useless.
Then I looked at the UTMZ cookie, but it seems like at most (correct me if this isn't the case), you get the campaign number (is this even the ID in AdWords?) and the keywords searched or the ad's keywords, one of those. Not anything I can uniquely identify the ad by, right?
Finally, I looked at ValueTrack, although again correct me if I'm wrong, but this would mean manually changing the destination URL of each of my ads in AdWords, right? Even doing this, I'm not sure I can get something that lets me uniquely identify the clicked ad. Is {creative} what I want? It's described in the docs as the "unique ID of the creative", does that mean this includes the Campaign.Id and the AdGroupAd.Id?
Thanks!
There is a way to do what you want using tracking templates.
Navigating to auto-tracking and tracking template settings:
Log in to Adwords, and click "Campaigns".
Click "Shared Library" in the bottom left corner.
Under "Shared Library", click "URL options".
You'll now get these options:
These options are set for the entire account. I think it is possible to override the tracking template for individual campaigns, ad groups and ads. Here is what they mean:
Auto-tagging
Auto-tagging means that when a user clicks on an ad, they will go to a URL with the gclid parameter appended, for example http://yourwebsite.com/?gclid=example. This value is useful for some things, such as for offline conversions, so your website should save it.
Tracking template
Tracking template means that when a user clicks on an ad, they will be directed to this URL. Interestingly, it does not have to be your website, as long as the URL redirects to your website. For instance, you could set it up to look like this:
http://trackingcompany.com/?url={lpurl}&campaignid={campaignid}
{lpurl} and {campaignid} are placeholders which AdWords recognises and knows how to handle. So, for example, if a user clicks on an ad, they could go to:
http://trackingcompany.com/?url=http%3A%2F%2Fyourwebsite.com&campaignid=543987
trackingcompany.com must redirect the user now to http://yourwebsite.com, otherwise, it is in violation of AdWords policy and your ads could be rejected.
Now, here's the clever bit that I didn't realise because all of this is badly documented: you don't have to use a third-party tracking company to get access to things like campaign id. You can just reuse your own website! Just set your tracking URL to something like this:
{lpurl}?campaignid={campaignid}
You see that? {lpurl} will get replaced with the landing page, which is your website! So the user in our example would go to this URL upon clicking an ad:
http://yourwebsite.com?campaignid=543987
It's not clear to me whether example.com must now redirect to the landing page URL without those parameters, or not.
I can't find documentation on these placeholders anywhere, but these are the ones that I've found work:
{lpurl} landing page URL
{campaignid} campaign ID
{adgroupid} ad group ID
{creative} creative or ad ID
{keyword} keyword
Auto-tagging and tracking template together
If you enable both auto-tagging and a tracking template, then AdWords would behave as it normally does with a tracking template, appending a gclid query parameter.
Addendum: ignoring these new query parameters in Google Analytics:
If you use Google Analytics, you probably want to ignore these query parameters, merging hits with these parameters with hits that don't have them. You can do that by setting the "Exclude URL Query Parameters" option to aw_campaignid,aw_adgroupid,aw_creative,aw_keyword. You can't apply this retroactively, so do this before making any AdWords changes.
As far as I know there is no value track for campaign or ad group ID. You could just append something to the end of each ad's destination URL based on the campaign & ad group, but that is a bit of a chore.
If you link your Google Analytics & AdWords accounts and use auto-tagging in AdWords you can get the information you want in GA through the AdWords report (shows campaign, ad group, keyword etc). GA is able to use the gclid to retrieve data from AdWords, and I think you can then use the GA API to get the campaign data back out if you want it.
You could:
turn off auto-tagging
pull the entire account into an excel file
insert a new column for each desired output variable (Campaign, ad id [like Headline?])
trim, lower, and find/remove spaces from the target columns (so something like: campaignname, compressedheadline)
then concatenate that column with your destination URLs and a UTM string like this:
?utm_source=google&utm_medium=ppc&utm_content=compressedheadline&utm_campaign=campaignname
use this function and replace with the appropriate columns
=concatenate([dest url column],"?utm_source=google&utm_medium=ppc&utm_content=",[compressedheadline column],"&utm_campaign=",[campaignname column])
if the functions for the parts between the quotes break the formula, paste them into their own cells and then reference the cells in the concatenate function.
Drag this formula down the entire account,
Copy / Paste Special / Paste Values of the new Destination URLs over the old Destination URLs.
Remove unnecessary columns that have been created between Campaign, Ad Group, Headline, Description Line 1, Description Line 2, Display URL and your new Destination URL.
Then highlight just the Campaign, Ad Group, Headline, Description Line 1, Description Line 2, Display URL and your new Destination URL and you can paste this into the AdWords Editor under "add/update multiple ads".
You can get this data from the CLICK_PERFORMANCE_REPORT - The only downside to this is that this report can only be run for 1 day, so if you needed a month's worth of data you would have to run about 30 reports -
The ad Id is the "CreativeId" - you can get the campaignId and Adgroup ID as well from this report - there is 1 row for each click - (GCLID) these are unique.
see this link for more info on what fields are available
https://developers.google.com/adwords/api/docs/appendix/reports#click

Are manual activation and password reset pages still necessary?

I'm currently coding all of the account management functionality for my site, and have already implemented the account activation and password reset systems by e-mail. The e-mails each contain a link to a servlet (with the appropriate parameters attached to the end), which does all the processing. Tests for the systems have gone well, however I have one question.
If the link's text is the same as its address, is there any reason to include a traditional manual activation/password reset page (a page with a form where the request parameters in the activation or reset link would be entered into the appropriate fields)? If the link doesn't work in the e-mail, the user can always copy and paste it. Is there any particular reason why sites still have separate pages dedicated to these actions? And should I allow it?
You never know for certain the kind of transformations your email will undergo before being displayed to the person that will eventually use your reset facility. Combined with clueless users this may pose a problem.
An example: Since reset/activation links can be quite long they may be partially wrapped onto a new line after a transformation from HTML to plain text. Inevitably this will someday happen to a user that does not know how to deal with that situation.
Therefore it might be prudent to provide the backup method of just entering the code in a text field which on submit performs the GET that was intended in the first place.
You are of course free to decide that your site does not need the business of said type of user and skip implementation of the manual method!
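An added example (not code from the question or the answer, and not tied to the asker's servlet) showing the server side of the "backup method" the answer suggests, in Ruby: one redemption routine serves both the emailed link and the manual text field. The normalization step deals with the failure mode the answer describes, a code that arrives with line breaks and spaces because the mail client wrapped the link. The in-memory store, the hypothetical `issue_reset_token` / `redeem_reset_token` names and the one-hour lifetime are assumptions for the example; a real site would keep the hashed tokens in its database.

```ruby
require "securerandom"
require "digest"

# Hypothetical store for this example: sha256(token) => { user_id:, expires_at: }.
# Only the hash is kept, so a leaked copy of the store does not yield usable tokens.
RESET_TOKENS = {}

# Creates a single-use reset token for a user; the raw token goes into the e-mail link.
def issue_reset_token(user_id, ttl: 3600, now: Time.now)
  token = SecureRandom.urlsafe_base64(32)
  RESET_TOKENS[Digest::SHA256.hexdigest(token)] = { user_id: user_id, expires_at: now + ttl }
  token
end

# Mail clients wrap long lines, so a code pasted into the manual form may carry
# spaces, tabs or line breaks. urlsafe_base64 never contains whitespace, so all of
# it can be stripped without ambiguity.
def normalize_token(pasted)
  pasted.to_s.gsub(/\s+/, "")
end

# Shared redemption path for both the link handler and the manual form handler.
# Returns the user id on success, nil otherwise; the token is consumed either way.
def redeem_reset_token(pasted, now: Time.now)
  token = normalize_token(pasted)
  return nil if token.empty?

  # Lookup by hash: the caller never learns whether a guess was "close", and the
  # store never sees the raw token.
  entry = RESET_TOKENS.delete(Digest::SHA256.hexdigest(token))
  return nil if entry.nil?
  return nil if now > entry[:expires_at]
  entry[:user_id]
end

if __FILE__ == $PROGRAM_NAME
  token = issue_reset_token(42)
  wrapped = "#{token[0, 20]}\r\n  #{token[20..]}"   # constructed: what a wrapped e-mail might yield
  puts "wrapped paste redeems for user #{redeem_reset_token(wrapped).inspect}"
  puts "second use yields #{redeem_reset_token(token).inspect}"
end
```

Both handlers call `redeem_reset_token`, so the manual page adds no second code path to audit; the token is deleted before the expiry check so an expired token cannot be retried, and a successful redemption removes it so the link in the e-mail cannot be replayed.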
