Sorry about the frustrations you're having. We are continuously trying to improve the validation to ensure that we are only catching malicious code. As for the reasons we are doing this, I would like to re-emphasize those we previously mentioned.
In the new API, which will at some point replace the old XML one, we are taking security very seriously. While we can't go back and retrofit the old API with this security, we have and will continue to use it going forward. This is to ensure we minimize all potential threats we can regarding SQL injection, partial HTML injection and other script/css hacks from getting into our product. The HTML which comes through our API can be displayed in our UI and we do have a number of individuals who try to abuse that UI and hack us.
While I certainly understand that this is frustrating, we will at some point require developers to move to this new API. We appreciate anyone who is running into these problems working with us to move forward and we do take this very seriously. Whenever one of these reports comes in, we immediately have a developer take a look at the report and identify any exceptions we need to add to the filtering we run. Anything that is legitimate CSS/HTML or reasonable to exclude, we do. Generally speaking, from a security perspective it is always safer to have an inclusive filter than an exclusive filter. This is the direction we are moving with all of our products and services.
If you're going to perform validation or filtering of the HTML we're submitting (which is understandable), you absolutely need to provide either the specifics of what you're validating against, or a tool for developers to use outside of the API to manually validate our HTML and point out any speficic issues. Otherwise we're just wandering around in the dark. You need to provide a flashlight.
On that note, a better system than these forums, or at least a dedicated forum itself, needs to be implemented to flag specific email_content validation issues.
I completely agree with your feedback on both points.
1. Error Messages: we are looking into how to provide better, more detailed error messaging without allowing malicious people to take advantage of this and exploit our system. Hopefully we'll have some updates on this soon.
2. Better defect/issue tracking: we're working on a project right now to improve both visibility into our API performance (uptime, latency, availability,etc.) as well as an improve issue tracking and defect monitoring solution. We're hopeful to have the first pieces of that system out before the end of the year with more improvements to come on that front. Definitely agree, the forum is useful for troubleshooting code issues but not overly affective in defect tracking at all.
Hi, I have read all of these comments. I was triyng to use yuor API but your HTML filtering or validator or whatever you use is poorly programmed, errors are not clear and not even using http://validator.w3.org/ to validate my code and then use your API I can't pass your filter.
For example, this simple code:
<html><head><title>Boletin</tiltle></head><body><table width="700"><tr><td>horrible API filter</td></tr></table></body></html>
I got the error:
[error_key] => json.invalid.value.no_script_tags [error_message] => #/email_content: Field does not support script content.
All is because of this simple property: width="700"
if I use:
width=\'700\' or width=\"700\" instead of width="700", it does not work neither.
Can you please tell me how to fix this? I got all my code ready to send newsletter to 8000 contacts, why you just don't use the same filter you have on your website tool (Own Code), i don't have problems there, but i need to send multiple newsletter, that's why I need the API.
When are we going to have a real validator? thi is urgent for my enterpresi, and I really don't want to move from Constant Contact, but my boss has less patience than me.
This error can be very frustrating as it offers no feedback what so ever! Why can I create a new email campaign by pasting in html into the advanced editor on the constant contact system, but when I try creating a new campaign with the same HTML via the API/SDK I recieve this error.
Why can't this HTML run through the same validator it does if in the advanced editor? It's very inconvenient creating a new campaign on Constant Contact and then not being able to modify any aspect of that campaign in my API integration as HTML doesn't validate although the advanced editor has not issues with it.
I completely agree with AdamS700. It's frustrating that there's no way to determine the specific element causing the problem.
If you're going to perform validation or filtering of the HTML we're submitting (which is understandable), you absolutely need to provide either the specifics of what you're validating against, or a tool for us to use outside of the API to manually validate our HTML and point out any speficic issues.
View API documentation, code samples, get your API key.
We want to hear from customers like you about your favorite features and how they have helped your business or organization. Tell us by answering a few questions in...Read More