Using personal links allows event participants to access your event with a single click from their email, and avoids the need to set or remember passwords. If you use an iframe to host registration within another website, you must take some additional steps to make personal links work.

This article is aimed at web developers who are designing or maintaining the host website. It assumes the reader is familiar with HTML and Javascript.

Eventsforce Configuration

Normally, when sending a personal link (example: a personal registration link) in an email, you would include the {{PersonalRegistrationLink}} tag in the body of your email to tell Eventsforce to insert the personal link. When registration is hosted in an iframe, you need to provide the link to the right page on the host website, and pass the personal registration link as a URL parameter that the host website can use to set up the iframe correctly. 

For instance, let's say that the host website registration URL is:

https://www.mycompany.com/events/myevent.html

To add a personal registration link to an email we would:

  1. Type the link text (e.g. "Register")
  2. Select the link text and click the "Insert/edit link" button on the toolbar
  3. For Url enter: https://www.mycompany.com/events/myevent.html?url={{PersonalRegistrationLink:URLEncode}}

This sets the destination URL of the link to be your host registration site, and passes the personal registration link as a URL parameter called "url". Note the "URLEncode" parameter within the tag - this tells Eventsforce to encode the personal link in a way that is suitable for use in a URL.

Host Website Configuration

The host website needs to decode the "url" parameter that it has been passed, and set up the iframe accordingly. There are many ways of doing this, in this example we will use Javascript to extract the URL parameter and configure the iframe.

This example assumes that:

  1. Our iframe has an ID of #registration-iframe
  2. Our Eventsforce token URL is https://www.eventsforce.net/mycompany/frontend/xt/token.csp. You can get this URL for your Eventsforce account by inspecting the personal links that are generated when sending emails.

Here is the sample Javascript that extracts the token from the personal link, and uses it to configure the iframe:

jQuery(document).ready(function () {
  // Extract our iframe url from our url. Note that we can't just use the URL, we
  // have to sanitize it.
  var urlParams = window.location.search;

  // Grab the "url=" part
  var linkURL = decodeURIComponent(urlParams.match("url=.*")[0]);

  // Grab the "token=xxxx" part. We want to ignore anything after the token.
  var token = linkURL.match("token=.*");

  // Construct our URL using the token
  var iframeURL = "https://www.eventsforce.net/mycompany/frontend/xt/token.csp?" + token;

  // Set this as our iframe src
  jQuery("#registration-iframe").attr("src", iframeURL);
});

You could also extract the token on the server, e.g. by using custom PHP, Python or Ruby code. The best method will depend on the implementation of your server and CMS.

Note that this is sample code, do not use this in your production website. You should code your own solution in the way that is most appropriate to your CMS, including error handling and any security considerations. 

Security Considerations

Be sure to consider the below security implications to keep your attendees and attendee data safe.

Always sanitize the link

It would seem easier to simply use "url" directly rather than extracting the token and constructing a new URL. Doing this would make your website vulnerable to URL tampering, however.

Using our example above, imagine an attacker constructed a malicious URL like this:

https://www.mycompany.com/events/myevent.html?url=https%3A%2F%2Fwww.maliciouswebsite.com%2Ffakeregistrationform.html

If you do not sanitize the value of "url", your website would show http://www.maliciouswebsite.com/fakeregistrationform.html as the content of the iframe. This would look like the real registration form, but could be used by an attacker to steal personal data, credit card details or other valuable information.

Always use https for the host website

It is essential to secure your host website using https, or the personal link token will be sent unencrypted over the internet. This could be intercepted and used by an attacker to steal personal information, or gain unauthorized entry to your event website.

Other articles you may be interested in:

Did this answer your question?