-
Re: WorldPay Module version 2.0 - Support thread
I'll take your avatar and double it then. I'm still at the "fuming because they won't give me a developer account" stage, most of this programming is done with guesswork since I have absolutely no access whatsoever. Especially that work inspired by Khalil that added the possibility of selecting a method of payment from a drop down or radio buttons, so saving your customers one extra click over at worldpay.
I'd also like Dr Byte or whomever to submit the whole zen cart shopping cart with module to worldpay so that it appeared on that list of shopping carts, which I requested quite some time ago since only a team member can do it.
Philip.
-
Re: WorldPay Module version 2.0 - Support thread
Hello Philip. I am relatively new to all this.
I have 2 websites, one I started in March 09 and left alone with just a couple of demo products on and one that I recently created.
Both sites have the Worldpay module installed and used to work ok.
When I made a test purchase the "thank you" page displayed correctly. However recently (not sure when but must be in the last few weeks), the "thank you" page displays without any pictures or stylesheet information so looks dreadful.
The page will display ok if I save and edit the code on my pc and place <base href="http://www.mywebsite.co.uk/phpshop/" /> before the "link href" tags at the top of the page.
Both my sites do the same despite the later one having Wp module Version 2.10 and the latest Zencart security update installed so it is not anything to do with Zencart or Worldpay module updates. What could this be? as I have 2 sites on different servers both behaving the same and both used to work.:( Surely I can't be the only one:unsure: Peter
-
Re: WorldPay Module version 2.0 - Support thread
I would suggest that you are using IE8 in the parlour with a candle stick.
Over at worldpay you would be at a "secure site",
worldpay sucks the thank you page into your browser,
the browser excludes any "insecure content" like your style sheets
Your page becomes a mess.
That's just a wild guess but I'm pretty sure it's correct. Your browser would have auto-updated one night. So you've debugged it too, congratulations. You have already solved the mystery. My email is listed openly if you click on my name, send me one of the templates you've altered and I'll see what $_SERVER['PHP_SCRIPT'] and $_SERVER['HOST_NAME'] does in the places (plus https etc...) to see if I can construct base href like yours in code so that people don't have to edit it manually.
Thanks
Philip.
-
Re: WorldPay Module version 2.0 - Support thread
Hi Philip, thanks for your quick response.
Yes I am using IE8 HOWEVER I just tried Firefox V2.0.0.2 and Opera V9.64 and I get the same result. Is this a clue to where the problem is?
The original site I started in March and have not updated, just uses the standard Zencart template.
The only other module I had installed on it was the URI mapping module by CEON. Is it possible the .htaccess file needed for the URI mapping in the root on the php site could be causing a problem?... but I have not changed anything since March when it all worked ok. I will try my sites at work tomorrow where we have been instructed not to upgrade to IE8. I do not know where the base ref tag comes from but if it is needed for pages to display on my site, surely it would be needed on the RBS Worldpay page? :smile:
-
Re: WorldPay Module version 2.0 - Support thread
Well you see my "theory" sort of popped into my head a couple of days back when I released 2.10 and noticed the IE8 cross site scripting warning.
The module has always displayed "your" shop page under the domain https://something.worldpay.com so the page is pulled in and then displayed, and I thought, well that's a problem because the img tags for example would be looking on worldpay because of the domain name, or if your site was not SSL then there would be another problem since it would display an "insecure items" warning.
What I reckon has happened is that in "the original" worldpay before RBS, they had a base href added to "your" page when they suck it in to maintain the correct links, and now I reckon that they must have removed it, so I can manually add one pretty easily, I'd just like to see an example template that works. The reason I immediately thought of IE8 is because it's got an anti-XSS filter built in that is supposed to stop cross site domains if it suspects a vulnerability. If it's not working with anything else, then probably someone at worldpay dropped the ball at some unspecified time and if it's dropping the stylesheets then worldpay's machine is not rewriting the URLs correctly and your browser would be looking for a CSS file on worldpay's server rather than your own.
Easy to fix really, the fix won't stop any warnings in IE8 about displaying insecure items on pages (a fundamental problem to do with worldpay sucking the page in and nothing on my end). Just need an example that you say works and I'll plug in the PHP variables to the templates.
Philip.
-
Re: WorldPay Module version 2.0 - Support thread
Hello Philip. I have tried my site (the one I made in March and left alone) in IE7 at work and I get the same result so it is not an IE8 problem. Looks like RBS Worldpay have done something.
Perhaps I should contact RBS worldpay first to try and find out if they have omitted something by accident. I would also like to know if anyone else is experiencing this problem.:unsure:
On the next Worldpay module, perhaps you could change all references and URLs to http://www.rbsworldpay.com/ in case they eventually remove the old ones and links become dead.
I am not sure what I need to send you that works because I haven't got anything that actually works. :no: All I did was save the source code of the "Thank you" page that appears on the rbsworldpay site and add the base ref link at the top of the page and view it. I am afraid I haven't yet grasped the PHP side of it.
-
Re: WorldPay Module version 2.0 - Support thread
Hi, firstly would like to say thankyou to Philip for the great mod and good documentation / help!
Finally got the call back response to work, which is good, but the problem i am facing is the same as petelutonuk where the thankyou page has no styling!
My first thought was it is trying to pick up styles on the RBSworldpay site (which was pretty much confirmed in some earlier posts).
Im happy to add in the base ref tags myself, if you could instruct me to general area of the files i would need to add it to.
Any help would be greatly appreciated,
Scott
-
Re: WorldPay Module version 2.0 - Support thread
Quote: Originally Posted by petelutonuk
Hello Philip. I have tried my site (the one I made in March and left alone) in IE7 at work and I get the same result so it is not an IE8 problem. Looks like RBS Worldpay have done something.
Perhaps I should contact RBS worldpay first to try and find out if they have omitted something by accident. I would also like to know if anyone else is experiencing this problem.:unsure:
On the next Worldpay module, perhaps you could change all references and URLs to http://www.rbsworldpay.com/ in case they eventually remove the old ones and links become dead.
I am not sure what I need to send you that works because I haven't got anything that actually works. :no: All I did was save the source code of the "Thank you" page that appears on the rbsworldpay site and add the base ref link at the top of the page and view it. I am afraid I haven't yet grasped the PHP side of it.
On version 10 all the references go to select.rbsworldpay in line with the changes they will be implementing tomorrow. So I don't know which bit you would be reading. Secondly I have no idea why you want to phone worldpay but what will happen is this, they will say it's your fault or the module's fault, that they changed nothing (there are many references to this in this thread) and then you'll send me the tpl file that works with a base href that works and I'll release a module that works by taking your information and coding it in.
Philip.
-
Re: WorldPay Module version 2.0 - Support thread
Quote: Originally Posted by Ooba_Scott
Hi, firstly would like to say thankyou to Philip for the great mod and good documentation / help!
Finally got the call back response to work, which is good, but the problem i am facing is the same as petelutonuk where the thankyou page has no styling!
My first thought was it is trying to pick up styles on the RBSworldpay site (which was pretty much confirmed in some earlier posts).
Im happy to add in the base ref tags myself, if you could instruct me to general area of the files i would need to add it to.
Any help would be greatly appreciated,
Scott
Do you mean the thank you page on your site ? The base href tag would go in one of the files beginning in tpl_ where the html is but it would be much better if it weren't hard coded, and if I did it based on the domain name and the constants in the shop database, I just want confirmation that I'm going to be putting it in the correct place from someone that appears to have done it already. Reading the thread it should be obvious, but I don't have a worldpay account so I can't test this side of the response "after a payment" except by guesswork or by using something I know that works.
Philip.
-
Re: WorldPay Module version 2.0 - Support thread
Umm when you get taken to RBS worldpay, and enter the credit card details. It then takes you to a thank you page (i think you said worldpay, sucks in that page?!?!)
Umm, this page is styleless as it is trying to pick up the styles from RBS rather than my site.
My thought was to add in the base ref to the thankyou page that RBS pulls in, so it would still pick up the styles from my site.
Maybe i have the wrong idea, and im not on the right track on fixing this problem
Scott
-
Re: WorldPay Module version 2.0 - Support thread
So a thank you page on your shop, yes?
If so you are correct, adding a base href should fix it, and I can do it in the module so it will work for everyone too.
Philip.
-
Re: WorldPay Module version 2.0 - Support thread
Yep a thankyou page from my shop.
OK cool, if you did it in the module....i dont mind testing it out and seeing if it works?
Scott
-
Re: WorldPay Module version 2.0 - Support thread
It will work but only by blind luck and guesswork.
-
Re: WorldPay Module version 2.0 - Support thread
Ok, i had a quick go earlier, and thought i had put it in the correct place.....but i obviously hadnt.
-
Re: WorldPay Module version 2.0 - Support thread
Actually this is what I don't "get", on the front page of a zencart shop picked at random, I look at the source and it says base href=...
and in
Code:
zen-cart-v1.3.8a-full-fileset-12112007/includes/templates/template_default/common/html_header.php
it has that the base href is defined by setting the
HTTPS_SERVER . DIR_WS_HTTPS_CATALOG : HTTP_SERVER . DIR_WS_CATALOG
variables in the define pages, so if it displays on the front of your shop, then where did it go?
-
Re: WorldPay Module version 2.0 - Support thread
well rbs seems to pull in your thank you page, and the url is something similar to this
https://secure-test.wp3.rbsworldpay....xxxxxxxxxxxxxx
The thankyou page, has all the components of your zencart shop, like sideboxes etc apart from the styles and images!
I thought you mentioned in an earlier post that worldpay sucked in the thank you page, bar insecure parts like stylesheets ?!? maybe im wrong and thats from a diff thread.....
-
Re: WorldPay Module version 2.0 - Support thread
What I mean is that when worldpay sucks it in, I'm sure there used to be a base href tag in there and I'm sure they added it. Is there one now ?
-
Re: WorldPay Module version 2.0 - Support thread
o right, no not that i could see.....thats why i thought had to add one in....
I assumed they removed it at some point recently.
-
Re: WorldPay Module version 2.0 - Support thread
since people have started falling to pieces recently I would assume so too.
-
Re: WorldPay Module version 2.0 - Support thread
hmmm yeah
Unless i have something else going on and not what i previously thought...
I had a quick flick through the thread and it seems only recently this has happened to a few people......
You said worldpay are implementing some changes tomorrow? ...could that have anything to do with it?
-
Re: WorldPay Module version 2.0 - Support thread
I think this stems from before then. They mentioned an IE8 alert box that comes up warning customers of security problems, so that is what they were going to fix, and it got me thinking about how they maintained the links on people's sites what with the pulling the pages in, then I thought ahh, they must be adding a base href tag, but since the problem has come up, I guess not.
There'll be a fix this evening which will be published in the add-ins section at some time in the future.
Philip
-
Re: WorldPay Module version 2.0 - Support thread
o right maybe it does stem from earlier on then.
Im not sure that pulling in pages is the best way forward espec if they are not pulling in styles and images......its even a pretty simple fix for them.
Ok well i will look forward to seeing the fix.
Hope it isnt going to be too hard to do!
-
Re: WorldPay Module version 2.0 - Support thread
It'll be an install and go, if I get it right first time and if I don't find anything when I look through the historical archives of the releases that suggest there may be something else at work.
Philip
-
Re: WorldPay Module version 2.0 - Support thread
Hi Philip and Ooba_Scott,
Well done so far, looks like other people will be noticing the problem sooner or later.
I have nothing more useful to add apart from I know I still get the problem in IE7, IE8, Firefox, Opera and the only pages that do not contain the <base href="...."> tag in the source code are the ones from Worldpay. As you say the only place it appears in Zen cart is at /includes/templates/template_default/common/html_header.php I tried "shuvving" the tag in various files but only made matters worse.
I would assume that if the <base href> tag is being passed to Worldpay but does not appear in the source code, perhaps they have some way of filtering it out?
I await a solution and am of course willing to try it out as soon as possible. What worries me is that even if there is a cure now, Worldpay will mess it up further down the line...:clap:
-
Re: WorldPay Module version 2.0 - Support thread
I am going to need version numbers of zen cart and I am going to need copies of shop pages saved when the URL displayed in the toolbar is at worldpay because I have examined the code and it's based on solid ZC foundations, where the base href is defined by default. If you do not have a base href it may be one of two things
- that you have a non standard template that needs one adding to it.
- that worldpay is stripping it out for some reason.
Your zen cart default template is called
Code:
includes/templates/template_default/common/html_header.php
and should have the line in it
Code:
<base href="<?php echo (($request_type == 'SSL') ? HTTPS_SERVER . DIR_WS_HTTPS_CATALOG : HTTP_SERVER . DIR_WS_CATALOG ); ?>" />
If you are using the default ZC template then worldpay is stripping the base href out for some unknown reason. If however you are using someone's template, it may be that the designer has not put the code in a customised header, in which case you will need to find your header file. I can't tell you where this will be as it would depend on your directory structure and the template name, but it will be called html_header.php
There will not be a version 2.11 released because of these reports, because there is nothing I can do. In situation 1) it would be up to you to check that you have the base href code in situ; in case 2) it will be up to you to complain to worldpay.
I would like to see a posting on this forum detailing which scenario it turned out to be though
best of luck
Philip
-
Re: WorldPay Module version 2.0 - Support thread
Hello Philip. I only know a little php, I am better at xhtml but I am now pretty sure Worldpay is stripping out the base href tag. When I can I will contact them, though I would hope someone else will as well, they may take notice then.
I can let you know privately one of my domains so you can look at the code coming back if you wish or I can paste the "Thank you" page to you privately.
I did copy the html_header.php into the common folder in the template I have been using but it made no difference. Whatever template I use, I get the problem.
The base href tag is still on the last page before you are taken to the Worldpay page and I imagine the code is passed to them? It is very frustrating and makes the module basically unusable so they need to do something about it if it is their end. Peter:smile:
-
Re: WorldPay Module version 2.0 - Support thread
Have you added a comment in the html something like
HTML Code:
<!-- oi world pay pay attention -->
just to make sure that you are editing the correct header file and also as more "evidence", because sorry guys but you are on your own on this one. The module is working fine and is referencing the correct default ZC file structure and this is not something the module can override (otherwise it'd bugger everyone's template modifications).
Philip.
-
Re: WorldPay Module version 2.0 - Support thread
Just been on the phone to technical support (who really weren't technical), struggled with the term stylesheets and styles
They are not quite sure why it isnt picking up the styles, but it could have something to do with the changes they are trying to implement.....but she couldn't give me a time frame when they will be finished. She said they were still in test mode.....so who knows.
They are going to test my site and keep me updated, but im not going to hold my breath on them fixing it.....
Scott
-
Re: WorldPay Module version 2.0 - Support thread
You may be interested in this link to the worldpay changes that have/ are taking place in august.
There is also a bit about the 'callback' system....not sure if you have already seen and read this philip (im sure you have)
http://www.rbsworldpay.com/support/b...b=rebrand&c=UK
Scott
-
Re: WorldPay Module version 2.0 - Support thread
Read that, some systems don't allow anything to connect to the worldpay module (the callback system) unless the domain ends in worldpay, that's not us. The reason why is that although it increases security I can't guarantee that with the thousand odd web servers that use this module, that they are configured correctly to look up the host name of incoming connections, plus worldpay has a 30 second time out when it sucks the page in, so there's a real possibility that it could lead to more errors.
This would be simple to add if it were based on ip addresses because then no nameserver look up would be required, but sparky monkeys over there never saw fit to channel things through a constant range of addresses, instead they add them at random. It would have been trivial to bounce all requests through one ip address, but nope they rely on the weak point of the internet, the DNS system.
Philip.
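The host-name check discussed in the post above, sketched as an added example that is not part of the module or of anyone's post in this thread: a forward-confirmed reverse DNS check with the resolvers passed in, so the lookup cost and failure cases are visible. The suffix `gateway.example`, the host names and the addresses are constructed; the function names are hypothetical.

```php
<?php
// Added example: forward-confirmed reverse DNS (FCrDNS) check for the source
// address of a payment callback. Not code from the WorldPay module.
// The suffix, host names and addresses used in the demo are constructed.

/**
 * @param string   $ip       REMOTE_ADDR of the incoming callback (IPv4 only here)
 * @param string[] $suffixes domains the caller's host name may belong to
 * @param callable $reverse  function(string $ip): ?string    PTR lookup
 * @param callable $forward  function(string $host): string[] A lookup
 */
function callback_source_is_trusted(string $ip, array $suffixes, callable $reverse, callable $forward): bool
{
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
        return false;
    }
    $host = $reverse($ip);
    if (!is_string($host) || $host === '') {
        return false;                       // no PTR record: fail closed
    }
    $host = strtolower(rtrim($host, '.'));

    // Compare on a label boundary. A bare "ends with" test would also accept
    // evilgateway.example for the suffix gateway.example.
    $inDomain = false;
    foreach ($suffixes as $suffix) {
        $suffix = strtolower(trim($suffix, '.'));
        if ($host === $suffix || substr($host, -strlen($suffix) - 1) === '.' . $suffix) {
            $inDomain = true;
            break;
        }
    }
    if (!$inDomain) {
        return false;
    }
    // A PTR record is published by whoever controls the address block, so on
    // its own it proves nothing. The name must resolve back to the same address.
    return in_array($ip, $forward($host), true);
}

/** Resolvers backed by the system DNS; both block until the resolver answers. */
function system_reverse(string $ip): ?string
{
    $host = gethostbyaddr($ip);             // returns the IP itself when there is no PTR
    return ($host === false || $host === $ip) ? null : $host;
}

function system_forward(string $host): array
{
    $ips = gethostbynamel($host);           // false when the name does not resolve
    return $ips === false ? [] : $ips;
}

// --- Demo against a constructed DNS table, so it runs offline ---------------
$ptr = [
    '192.0.2.10'   => 'callback1.gateway.example',  // genuine
    '198.51.100.7' => 'evilgateway.example',        // look-alike domain
    '203.0.113.5'  => 'callback1.gateway.example',  // PTR set by the address owner
];
$a = [
    'callback1.gateway.example' => ['192.0.2.10'],
    'evilgateway.example'       => ['198.51.100.7'],
];
$reverse = function (string $ip) use ($ptr): ?string { return $ptr[$ip] ?? null; };
$forward = function (string $host) use ($a): array { return $a[$host] ?? []; };

foreach (['192.0.2.10', '198.51.100.7', '203.0.113.5', '192.0.2.99'] as $ip) {
    $ok = callback_source_is_trusted($ip, ['gateway.example'], $reverse, $forward);
    echo str_pad($ip, 14), $ok ? 'accepted' : 'rejected', "\n";
}
```

Swapping in `system_reverse` and `system_forward` performs two blocking DNS lookups per callback, which is the cost weighed against the 30 second timeout in the post above.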
-
Re: WorldPay Module version 2.0 - Support thread
Yeah did think you would have read it, but thought it was just worth posting to be on the safe side....
Im kinda playing the waiting game now and seeing if what they come back with....or trying to figure out something myself.
Will have to see what they tell petelutonuk, if he manages to give them a call.....he may get told a different story depending on which techy person you speak to. So his person may come up trumps and offer a solution
-
Re: WorldPay Module version 2.0 - Support thread
Well what I suggest is using the techniques used to find xss exploits. What would seem to be happening over at worldpay is that they suck the page through and knock off the <base href tag from header_php.php so what you could do is some of these combinations in your file and see if you can fool the part of their program that recognises the tag.
First of all you need to be 100% positive you are editing the correct file for your layout. the default is at
includes/templates/template_default/common/html_header.php
so if you put
HTML Code:
<!--hello world-->
in that page then you should see it appear on worldpay's suck through page, otherwise you look for other header files in your template override structure
then you would replace the line
HTML Code:
<base href="<?php echo (($request_type == 'SSL') ? HTTPS_SERVER . DIR_WS_HTTPS_CATALOG : HTTP_SERVER . DIR_WS_CATALOG ); ?>" />
HTML Code:
<base \ href=<?php echo (($request_type == 'SSL') ? HTTPS_SERVER . DIR_WS_HTTPS_CATALOG : HTTP_SERVER . DIR_WS_CATALOG ); ?>" />
or
HTML Code:
<base \0 href=<?php echo (($request_type == 'SSL') ? HTTPS_SERVER . DIR_WS_HTTPS_CATALOG : HTTP_SERVER . DIR_WS_CATALOG ); ?>" />
or this should work
HTML Code:
<script language="javascript" type="text/javascript">
document.write('<ba'+'se '+'href="');
</script>
<noscript><base href="</noscript><?php echo (($request_type == 'SSL') ? HTTPS_SERVER . DIR_WS_HTTPS_CATALOG : HTTP_SERVER . DIR_WS_CATALOG ); ?>" />
Philip
-
Re: WorldPay Module version 2.0 - Support thread
Thanks for that Philip......i did have a go yesterday, but my brain was frazzled and i didnt get very far......im feeling more awake today so may give it a go if i get a free minute.
I have already located the file in the template_default and i havnt changed it in my override system so thats easy to find and change.
Bit of a busy day at the office today so may have to leave it till tomorrow
Not really expecting a response from worldpay unless i constantly phone them..
But will keep you all posted on my findings and all
-
Re: WorldPay Module version 2.0 - Support thread
It is ironic that if the changes made are to stop potential xss warnings, that I have to suggest using my xss knowledge to circumvent the issue. I doubt the javascript one would trigger an issue since it is similar in structure to google analytics.
-
Re: WorldPay Module version 2.0 - Support thread
Philip, Just spotted a couple of things in the /includes/modules/payment/worldpay.php file that i would like to double check are correct if thats ok
On line 33 it says 'includes/templates/template_default/templates/tpl_wpcallback_default.php' but that file isnt located in template_default for me, it is in my custom overrides folder.....is that an issue?
Secondly on line 75 the address it points to is https://secure-test.wp3.rbsworldpay.com/wcc/purchase, but the web address i end up on is https://secure-test.wp3.rbsworldpay.com/wcc/card
Could they be causing a problem?
-
Re: WorldPay Module version 2.0 - Support thread
Hello Philip. My brain hurts. I tried various things like hard coding the base href tag in and putting little messages in html_header.php (which did pass through) but Worldpay ARE definitely filtering out the base href tag due to the new security standards. They say that until the 30th September 2009 you can disable the "Enable whitelisting?" setting in your Worldpay Installation Administration page. I did this and BINGO:clap: the "Thank you" and "Order Cancelled" pages display properly... the base href tag is there in the source code. I tried looking at the various sites they point you to for information (www.owasp.org and www.pcisecuritystandards.org) but I got a bit bewildered. I have sent an email to [email protected] (because their stupid contact form doesn't work!) I have explained what the problem is and that it will become a big problem unless they can provide a solution. Something needs to be done or we simply can't use Worldpay with Zencart I imagine. :unsure:
-
Re: WorldPay Module version 2.0 - Support thread
petelutonuk, you obviously had a better phonecall with worldpay than i did....my tech support person was not very technical at all.
I had a look at rbs site again and found the page about the changes and about switching off whitelisting for the time being.....so that will solve the problem for like a month.
But by the end of september it will be back to not displaying the pages properly, due to XSS (i believe this is what philip was thinking they were doing earlier)
Here's the link to the page on worldpay http://www.rbsworldpay.com/support/b...s&sub=xss&c=UK
When the whitelisting (safe attribute thing) gets enforced on 30th sep, its going to cause a lot of problems, with us zen cart users, and i would imagine a lot of other people as well!
-
Re: WorldPay Module version 2.0 - Support thread
Hi, I didn't actually speak to anyone at Worldpay but tried what they said in the emails and all my sites worked including the one I have had for 8 years which is simple XHTML with a php search engine... even that will be going to hell in a hand cart at the end of September. I haven't actually found a list of the permitted code we are allowed to use....I am starting to despair! I just hope they reply with some useful information A.S.A.P. :frusty:
-
Re: WorldPay Module version 2.0 - Support thread
:ohmy::censored::no:Well I got my first email response from RBSWorldpay at 1AM. They asked me if it was just the images and stylesheet that were missing which I confirmed. I received this reply....
By uploading your images and CSS (I have yet to test this) to our WorldPay server via our "Payment Page Editor" through our Merchant Administration Interface should solve the display problem. To reference them, the code is as follows: <img src="/i/XXXX/filename.extension"> (XXXX refers to your installation id)
Please note that your CSS file extension should be in lower caps (eg styles.css instead of styles.CSS). All filenames uploaded to WorldPay server are case sensitive, so if the filename is Mylogo.jpg, on your XHTML file it should point to Mylogo.jpg instead of mylogo.jpg.
Please do not hesitate to contact us should you require our further assistance or clarification.
This looks like a lot of hassle to me and as you can see he has not even tried it, I am not convinced this will work because of the way Zen cart works and would mean the site is not all under the control of the Zencart admin section. I will try uploading a few things to my worldpay installation this evening after work. :bangin:
-
Re: WorldPay Module version 2.0 - Support thread
Yeh i was told the same thing, about uploading images and css to their server, was also told i could make the links absolute
Will be easy enough to make the CSS link an absolute URL, but not sure about images tho
Although i think all my images for the thankyou page are in the styles anyway....so i might be able to get away with it.
Will have to give it a test either today or friday....whenever i get a spare minute really
-
Re: WorldPay Module version 2.0 - Support thread
Well i have made some progress i guess, i converted all the css links into absolute URLS, and now worldpay does pick them up and it is styling it to a degree......but if you do a view source, it doesnt pick up all the tags properly.....it has left out all the </ option> tags etc,
Which isnt good.... and the styles arnt quite right
Just think i need to keep at it and see where i get to
-
Re: WorldPay Module version 2.0 - Support thread
Hi Phillip
I wonder if you could help
i am running the latest version of zencart and the latest worldpay module
I have set it all up according to the instructions you provided, but when i do a test transaction and get directed back to the site the page is missing the stylesheet and images, all the correct content is there and the order is added to the zencart admin but the page doesnt display correctly. I also notice that the url in the address bar is still the worldpay rbs one?
Any ideas, the same thing happens when i click cancel transaction.
Do you think its a test mode issue? or worldpay set up problem?
Thanks for any help you can provide
-
Re: WorldPay Module version 2.0 - Support thread
Hi idlerob, yes, no need to ask Philip just yet, I discovered this last week and it is that RBSWorldpay are now filtering out the <base href tag which refers to the style sheet info and paths to images etc. If you read the last few pages on this thread you will see that nobody yet knows a solution. From what you say, you have not done anything wrong. If I were you, I would wait to see what Philip comes up with and if Worldpay's support can help. In the mean time you can go into your Worldpay admin set up and untick enable whitelist. Your pages should then display ok so you can view them BUT on 30th September Worldpay will enforce the white list...so we need a solution. :smile:
-
Re: WorldPay Module version 2.0 - Support thread
thanks petelutonuk thats a great help, i have disabled that for the time being and will keep an eye out for the update.
cheers
Rob
-
Re: WorldPay Module version 2.0 - Support thread
i hate to say it, but i really doubt there will be an update to it.... there isnt anything wrong with the module that philip has created. The problem has been created at worldpay's end with their new security updates
If worldpay are going to be restrictive on what tags get pulled in, or what they call 'safe tags' then i highly doubt there is anything philip will be able to do.
I have pretty much got around this at the minute by using absolute URLs for the stylesheets rather than them relying on a base href tag.
I am thinking this may be the only way forward
:(
-
Re: WorldPay Module version 2.0 - Support thread
Yes ooba, I agree. I don't want to keep posting every time I move on a stage but below is the latest reply I had from Worldpay. I would suggest that someone who knows a lot more than I do has a good look at it if they haven't already. I am going to keep experimenting and you never know Worldpay could still come up with an answer.
Based on our communication to our merchants as regards to this technical change, there is a link that provides a list of parameters that are accepted by our server. Below is the xml file link of this list of parameters:
http://owaspantisamy.googlecode.com/files/antisamy-1.3.xml
I could not find the base href parameter in this list so I'm afraid this parameter will be blocked by us. What I can do is, I will feedback this to our technical team in UK who can look into this issue to see if there is any reason why this parameter is being blocked. I will give you an update once I got any reply from them. Meanwhile you may wish to try the method I gave earlier in this email to see if it could work for you for this interim period.
Please do not hesitate to contact us should you require our further assistance or clarification.
I don't know if this line in that xml document tells us anything...
base tag removed per demo
-
Re: WorldPay Module version 2.0 - Support thread
Still no response from RBSWorldpay regarding their reason for filtering of all important base href tag. I tried what Philip suggested in post 333 using java script to split up the tag to fool the filtering but I get a blank page after the transaction has been made. Perhaps it is time for Zencart and RBSWorldpay to part company? I have used Worldpay for the last 9 years, perhaps it is time to try someone else, any suggestions?
-
Re: WorldPay Module version 2.0 - Support thread
Bugger guys, so sorry for not replying, for some reason the forum wasn't telling me that there were new posts.
What can I say or do? Hands tied and all that, I suggest vigorous complaints but that's all I can think of. The code
Code:
<script language="javascript">
document.write('<ba'+'se href'+'="http://example.com/" />');
</script>
(you may need https) is sound when I test it; it really does depend on how they are doing their stripping as to whether you can pull it off with more simple html like
Code:
<base \ href="http://example.com/" />
<base \0 href="http://example.com/" />
<base \
href=http://example.com/ />
<base \
href=http://example.com/ />
<base
href=http://example.com/ />
<base
href=http://example.com/ </div>
<base
href=
http://example.com/ </div>
<base/worldpay
href=
http://example.com/ </div>
<base/worldpay
worldpay/href=http://example.com/ </div>
The above will work on Firefox 3.0 for setting a base href tag; the enters are deliberate, as is the obfuscation. Remember you may need to use https. If anyone would like to have an off-topic conversation about filter evasion techniques, I am happy to point them in the right direction.
If that little lot doesn't work (and honestly it doesn't with strip_tags() in PHP) then I'll try some increasingly more desperate measures.
Philip.
-
Re: WorldPay Module version 2.0 - Support thread
To be honest, if they are doing all these security measures to stop XSS, and only use safe tags... then I would assume they are going to cover all possible workarounds that people might use to get them to accept their tags... so sadly I don't think any of these genius ideas are going to work :( (I did try a few last week, with no luck)
In the end I hardcoded the absolute links in, and it is semi working... I'm just trying to do a bit more work on why it isn't picking up all the styles correctly, then hopefully the problem is pretty much fixed for me. Luckily my client hasn't started jumping up and down yet :S
But thanks Philip for your ideas and efforts :)
-
Re: WorldPay Module version 2.0 - Support thread
Having had a look at their antisamy spec, if their filter is any good and the obfuscation does not work, then there's not much chance since they have rigged the stylesheet tags to use on text/css (you can set them text/html) and @import and LINK tags are similar or disabled entirely.
I'm still looking for something, the script tags are not mentioned and I assume anything not listed is stripped, but what is strange that the file mentions id listed as
Example policy file (far too permissive for production use)
which is lunatic. ANTISAMY is not designed for this. It's designed to allow users to enter things into a text box and to see the results without having malicious tags entered; it is not designed to pull in a third party application and then filter it and display it. Yes Worldpay could be attacked using XSS but only after a transaction was made and completed and the card verified. I possibly (this is on the outskirts of possibility) could write a conversion program for the module where you have to run your templates through it and it could create full url links if you like? I can't alter "the module" by default as you "the users" could be using any kind of template and styles so there is no default (you could be pulling new items, there could be database driven items showing best selling things), you have sideboxes that might be hardcoded)....
I'll have a think, but I suggest £20 a month gets you a PayPal Pro account with a virtual terminal where you can take numbers over the telephone and the modules are more advanced, which seems cheaper and better than a company that seems intent on destroying its client base.
Philip.
-
Re: WorldPay Module version 2.0 - Support thread
Yeah totally agree with you
I have a feeling they are going to lose a lot of business through this new antisamy thingy... if a client asks what payment gateway to use, def will not be suggesting worldpay!
But sadly client already has had a worldpay account and has been using it in the past... so I don't think I will be able to persuade him to change anytime soon.
Set up protx a couple of times, and that was perfect, no problems at all.
Their thing doesn't seem to pull in all the tags anyway, I had a quick look at the source code last week and I noticed it was pulling in the <option> tag, but it was never pulling in the close tag for it... They surely can't be filtering out only the close tag... but I wouldn't put it past them at the minute tho, haha
Yeah I'm still trying to think of a solution, but running out of options and solutions
-
Re: WorldPay Module version 2.0 - Support thread
If none of the above code works then I doubt it's possible. I've been looking at that "permissive" owasp filter and they've crippled any webpage that is not plain text with fully formed links.
Unless there's an article in the knowledge base about how to bypass the sucking in process (and then they have adding a whole new feature), I fear that everyone is going to be hard coding this weekend. Or whenever they find out... (cue months of answering the same questions over and over...)
Philip
-
Re: WorldPay Module version 2.0 - Support thread
Haha yeh, well come the 30 of Sept, when they make it compulsory... then people who already have this mod will all be coming across the same problems :S
I am happy to try and answer people's questions when the floods come in! haha
-
Re: WorldPay Module version 2.0 - Support thread
I emailed support at worldpay on Friday asking about why the base href tags get filtered and why they don't pick up all of the close tags properly... and apparently they are aware of this issue and are currently investigating. They suggest turning off the whitelisting for the time being.
So it sounds to me that probably enough people have complained and asked questions about this issue for them to look into it and fingers crossed find a solution!
Might be a good idea to keep checking worldpay news and updates section to see if they have fixed this issue :)
-
Re: WorldPay Module version 2.0 - Support thread
Hi Philip,
We have an affiliate program in place on our site - it used to track all the affiliate transactions before - and the hidden tracking url was placed in tpl_checkout_success_default.php . At the moment after installing your module it only tracks the paypal orders --- Which tpl page is getting displayed by a worldpay module on the checkout --- is this --- tpl_modules_wp_checkout_success.php ???
In the previous module we had
PHP Code:
// Fetch the order subtotal for the affiliate tracking tag.
// The order id is cast to int so it cannot change the SQL statement.
$order_total_query = "SELECT value FROM orders_total
WHERE orders_id = " . (int)$zv_orders_id . "
AND class = 'ot_subtotal'";
$webgains_total_query = $db->Execute($order_total_query);
$webgains_total = $webgains_total_query->fields['value'];
Set up in the header - of a success file -- to get a total of the order and then to be able to display it in the hidden tag on the wp_callback success?? am I right??
-
Re: WorldPay Module version 2.0 - Support thread
That's reasonably correct, although displaying a hidden tag may be tricky if you read the above emails, since worldpay is filtering html on their side when they draw the page in,
Philip.
-
Re: WorldPay Module version 2.0 - Support thread
1. When i try the white listing on our site it doesn't return to the site at all - the order gets created but it does not go back to the shop.
Sorry, there was an error in the processing of this payment.
Please contact RBS WorldPay with details of your error if the problem persists.
Server information 28/Aug/2009 09:36:52 Server ID mg1imscs5pa (WPReq-4842)
2. It would be ideal if we could display the continue button on the worldpay success page which would take you to the standard zen cart success page with the order number like it was implemented in the old worldpay module -- would that be a problem for you to implement??
3. Spoke to worldpay and they will definitely implement it... We are thinking of switching to protex
-
Re: WorldPay Module version 2.0 - Support thread
1) would be a worldpay problem
2) no not unless you would like people to mark goods up from your shop as paid and then you send them out only to find out that worldpay has been bypassed (because that button html code would need to contain your payment response password if I were to code it into the module)
3) implement what? I think worldpay have killed themselves on this one. The trouble is that the amount of modifications and template changes that people make, which make ZC flexible, means it needs the base href tag of an entirely different engine to run it. I imagine some shop with limited template options or an engine that replaces links in templates, would work but then that's not ZC
-
Re: WorldPay Module version 2.0 - Support thread
Yep they are making the whitelisting compulsory on September 30th. BUT it still has some serious flaws.
I pointed this out to them (probably along with many others as well) and they are apparently looking into it and will notify me with an answer as to why / a fix.
Basically they do not pull in all the close tags, which in turn causes the stylesheets not to be implemented properly, making the thank you page look pretty bad.
Ofc you can't rely on them to get back to you, so I will keep pestering them, in a week or two for some progress.
I have used Sagepay (protx) on a couple of other zen cart sites recently, and it has all gone ok without any problems... of course swapping over is an option. But if your client/you have already done all the leg work to get worldpay set up then is it worth starting again and getting sagepay set up.
For me I don't like to give up and I'm determined to get the worldpay sorted (also my client only has a worldpay account, and only wants to use them)
-
Re: WorldPay Module version 2.0 - Support thread
I also emailed Worldpay support just to see what the progress was on this base href tags and this is the response I received:
We are still looking at the possibility of allowing base href tag. I will keep you updated once I get any information from our technical team in UK.
I will give them a week but after being on the verge of launching for my site a while now as I wait to know all the changes needed to take place, I guess I better start looking for alternatives.
I did notice though they changed the whitelist date to October 14th.
I will let you guys know if I hear anything further. And Philip, thanks again for all the effort you have put into making the module work.
Khalil
-
Re: WorldPay Module version 2.0 - Support thread
since they pull the page from "a domain" then it would be trivial to complete a pattern match to limit the base href to "a domain". The other thing that is going to really put a spanner in the works is for people with customised templates, since they are killing javascript, so bang goes any drop down menus, and if I recall, the xml spec that was posted killed external stylesheets, now I know a lot of people don't do this, but there are accessibility issues then for the disabled or even for printing out the page as a "receipt".
What I find remarkable is that I think these modifications are entirely unnecessary. The main use of an XSS attack would be to present false information to the user (I have some knowledge of this and you may want to read this article about me :smartalec: and the concept from last week)
http://www.theregister.co.uk/2009/08...mail_xss_flaw/
To achieve an XSS attack on the WorldPay website in the manner they are trying to avoid, one would have to send out a mass email getting someone to go to a shop, buy something, pay for it, then either
- have the victim's cookies stolen on a successful transaction and then a naughty hacker who had penetrated the website already (because they'd have needed to plant the tags to execute the cookie stealing code) would change the delivery address. This is exceptionally unlikely since the attacker/ cracker/ bad guy (my colleagues berate me for using the term hacker incorrectly) would already have been able to plant information, read data from the database by reading includes/configure.php so it would be a big waste of time and not very productive, it's much easier to redirect the WorldPay/ other payment module form if one is on the server to complete a transparent man in the middle attack)
- present information under the WorldPay URL in the browser window that would be used to con people out of money which is very very unlikely since the victim would already have handed over the money. This attack relies on drawing in the information from a third party, but the cracker's already had access to the shop server so...
There's an easier way to do this which worldpay would have no defence against. One would create a "fake shop" or steal one, offering bargain goods, the attackers in this case would then be the shop owners or someone that had hijacked the shop complete with WorldPay details.
Instead of the "success" page one would swap it out for a totally new page that would say "your Mastercard secure code has not been accepted, please enter your details again". That new page could be correctly referenced without the need for a base href, would be displayed under the WorldPay URL and would pass all of their OWASP checks as it's not even cross site scripting, it would be a form (** see note at bottom) which would then post all of the data to Mr Bad Guy. Now that is a believable and real attack scenario.
This smacks of somebody not thinking things through, incorrect interpretation of a middle management instruction or misunderstanding the concepts. Someone may want to point WorldPay in the direction of this post since I do not have a WP merchant account and therefore no phone contact.
Philip.
** from their antisamy xml specification
HTML Code:
<tag name="form" action="validate">
which means they allow it through.:oops:
-
Re: WorldPay Module version 2.0 - Support thread
Philip,
I responded to their email and basically told them that this decision is a make or break for me, because the resulting web page looks totally unprofessional. Their response was:
I will feedback your concern to our technical team in UK. My apologies for causing you inconvenience.
In all fairness to the guy I am in contact with, he is just a middle man.
However, I have copied your reply verbatim and asked him to forward it to their technical team for comment. I will let you know what kind of response I get.
Thanks again,
Khalil
-
Re: WorldPay Module version 2.0 - Support thread
I do know that you Khalil have the coding skills to implement a page without needing the base href tags, but most shop owners will not be able to.
Below are images from the RBS worldpay site. These are XSS vulnerabilities on their very own website which took me less than 10 minutes to find this morning. :oops:
You'll see an Iframe with this thread appearing in it
http://www.3xlock.com/rbs_xss.png
and then a JavaScript alert which means that the site could be entirely under the control of a "bad guy".
http://www.3xlock.com/rbs_xss1.png
They should consider solving their own real problems before pointing the finger at other people's products.
Philip.
-
Re: WorldPay Module version 2.0 - Support thread
Hi Philip,
I've installed the latest module and all is working fine apart from the return page from worldpay.
The return page is stripping out the:
<base href="http://binderee.deewhy.ie/" />
Therefore some of the images are missing. I've fixed the stylesheets by forcing the complete url in the header but the site is not looking right at all.
The site url is http://binderee.deewhy.ie
Any help would be appreciated.
Thanks,
Philip Hayes
-
Re: WorldPay Module version 2.0 - Support thread
If you read the previous page, you'll find that this was a recent worldpay development where some idiot in the RBS decided to implement a stupid policy that achieves no useful purpose.
The only suggestion that anyone can make is that you manually link every item and link in your templates because unfortunately there's bugger all the module can do to things once they are over worldpay's side.
Philip (the very p*ssed off module maintainer).
-
Re: WorldPay Module version 2.0 - Support thread
Thanks for the quick reply, I missed that from the previous threads.
I'll try and hardcode all the problematic links.
Great module btw, thanks for all your hard work on this.
Philip
-
Re: WorldPay Module version 2.0 - Support thread
Thanks again Philip,
I got a little impatient and emailed them again asking for an expected date on the decision whether they will or will not fix this. Here is the response I got:
I can confirm that this issue has been raised with our IT department along with some other changes we have raised with the whitelist and we are still awaiting a definite response on each of these issues.
We would expect to hear back on these certainly before September 23rd when the whitelist goes live however I cannot give you an ETA on this.
I would also suggest looking into changing the URL's on the result page to absolute URL's if possible as this will resolve the issue without the need for the base href tag in the meantime.
My apologies for the inconvenience caused by this.
I guess if I want to continue with Worldpay and launch sometime this century I will have to make the necessary change. I just wonder what else they may have in store down the road...
Khalil
-
Re: WorldPay Module version 2.0 - Support thread
I had already implemented this change of doing absolute URLs... but for me it still didn't quite fix it, as Worldpay were not pulling in the closing tags of <li>'s or <options>'s so the CSS was still not working correctly!!
I raised this with them ages ago as you have done... and I also get the same responses, that they are looking into it and everything! I will be chasing them again myself next week probably and seeing what response I get.
If you do decide to do the absolute URLs way, I would still recommend checking that it is pulling in all the other closing tags etc.
The worst thing for me is, I have just had a new client come on the books who already has a worldpay account, but is unaware about the problems they have been having! So looks like I'm going to have another Worldpay site to try and fix! ...uh oh
-
Re: WorldPay Module version 2.0 - Support thread
Hello,
are the following changes included in Version 2.10?
"Reminder: Technical Changes Affecting Payment Processing
Dear Customer,
We would like to remind you of several service updates that we have previously notified you about.
PCI DSS changes - technical changes occurring between the 16th September and 27th September:
16th September: Payment Notification (Callbacks) IP Address Changes
17th September: Secure Test Environment and the Payment Page Editor will be unavailable for up to (approx) 4 hrs (rescheduled from 10th September)
26th September: Risk Management Service will be unavailable for up to (approx) 2 hrs
27th September: Recurring Payment Service (FuturePay) will be unavailable for up to (approx) 2 hrs
Subsequent changes / maintenance slots that have previously been communicated have also been rescheduled – more information on our Business Gateway Service News & Updates Page
Payment Pages - technical changes on 23rd September:
technical change that could affect display of RBS WorldPay payment pages
Please Get Ready: It's important you review these changes and, where indicated, cascade the information to those responsible for your website and its technical set-up beforehand, in order to ensure you can continue to accept payments without disruption when we make the changes."
-
Re: WorldPay Module version 2.0 - Support thread
Well I got a response from Tech Support:
We are starting to receive feedback from IT on the list of issues we've raised and unfortunately the base href tag will remain filtered for security reasons.
We have raised the issue with the li and option tags which was also raised by another ZenCart merchant and hope it will be possible to resolve this particular issue, please accept my apologies for any inconvenience caused by this in the meantime.
I believe I will start looking for another gateway...
Khalil
-
Re: WorldPay Module version 2.0 - Support thread
I declare this module closed since worldpay has made it unfeasible for the "normal" person to display a shop receipt.
THIS MODULE IS CLOSED
-
Re: WorldPay Module version 2.0 - Support thread
Hello Folks, well this is so sad as I think the Worldpay module works very well. I had a feeling this would be the outcome. We will be closing our account with Worldpay and sending them a strongly worded letter and demanding our annual rip off fee back from them which we recently renewed. In the mean time we will continue using Paypal till we are sure no other merchants are going to introduce the same measure that Worldpay have done. Well done for designing this module Philip, keep up the good work. Peter. P.S. I will certainly not be recommending Worldpay to anyone and would hope others here will follow...
-
Re: WorldPay Module version 2.0 - Support thread
Quote:
Originally Posted by
philip_clarke
I declare this module closed since worldpay has made it unfeasible for the "normal" person to display a shop receipt.
THIS MODULE IS CLOSED
Hi Philip
What does this mean? I currently have your worldpay module installed. I've not tested it since reading this post. Will it currently work?
When you say "normal", has something changed?
I'm panicking a little here.
I noticed that RBS sent me some emails regarding changes that will be made next week.
Jason
-
Re: WorldPay Module version 2.0 - Support thread
Spoke to worldpay - and apparently they are looking into allowing base href tag -- and there are few extra restrictions still in a test mode that will be removed before it goes live. Please don't leave us Philip
-
Re: WorldPay Module version 2.0 - Support thread
Quote:
Originally Posted by
JasonRocket
Hi Philip
What does this mean? I currently have your worldpay module installed. I've not tested it since reading this post. Will it currently work?
When you say "normal", has something changed?
I'm panicking a little here.
I noticed that RBS sent me some emails regarding changes that will be made next week.
Jason
Your shop will not have been working for a very long time already. These aren't to do with future changes, worldpay has stripped the BASE (and SCRIPT) tags from your receipt payment page already.
This basically means your customers have been presented with a page where the layout falls to pieces, any scripts fail to work, no images display, no links work etc...
Basically the only option would be for you to go into your templates and handcode everything now, immediately. It can't be done automatically (by me) because everyone has different template structures so has to be done on a case by case basis. This makes the worldpay gateway unworkable for ZC's structure.
The story is told over the last few pages, but basically some stupid middle manager has got the wrong idea into their head and killed the system because of "security", when I've proven that it's not an issue and they have bigger security problems on their own website (look for the screenshots).
Nothing I can do.
-
Re: WorldPay Module version 2.0 - Support thread
Hi. I have World Pay and Zencart. I have read the posts about the updates and i wanted to ask something else.
The errors I have are basically for Callback failure but the customer payments go through. The problem I have is that zencart doesn't empty the cart nor register the order after the order has been made and a person has paid.
Can this at least somehow be fixed? It was quite a hustle to get World Pay in the first place and I would really not want to change the gateway due to this. Is there anything that can be made to still use the module and have some sort of a solution?
-
Re: WorldPay Module version 2.0 - Support thread
Quote:
Originally Posted by
fgcity
Can this at least somehow be fixed?
In the current climate that is a very rude question to ask as it suggests that the module is broken. You are lucky to get any kind of response. YOU have either
- not set up suhosin correctly,
- set up your payment response password incorrectly either in Admin or at WorldPay
- are on an internal network where worldpay cannot access your system
- worldpay has not set your payment response password correctly
- worldpay is caching an old password or no password at all and will not clear until it feels like it.
- your session settings are incorrect in configuration.
all of these points have been addressed in this thread many times.
-
Re: WorldPay Module version 2.0 - Support thread
Quote:
Spoke to worldpay - and apparently they are looking into allowing base href tag -- and there are few extra restrictions still in a test mode that will be removed before it goes live.
jszemmel, seems we have conflicting responses. My reply was dated Sept 8. Can you expand a bit more on the response you got please?
Thanks,
Khalil
-
Re: WorldPay Module version 2.0 - Support thread
Quote:
Originally Posted by
jszemmel
Spoke to worldpay - and apparently they are looking into allowing base href tag -- and there are few extra restrictions still in a test mode that will be removed before it goes live. Please don't leave us Philip
Hi jszemmel
I hope you can keep us up to date with anything else they come back with. Thanks
-
Re: WorldPay Module version 2.0 - Support thread
Well after complaining yet again about any movement here is the response I received:
My apologies for this, to give you some background the reason these changes may not have been as satisfactory as we'd hope is that we are working to a deadline from Visa / Mastercard to become fully PCI compliant by the end of September which has been a massive operation for development and has meant that with the whitelist we have had to be more strict than is possibly necessary.
We will be revisiting any outstanding issues and working to minimize the impact as much as possible following this and I would imagine any serious problems once this goes live will be quickly addressed.
I am sorry that this has been an inconvenient time to sign up and that information has not been as clear as we would hope in this matter.
For your information our complaints procedure is detailed at:
http://www.rbsworldpay.com/support/i...omplaints&c=UK
And our cancellations form at:
http://www.rbsworldpay.com/support/bg/cancellations/
I have decided to switch to InternetSecure because who knows how long this will take.
Philip, again thanks for all the work.
Khalil
-
Re: WorldPay Module version 2.0 - Support thread
Could I just please confirm something?
I processed a test payment through. I can see what happens to the Thank you page (it looks completely messed up) and I know why due to reading earlier posts.
But the payment still seemed to go through and I received both rbs and zencart email receipts to confirm this. So, am I right to say that payments still work?
If I work out how to correct the thank you page by hard coding absolute links etc then that will be the problem over?
Has anyone been able to fix their thank you page yet by hard code?
And thanks Philip for your response to my earlier post and I hope there may be a way to carry on with this module.
-
Re: WorldPay Module version 2.0 - Support thread
It depends on your templating system, the removal of the base href tag and then you recoding into files may very well harm the rest of your site depending on how it is configured. There's no way to know hence why I can't issue a patch.
Philip.
-
Re: WorldPay Module version 2.0 - Support thread
Quote:
Originally Posted by
philip_clarke
It depends on your templating system, the removal of the base href tag and then you recoding into files may very well harm the rest of your site depending on how it is configured. There's no way to know hence why I can't issue a patch.
Philip.
Good Morning Philip and all,
I'm not a coder and don't really know what i've done but it works for me and should work for others and i'm sure those of you who actually know what they are doing can make this work as a temp patch for everyone or maybe not, but this does work for me.
Make folder wp_callback
includes/templates/YOUR_TEMPLATE/wp_callback
Copy the following files into this folder and they will act as an override
and not overwrite the main files of the Worldpay module or other files
for that matter.
includes/templates/template_default/templates/tpl_modules_wp_checkout_cancelled.php
includes/templates/template_default/templates/tpl_modules_wp_checkout_success.php
includes/templates/template_default/common/html_header.php
includes/templates/template_default/common/tpl_header.php
includes/templates/template_default/common/tpl_footer.php
includes/templates/template_default/common/tpl_main_page.php
Copy the contents of includes/templates/YOUR_TEMPLATE/css
to
includes/templates/YOUR_TEMPLATE/wp_callback
Edit the html_header.php and hard code the location of your stylesheets
<link rel="stylesheet" type="text/css" href="http://YOUR_WEBSITE/includes/templates/YOUR_TEMPLATE/wp_callback/stylesheet.css" />
<link rel="stylesheet" type="text/css" href="http://YOUR_WEBSITE/includes/templates/YOUR_TEMPLATE/wp_callback/stylesheet_css_buttons.css" />
<link rel="stylesheet" type="text/css" media="print" href="http://YOUR_WEBSITE/includes/templates/YOUR_TEMPLATE/wp_callback/print_stylesheet.css" />
You can now edit the css sheets in order to change anything you might need to change for the Worldpay callback page.
In both the
tpl_header.php and
tpl_footer.php you can make adjustments as or if needed.
Edit tpl_main_page.php and turn off the sideboxes for this page as none of the graphics will be working anyway. Look for this
and make changes as needed.
* to turn off the header and/or footer uncomment the lines below
* to turn off the left and/or right columns uncomment the lines below
* $flag_disable_header = true;
* $flag_disable_left = true;
* $flag_disable_right = true;
* $flag_disable_footer = true;
I've tested this on both versions 1.3.7.1 and 1.3.8a
This override will only affect the worldpay return pages and no others so if it doesn't work for you just delete the folder or rename it and you haven't messed with any of the working files of this fine module.
I hope this helps someone as I would hate to lose this module; it works perfectly for me and I would think from what I've seen here it is more secure than most if not all of the other payment modules available.
-
Re: WorldPay Module version 2.0 - Support thread
Hint 1
One thing to mention first. When editing files and then ftping them up, you need to have your browser open with your shopping cart page displayed with something in it and hit reload or press F5 every minute or so; this will stop your session timing out, otherwise you'll end up having to log in frequently, which is more time consuming to see your changes.
Hint 2
Above is a good and comprehensive guide. There is a way to test exactly what your customer will see when worldpay sucks things in.
What's not mentioned is that to see how badly screwed up worldpay makes your site, you need to remove the base href tag from
includes/templates/template_default/common/tpl_header.php
PHP Code:
<base href="<?php echo (($request_type == 'SSL') ? HTTPS_SERVER . DIR_WS_HTTPS_CATALOG : HTTP_SERVER . DIR_WS_CATALOG ); ?>" />
by changing it to
PHP Code:
<!--base href="<?php echo (($request_type == 'SSL') ? HTTPS_SERVER . DIR_WS_HTTPS_CATALOG : HTTP_SERVER . DIR_WS_CATALOG ); ?>" /-->
<base href="http://rbsworldpay.co.uk" />
This will screw your site up ! But this way you know the exact extent of how bad the missing base href tag is and will generate lots of 404's not found over at worldpay's site, but it's the best way to see how bad things are.
The other thing to mention is that template_default may not be the template you are using to copy the files over to/from the new folder, because you may already be using an overriding template. What you need to do is put
HTML Code:
<h1>HELLO WORLD 1</h1>
and then 2 and then 3 etc.... in any file you find where the folder and filename ends in
common/html_header.php
which will tell you which one to copy over.
Once you've done all of the editing it's best to still have the base href tag removed, put something in your shopping basket and go to world pay, then hit the cancel button on worldpay's website that will bring up the set of templates that you would have been editing
If the cancel page displays correctly (and you can hit f5 to refresh it if you need to reedit, and upload) then there is a good chance that you can go and make a payment in test mode and see if the final page works. The final page is ONE SHOT meaning that it will dump your shopping cart and try and redirect you, so you can't edit and then hit reload, you need to play around with the cancelled transaction page.
After you've done all this (and this is why I can't program the module to do this automatically), you can then "finally" put the base href tag back.
Philip.
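Added example (not part of the original post, and not code from the WorldPay module): an offline version of the check described above, run against a saved copy of the result page instead of breaking the live template. It lists which references stop pointing at the shop once the base href tag is stripped and the page is rendered from the payment host, and which would be excluded as insecure content on an HTTPS page. The hosts `shop.example` and `payments.example` and the sample page are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample of a saved result page; not taken from a real shop.
SAMPLE_PAGE = """<html><head>
<base href="https://shop.example/phpshop/" />
<link rel="stylesheet" href="includes/templates/custom/css/stylesheet.css" />
<script src="http://shop.example/phpshop/jscript/menu.js"></script>
</head><body>
<img src="/phpshop/images/logo.gif" alt="logo" />
<img src="https://shop.example/phpshop/images/card.png" alt="cards" />
<a href="index.php?main_page=index">Back to shop</a>
</body></html>"""

URL_ATTRS = {"link": "href", "a": "href", "img": "src", "script": "src"}


class RefCollector(HTMLParser):
    """Collect the <base href> and every URL-bearing attribute in the page."""
    def __init__(self):
        super().__init__()
        self.base = None
        self.refs = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "base" and attrs.get("href"):
            self.base = attrs["href"]
        elif tag in URL_ATTRS and attrs.get(URL_ATTRS[tag]):
            self.refs.append((tag, attrs[URL_ATTRS[tag]]))


def audit(page_html, served_from):
    """Return (tag, ref, status) for each reference once <base> is stripped
    and the page is rendered at `served_from` (the payment host, HTTPS)."""
    collector = RefCollector()
    collector.feed(page_html)
    shop_host = urlparse(collector.base or "").netloc
    findings = []
    for tag, ref in collector.refs:
        resolved = urlparse(urljoin(served_from, ref))
        if resolved.netloc != shop_host:
            status = "broken: resolves to " + resolved.netloc
        elif resolved.scheme != "https" and tag != "a":
            status = "insecure: http resource on an https page"
        else:
            status = "ok"
        findings.append((tag, ref, status))
    return findings


if __name__ == "__main__":
    print(*audit(SAMPLE_PAGE, "https://payments.example/callback"), sep="\n")
```

Only references that are already absolute `https://` URLs on the shop's own host come back as `ok`; everything else is what shows up as missing styles and images on the cancel and success pages.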
-
Re: WorldPay Module version 2.0 - Support thread
Thanks Bigenuf and Philip
Your instructions will be a big help.
Philip you can't refresh the cancel page as it redirects you to another page.
Bigenuf. I've been able to use your instructions and make this work for me. Although, at the moment I've kept the head and side bars on as currently you only need to turn off whitelisting in RBS in order to keep using the base tag until it is enforced at the end of this month. But at least I now know I can sort of fix this.
I also added my concerns to RBS worldpay and received a very quick response shown below.
Thank you for your email on 10.09.2009 about the recent changes in our system.
I am sorry that you experience issues using the payment service since we have implemented a series of changes on our platform to comply with the latest PCI DSS standards.
We are fully aware that this is affecting our customers who are using Zencart and we have highlighted that this is causing issues with the payment process.
Adding the <base href> tag onto our whitelist is currently being looked into.
Hopefully we are able to correct this issue as soon as possible. We have acknowledged your complaint and added it to list.
-
Re: WorldPay Module version 2.0 - Support thread
Well after the last email, I suggested that they forward my complaint for me to the customer service center rather than making me fill out another form. Here is the response I got:
I am sorry to hear that you are experiencing issues with the changes implemented on our platform to comply with the PCI DSS standards and that you are thinking of leaving RBS Worldpay.
I can confirm that we have acknowledged this as a complaint.
I can assure you that we are fully aware of the impact this has on the payment process of our customers using Zencart. Our development department is still in discussion about adding the <base href> tag to the whitelist. I can assure you that this is currently treated with highest priority.
I can understand that it must be frustrating and I am sorry to hear that you have the feeling that we have ignored a segment of our customer base and needs.
Please let me know if you want me to update you once a decision on adding this tag to the white list has been made.
Again though, as Philip has stated, instead of properly working with him to discuss the issues, they have instead decided to blame the module first THEN after many complaints acknowledge that they need to "discuss it". This to me is just bad customer service. If they were really interested in helping us they would initiate contact with him and resolve the issues real-time instead of discussing it among themselves.
-
Re: WorldPay Module version 2.0 - Support thread
http://www.theregister.co.uk/2009/09...ecurity_snafu/
Looks like someone found a SQLi vulnerability in rbsworldpay published similar to the XSS one I published last week.
@JasonRocket if I get time I'll teach everyone how to hack their website so that they can see the cancel page repeatedly, I was doing that this morning, but it's a bit involved.
@khalilm - if they mention PCI DSS one more time I'll probably kill someone, as I demonstrated here, they don't understand it, and "a bad man" (especially since just now someone published the template details and locations) could just shove a form up demanding more money on behalf of worldpay.
(note there's nothing wrong with us knowing our template details nor how to change them, in fact we should know this information)
-
Re: WorldPay Module version 2.0 - Support thread
Quote:
Originally Posted by JasonRocket
Thanks Bigenuf and Philip
Your instructions will be a big help.
Philip you can't refresh the cancel page as it redirects you to another page.
Bigenuf. I've been able to use your instructions and make this work for me. Although, at the moment I've kept the head and side bars on as currently you only need to turn off whitelisting in RBS in order to keep using the base tag until it is enforced at the end of this month. But at least I now know I can sort of fix this.
I also added my concerns to RBS worldpay and received a very quick response shown below.
Thank you for your email on 10.09.2009 about the recent changes in our system.
I am sorry that you experience issues using the payment service since we have implemented a series of changes on our platform to comply with the latest PCI DSS standards.
We are fully aware that this is affecting our customers who are using Zencart and we have highlighted that this is causing issues with the payment process.
Adding the <base href> tag onto our whitelist is currently being looked into.
Hopefully we are able to correct this issue as soon as possible. We have acknowledged your complaint and added it to list.
It appears they have 2 deadline dates.
September 23rd 2009: we will activate our list of permitted HTML tags for all live payment pages for all customers. At this point any visual impairment to the design of your payment pages caused by the measures we are taking to prevent cross site scripting will be visible to your shoppers. If this causes an issue for your payment pages you can remove the list from your installation via our Merchant Interface (see Disabling and Re enabling Whitelist in Technical Notes below) up until the 14th October 2009 from when all installations will work with the list of permitted HTML tags without exception.
We will update you with further details nearer the time letting you know when to start reviewing your payment pages in the Test and Production environment.
And thanks Philip for the input. Like I said, I'm not a coder and don't pretend to be, I just make things work for me.
As a last resort with the overrides might we be able to just make a generic page that customers come back to with the RBS logo, and anyone who has the skill or wants to change that page can, but at least this will keep the module going.
This module functions great even with the whitelisting and a customer coming back to a messed up page; the mechanics of the module still do their job.
-
Re: WorldPay Module version 2.0 - Support thread
Quote:
Originally Posted by Bigenuf
It appears they have 2 deadline dates.
September 23rd 2009: we will activate our list of permitted HTML tags for all live payment pages for all customers. At this point any visual impairment to the design of your payment pages....
I think everyone should just knock off their base href tag and have a look at exactly what that means and how bad a big long list of blue links on a white page with no images looks. In fact it's screen grab time.
This is what worldpay will do to your site
This is how it appears in any browser after your customers have paid as you and shows each scroll down the page.
http://3xlock.com/zc_rbs_destroyed_layout.png
http://3xlock.com/zc_rbs_destroyed_layout1.png
http://3xlock.com/zc_rbs_destroyed_layout2.png
http://3xlock.com/zc_rbs_destroyed_layout3.png
http://3xlock.com/zc_rbs_destroyed_layout4.png
http://3xlock.com/zc_rbs_destroyed_layout5.png
http://3xlock.com/zc_rbs_destroyed_layout6.png
Quote:
Originally Posted by Bigenuf
As a last resort with the overrides might we be able to just make a generic page that customers come back to with the RBS logo and anyone who has the skill or wants to change that page they can but at least this will keep the module going.
The last resort looks probable, I can almost certainly give an option to dump everything except a central link and table with the "receipt" inside it with black text, white background, possibly the shop logo, and a blue text link back to the front page. It'd dump the templating system all together. I may even be able to stick an option in the module to enable that page so people could have something temporary as a holding place while they sort out the base href tag. Sounds like something I should be working on. Good Idea that man or woman Bigenuf, now explain to my 6 year old about his Birthday party and why Daddy isn't there.
Philip.
-
Re: WorldPay Module version 2.0 - Support thread
Quote:
Originally Posted by Bigenuf
Quote:
Originally Posted by RBSWorldPay
At this point any visual impairment to the design of your payment pages caused by the measures we are taking to prevent cross site scripting will be visible to your shoppers.
that reads to me,
Quote:
Originally Posted by RBSWorldPay
At this point any blindness to the design of your payment pages caused by the measures we are taking to prevent cross site scripting will be visible to your shoppers.
which actually makes sense, they are blind to their actions.
although a more accurate "management speak translation", removing the bull, is:
Quote:
Originally Posted by RBSWorldPay
At this point any blindness to the design of your payment pages caused by the measures we are taking, will be visible to your shoppers.
In fact I'd like to patent bulltoenglish.google.co.uk a new translation service similar to http://translate.google.co.uk except it enables the average person to understand what middle management is saying.
-
Re: WorldPay Module version 2.0 - Support thread
I've thrown this together and would appreciate if someone who knows what they are doing can have a look at it and see if it will actually work. I've made it so that all one needs to do is drop a folder into their templates folder and it will take care of this worldpay problem.
This is not intended to be a permanent fix just a stop gap measure until Worldpay decides to pull their heads out.
See the following Screen captures of both the Success and Cancelled pages.
http://britishbeefjerky.co.uk/tn_Success.jpg
http://britishbeefjerky.co.uk/tn_Failed.jpg
Since the mechanics of this module work great, all we are bothered with is what the customer sees after they have either completed their transaction or cancelled it, and this, I believe, is an acceptable outcome for those of us who are challenged :lamo:
Because forum rules prohibit me from posting a link to this fix, if you Philip or anyone else who wants to have a look at it will either PM me or email me, I'll send you a link to it.
-
Re: WorldPay Module version 2.0 - Support thread
Now I need to understand this. Are these problems going to be because of some future changes, or the changes are already actually in effect?
The reason why I am asking is because I just processed a test payment through my website and WP and all it seemed normal. All screens were the same as they were 6 months ago...
-
Re: WorldPay Module version 2.0 - Support thread
Yep send me the link through and I'll check that everything is still working, my email address is there when you click on my name anyway. Haven't had any time this week what with a child's birthday. I think I have another suggestion for the branding of the page, I just have to have a look through the standard defined constants in the zen cart package.
Philip.
-
Re: WorldPay Module version 2.0 - Support thread
Quote:
Originally Posted by oxxyfx
Now I need to understand this. Are these problems going to be because of some future changes, or the changes are already actually in effect?
The reason why I am asking is because I just processed a test payment through my website and WP and all it seemed normal. All screens were the same as they were 6 months ago...
The changes will be coming to global effect inside 14 days. Some people have already got them and have been discussing it for weeks. This is one of the odd situations that I find myself in, because I maintain the module but don't have a worldpay account. Bigenuf's suggestions are pretty much the only way that the worldpay module would work in the future, but a lot of people will leave worldpay just because they have been so obtuse during this discussion, given conflicting information and I have lost count of the times that they have "blamed the module" for errors with new users over the last year. :no:
-
Re: WorldPay Module version 2.0 - Support thread
Link sent, if you need anything else just let me know. I'll be up around 4 am starting work:shocking:
-
Re: WorldPay Module version 2.0 - Support thread
I'll probably be going to bed around then ;o
-
Re: WorldPay Module version 2.0 - Support thread
Quote:
Originally Posted by oxxyfx
Now I need to understand this. Are these problems going to be because of some future changes, or the changes are already actually in effect?
The reason why I am asking is because I just processed a test payment through my website and WP and all it seemed normal. All screens were the same as they were 6 months ago...
To see what we're dealing with, go into your worldpay account and go into the test environment. 3/4 of the way down the page you will see a check box to enable or disable the "whitelisting". If it is enabled (it should be enabled by default at the present time) then you can test it, otherwise change and save it.
Go into your zencart admin Modules>Payment>Worldpay Credit card payments (2.10 is the current version), edit this module and set it into TEST Mode. Save it and then do a test transaction. The easiest way is to purchase something on your site, choose Worldpay as the payment option, go to Worldpay and then cancel the payment and you should return to your site.
At the present time this will only look like this when you have whitelisting enabled but shortly you will not have an option to turn it on or off and your result pages will be a mess.
Now go back and turn the test mode off in the Worldpay module so your customers can make purchases.
Quote:
Please be aware of the timelines for making these changes.
August 2009: the Test Environment will begin to enforce our list of permitted HTML tags so you can test payment pages before setting them live.
September 23rd 2009: we will activate our list of permitted HTML tags for all live payment pages for all customers. At this point any visual impairment to the design of your payment pages caused by the measures we are taking to prevent cross site scripting will be visible to your shoppers. If this causes an issue for your payment pages you can remove the list from your installation via our Merchant Interface (see Disabling and Re enabling Whitelist in Technical Notes below) up until the 14th October 2009 from when all installations will work with the list of permitted HTML tags without exception.
We will update you with further details nearer the time letting you know when to start reviewing your payment pages in the Test and Production environment.
The article is here.
http://www.rbsworldpay.com/support/b...s&sub=xss&c=UK
Cheers
-
Re: WorldPay Module version 2.0 - Support thread
You know those modifications? I can hear something, it's very faint at the moment but it's going tick tock, tick tock. (all will be revealed soon)
-
Re: WorldPay Module version 2.0 - Support thread