WorldPay Module version 2.0 - Support thread

[philip_clarke]

Having had a look at their antisamy spec, if their filter is any good and the obfuscation does not work, then there's not much chance since they have rigged the stylesheet tags to use on text/css (you can set them text/html) and @import and LINK tags are similar or disabled entirely.

I'm still looking for something, the script tags are not mentioned and I assume anything not listed is stripped, but what is strange that the file mentions id listed as

Example policy file (far too permissive for production use)

which is lunatic. ANTISAMY is not designed for this. It's designed to allow users to enter things into a text box and to see the results without have malicious tages enters, it is not designed to pull in a third party application and then filter it and display it. Yes Worldpay could be attacked using XSS but only after a transaction was made and completed and the card verified. I possibly (this is on the outskirts of possibility) could write a conversion program for the module where you have to run your templates through it and it could create full url links if you like ? I can't alter "the module" by a default as you "the users" could be using any kind of template and styles so there is no default (you could be pulling new items, there could be database driven items showing best selling things), you have sideboxes that might be hardcoded)....

I'll have a think, but I suggest £20 a month gets you a paypall pro account with a virtual terminal where you can take numbers over the telephone and the modules are more advanced, which seems cheaper and better than a company that seems intent on destroying it's client base.

Philip.