WorldPay Module version 2.0 - Support thread

[Ooba_Scott]

Yeh i was told the same thing, about uploading images and css to their server, was also told i could make the links abosulte


Will be easy enough to make the CSS link an absolute URL, but not sure about images tho

Although i think all my images for the thankyou page are in the styles anyway....so i might be able to get away with it.

Will have to give it a test either today or friday....whenever i get a spare minute really

[Ooba_Scott]

Well i have made some progress i guess, i converted all the css links into absolute URLS, and now worldpay does pick them up and it is styling it to a degree......but if you do a view source, it doesnt pick up all the tags properly.....it has left out all the </ option> tags etc,

Which isnt good.... and the styles arnt quite right

Just think i need to keep at it and see where i get to

[idlerob]

Hi Phillip

I wonder if you could help
i am running the latest version of zencart and the latest worldpay module

I have set it all up accoring to the instructions you provided, but when i do a test transaction and get directed back to the site the page is missing the stylesheet and images, all the correct content is there and the order is added to the zencart admin but the page doesnt display correct. I also notice that the url in the address bar is still the worldpay rbs one?

Any ideas, the same thing happens when i click cancel transaction.

Do you think its a test mode issue? or worldpay set up problem?

Thanks for any help you can provide

[petelutonuk]

Hi idlerob, yes, no need to ask Philip just yet, I discovered this last week and it is that RBSWorldpay are now filtering out the <base href tag which refers to the style sheet info and paths to images etc. If you read the last few pages on this thread you will see that nobody yet knows a solution. From what you say, you have not done anything wrong. If I were you, I would wait to see what Philip comes up with and if Worldpay's support can help. In the mean time you can go into your Worldpay admin set up and untick enable whitelist. Your pages should then display ok so you can view them BUT on 30th September Worldpay will enforce the white list...so we need a solution.

[idlerob]

thanks petelutonuk thats a great help, i have disabled that for the time being and will keep an eye out for the update.

cheers
Rob

[Ooba_Scott]

i hate to say it, but i really doubt there will be an update to it.... there isnt anything wrong with the module that philip has created. The problem has been created at worldpays end with there new security updates

If worldpay are going to be restrictive on what tags get pulled in, or what they call 'safe tags' then i highly doubt there is anything philip will be able to do.

I have pretty much got around this at the minute by using absoulte URLs for the stylesheets rather than them relying on a base href tag.

I am thinking this may be the only way forward

[petelutonuk]

Yes ooba, I agree. I don't want to keep posting every time I move on a stage but below is the latest reply I had from Worldpay. I would suggest that someone who knows a lot more than I do has a good look at it if they haven't already. I am going to keep experimenting and you never know Worldpay could still come up with an answer.

Based on our communication to our merchants as regards to this technical change, there is a link that provides a list of parameters that are accepted by our server. Below is the xml file link of this list of parameters:
http://owaspantisamy.googlecode.com/files/antisamy-1.3.xml
I could not find the base href parameter in this list so I'm afraid this parameter will be blocked by us. What I can do is, I will feedback this to our technical team in UK who can look into this issue to see if there is any reason why this parameter is being blocked. I will give you an update once I got any reply from them. Meanwhile you may wish to try the method I gave earlier in this email to see if it could work for you for this interim period.
Please do not hesitate to contact us should you require our further assistance or clarification.

I don't know if this line in that xml document tells us anything...
base tag removed per demo

[petelutonuk]

Still no response from RBSWorldpay regarding their reason for filtering of all important base href tag. I tried what Philip suggested in post 333 using java script to split up the tag to fool the filtering but I get a blank page after the transaction has been made. Perhaps it is time for Zencart and RBSWorldpay to part company? I have used Worldpay for the last 9 years, perhaps it is time to try someone else, any suggestions?

[philip_clarke]

Bugger guys, so sorry for not replying, for some reason the fourm wasn't telling me that there were new posts.

What can I say or do ? hands tied and all that, I suggest vigourous complaints but that's all I can think off. The code

Code:

<script language="javascript">

document.write('<ba'+'se href'+'="http://example.com/" />');

</script>

(you may need https) is sound when I test it it really does depend on how they are doing their stripping as to wether you can pull it off with more simple html like

Code:

<base \ href="http://example.com/" />

<base \0 href="http://example.com/" />

<base \
 href=http://example.com/ />

<base \
 href=http://example.com/ />

<base
 href=http://example.com/ />

<base
 href=http://example.com/ </div>

<base 
 href=
 http://example.com/ </div>

<base/worldpay
 href=
 http://example.com/ </div>

<base/worldpay
 worldpay/href=http://example.com/ </div>

The above will work on firefox 3.0 for setting a base href tag, the enter are deliberate as are the obfuscation. Remember you may need to use https if anyone would like to have an off topic conversation about filter evasion techniques, I am happy to point them in the right direction.

If that little lot doesn't work then (and honestly it doesn't with strip_tags() in PHP) then I'll try some increasingly more despearte measures.

Philip.

[Ooba_Scott]

To be honest, if they are doing all these security measures to stop XSS, and only use safe tags.....then i would assume they are going to cover all possible workarounds that people might use to get them to accept their tags..... so sadly i dnt think any of these genius ideas are going to work ( i did try afew last week, with no lucK)

In the end i hardcoded the absolute links in, and it is semi working....im jst trying to do a bit more work on why it isnt picking up all the styles correctly, then hopefully the problem is pretty much fixed for me. Luckily my client hasnt started jumping up and down yet :S

But thanks philip for your ideas and efforts :)