WorldPay Module version 2.0 - Support thread

[philip_clarke]

Having had a look at their antisamy spec, if their filter is any good and the obfuscation does not work, then there's not much chance since they have rigged the stylesheet tags to use on text/css (you can set them text/html) and @import and LINK tags are similar or disabled entirely.

I'm still looking for something, the script tags are not mentioned and I assume anything not listed is stripped, but what is strange that the file mentions id listed as

Example policy file (far too permissive for production use)

which is lunatic. ANTISAMY is not designed for this. It's designed to allow users to enter things into a text box and to see the results without have malicious tages enters, it is not designed to pull in a third party application and then filter it and display it. Yes Worldpay could be attacked using XSS but only after a transaction was made and completed and the card verified. I possibly (this is on the outskirts of possibility) could write a conversion program for the module where you have to run your templates through it and it could create full url links if you like ? I can't alter "the module" by a default as you "the users" could be using any kind of template and styles so there is no default (you could be pulling new items, there could be database driven items showing best selling things), you have sideboxes that might be hardcoded)....

I'll have a think, but I suggest £20 a month gets you a paypall pro account with a virtual terminal where you can take numbers over the telephone and the modules are more advanced, which seems cheaper and better than a company that seems intent on destroying it's client base.

Philip.

[Ooba_Scott]

Yeah totally agree with you

I have a feeling they are going to lose alot of business through this new antisamy thingy..... if a client asks what payment gateway to use, def will not be suggesting worldpay!

But sadly client already has had a worldpay account and has been using it in the past.....so i dont think i will be able to persuade him to change anytime soon.


Setup protx acouple of times, and that was perfect, no problems at all..

There thing doesnt seem to pull in all the tags anyway, i had a quick look at the source code alst week and i noticed it was pulling in the <option> tag, but it was never pulling in the close tag for it....They surely cant be filtering out only the close tag....but i wouldnt put it past them at the minute tho, haha

Yeah im still trying to think of a solution, but running out of options and solutions

[philip_clarke]

If none of the above code works then I doubt it's possible. I've been looking at that "permissive" owasp filter and they've crippled any webpage that is not plain text with fully formed links.

Unless there's an article in the knowledge base about how to bypass the sucking in process (and then they have adding a whole new feature), I fear tha everyone is going to be hard coding this weeked. Or whenever they find out....(queue months of answering the same questiosn over and over...)

Philip

[Ooba_Scott]

Haha yeh, well come the 30 of sept, when they make it compulsory....then people who already have this mod will all be coming accross the same problems :S

I am happy to try and answer peoples questions when the floods come in! haha

[Ooba_Scott]

I emailed support at worldpay on friday asking about why the base href tags get filtered and why they dont pick up all of the close tags properly......and apparently they are aware of this issue and are currently investigating. They suggest turning off the whitelisting for the time being


So it sounds to me that probably enough people have complained and asked questions about this issue for them to look into it and fingers crossed find a solution!

Might be a good idea to keep checking worldpay news and updates section to see if they have fixed this issue :)

[jszemmel]

Hi Philip,

We have an affiliate program in place on our site - it used to track all the affiliate transactions before - and the hidden tracking url was placed in tpl_checkout_success_default.php . At the moment after installing your module it only tracks the paypal orders --- Which tpl page is getting displayed by a worldpay module on the checkout --- is this --- tpl_modules_wp_checkout_success.php ???

In the previous module we had

PHP Code:

$order_total_query = "SELECT value FROM orders_total
                 WHERE orders_id = " . $zv_orders_id . "
                 AND class = 'ot_subtotal'";

$webgains_total_query = $db->Execute($order_total_query);
$webgains_total = $webgains_total_query->fields['value']; 


Set up in the header - of a success file -- to get a total of the order and than to be able to display it in the hidden tag on the wp_callback success?? am I right??

[philip_clarke]

That's resonably correct, although displaying a hidden tag may be tricky if you read the above emails, since worldpay is filtering html on their side when they draw the page in,

Philip.

[jszemmel]

1. When i try the white listing on our site it doesn't return to the site at all - the order gets created but it does not go back to the shop.

Sorry, there was an error in the processing of this payment.
Please contact RBS WorldPay with details of your error if the problem persists.
Server information 28/Aug/2009 09:36:52 Server ID mg1imscs5pa (WPReq-4842)

2. It would be ideal if we could display the continue button on the worldpay success page which would take you to the standard zen cart success page with the order number like it was implemented in the old worldpay module -- would that be a problem for you to implement??

3 spoke to worldpay and they will definitely implement it... We are thinking of swicthing to protex

[philip_clarke]

1) would be a worldpay problem

2) no not unless you would like people to mark goods up from your shop as paid and then you send them out only to find out that worldpay has been bypassed (because that button html code would need to contain your payment response password if I were to code it into the module)

3) implement what ? I think worldpay have killed themselves on this one. The trouble is that the amount of modifications and template chages that people make, which make ZC flexible, means it needs the base href tag of an entirely different engine to run it. I imagine some shop with limited template options or an engine that replaces links in templates, would work but then that's not ZC

[Ooba_Scott]

Yep they are making the whitelisting compulsory on september 30th. BUT it still has some serious flaws.

I pointed this out to them (probably along with many others aswel) and they are apparently looking into to it and will notify me with an answer to why/ a fix.

Basically they do notpull in all the close tags, which in turn causes the stylesheets not to be implemented properly making the thankyou page look pretty bad.

Ofc you cant rely on them to get back to you, so i will keep pestering them, in a week or two for some progress.

I have used Sagepay(protx) on a couple of other zen cart sites recently, and iut has all gone ok without any problems....ofcourse swapping over is an option. But if your client/you have already done all the leg work to get worldpay setup then is it worth starting again and getting sagepay setup.

For me i dont like to give up and im determined to get the worldpay sorted ( also my client only has a worldpay account, and only wants to use them)