WARNING - WorldPay Select Junior not working after 23rd Sept 09

[Rozza]

Help required

 

I have an OSC installation (2.2 RC2a) with the WorldPay Select Junior payment module - the only way I can get this module to work is to have the "Enable whitelisting?" box UN-ticked in the RBS WorldPay admin panel.

A new directive from 23rd of September 2009 means that RBS WorldPay will be removing this option and will ultimately kill my checkout process.

 

Quote from the RBSWorldPay website:

"From 23rd September 2009 any scripting will be suppressed on output to the web

browser - unfortunately this will prevent web applications such as Google Analytics

from being used on our hosted payment pages but such coding may still be applied

to a merchant's website at the merchant's own risk.

 

We will restrict the types of coding that will be accepted on the hosted payment page

by introducing a list of permitted attributes (often referred to as a 'whitelist') from the

Open Web Application Security Project (OWASP)). Only codes that that are included

on the reference list will be displayed when output to a web browser. Validation of all

incoming data and appropriate encoding of all output data will prevent unauthorised

scripts from running in the browser."

Full details here.. RBS WorldPay - News Item

 

After speaking to RBS WorldPay tech support it would appear that the WorldPay Select Junior module does not validate and all blocked code (including java, php etc) is stripped out before creating the final output.

This would explain why the final page in the payment process that contains the button "Click here to return to xxxxx store" can remain unformatted and contains a broken button that doesn't return you to the 'junior_callback.php' file to complete the cart update process.

 

So no emails are generated or stock subtracted and the clients cart remains full with the unprocessed order.

 

Unfortunately I am not a programmer and have spent too many lost days now trying to resolve this problem - can anyone shed any light on this or suggest a fix?

Edited September 3, 2009 by Rozza

[web-project]

from their example at url:

http://www.rbsworldpay.com/support/kb/bg/e...example0.1.html

you can create your own module, I have seen few payment gateways providers did sort of update in the past.

[Rozza]

Hi Alex,

 

Thanks for the reply, I've had a look at the example and I think I understand how it works but I wouldn't

know how to begin creating a more complex payment module that would integrate with my shop.

 

I rely heavily on the OSC contributions QTPro for stock control and Royal Mail UK & Overseas shipping

module for weight related postal charges. So at the end of the payment I need to collect all the data, pass

it over to RBS WorldPay for payment then get the Payment Response Callback (that the current module

provides) to complete the whole checkout process.

 

And all that within the new restrictions!

 

Unless I can get some guidance I can't see it being a job that I could do with my limited knowledge.

[web-project]

Not really big issue, they simply updated name & want to have most secured payments.

 

we are making are to ensure that our payment pages are as secure as possible as well as aligned with the latest industry security standards

 

If you have customised the standard RBS WorldPay payment pages (to add your own company logos, to add or change text or graphics, for example) you need to ensure those changes are coded securely using approved tags. On 10th September this year we will no longer display any elements in any payment pages that are not coded using approved HTML tags. You need to get your technical resources to review the Technical Notes below well before 10th September and, if necessary, adjust your RBS WorldPay installation, as described. If you are unsure if you have customised the payment pages, refer to Customised Payment Pages below for further advise

basically all stuff should be done in HTTPS protocol without any excuses.

[Rozza]

Hey, if only it was that simple - for me this is a MASSIVE issue.

Like many OSC installs out there I don't use HTTPS and none of my payment pages are customised.

 

Either way I don't believe that is the problem. Google searches covering the RBS WorldPay Whitelist

throw up many results and the forum over at Zen Cart is glowing with the same issue.

 

If I could write a new payment module contribution I would but, as I say, I'm not a programmer.

 

As it happens RBS have offered to issue me a second merchant account ID so that I can register

with Sage Pay/Protex (which works like a charm) and, under the circumstances, have waived the fee!

 

I think that tells it's own story.

 

I reckon this post will lay dormant until the 24th Sept, then all hell will break loose.

If I find any genuinely helpful info by then I'll report back here.

 

 

Carl

[rgvsean]

I've set my call back to store/ext/modules/payment/worldpay/junior_callback.php

 

I'm still in test mode and it NEVER returns me to the shop. Whitelisting on or off.

 

Orders are still captured though and payment confirmed e-mails all working - odd.

 

On a side note you have the option to turn it on/off until 14th of October - so we have time to get it fixed - maybe????

[rgvsean]

Ah I see now, I got the button to show up in world pay by changing a 0 to a 1 at

 

$sql_data_array = array('orders_id' => $HTTP_POST_VARS['cartId'],

'orders_status_id' => $order_status_id,

'date_added' => 'now()',

'customer_notified' => '1',

'comments' => 'WorldPay: Transaction Verified');

 

However it doesn't work with whitelisting.

 

So setting this to zero allows the order to capture but the customer stays stuck at RBS.

 

A solution would be nice.

 

Another way around is to redirect to checkout_process - the order captures but customer not well informed. Hmmmmmmmm

Edited September 16, 2009 by rgvsean

[rgvsean]

Sorry, starting to understand this now. My changing the o-1 was supposed to send a confirmation e-mail to the cutomer but this DOES NOT happen.

 

Secondly my orders are capturing whether world pay is completed and called back or not! This means I'll have to manually confirm and check each payment.

 

Seems a weak solution. <_<

[rgvsean]

I've now managed to get a working solution to this problem.

 

With whitelisting on.

 

Will post up the code you need to put into junior_calback later, when I get home.

[mhsuffolk]

I've now managed to get a working solution to this problem.

 

With whitelisting on.

 

Will post up the code you need to put into junior_calback later, when I get home.

 

I am having the same problem, did your code work?

 

If so could you post it up please

 

Martin

[Floob]

Any update to get this working again?

[mhsuffolk]

Any update to get this working again?

 

Yes, it was solved in this thread.

 

http://www.oscommerce.com/forums/topic/344497-how-to-fix-worldpay-junior-junior-callback-php-going-straight-to-results-screen-in-rbsworldpay/

 

Scroll down to Post #7

 

The code replaces an existing similar section in ext\modules\payment\worldpay\junior_callback.php Don't forget to change the xxxxxxxxxx to your stores URL

 

It has worked on every order since I implemented it, all customers have returned to my store and their cart has been emptied.

[Floob]

Yes, it was solved in this thread.

 

http://www.oscommerce.com/forums/topic/344497-how-to-fix-worldpay-junior-junior-callback-php-going-straight-to-results-screen-in-rbsworldpay/

 

Scroll down to Post #7

 

The code replaces an existing similar section in ext\modules\payment\worldpay\junior_callback.php Don't forget to change the xxxxxxxxxx to your stores URL

 

It has worked on every order since I implemented it, all customers have returned to my store and their cart has been emptied.

 

Thats great - worked a treat. Thanks.