Payment gateways and XSS

Posted by Rowan Parker on Stack Overflow
Published on 2010-05-19T08:49:14Z Indexed on 2010/05/19 8:50 UTC

Hi all,

I'm working on a website which takes payment from a customer. I'm using Kohana 2.3.4 and have created a library to handle the payment gateway I use (www.eway.com.au). Basically I'm just using their sample code, copied into its own class.

Anyway, the code works fine and I can make payments, etc. The issue I have is when the payment gateway is returning the user to my site. The payment gateway uses HTTPS so that is secure, and it is sending the user back to a HTTPS page on my site.

However I have the NoScript plugin installed in Firefox, and when I get sent back to the page on my website (which also handles storing the transaction data) I get an error message saying that NoScript has blocked a potential XSS attack.

Now I understand why it's insecure (POST data being sent across two different domains) but what should I be doing instead? Obviously during my testing here I temporarily disable NoScript and it all works fine, but I can't rely on that for the end users.

What's the best practice here?
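The flow the question describes (gateway POSTs the browser back to an HTTPS return page that records the transaction) is shown below as an added example; it is not code from the original post, from Kohana, or from eWAY's sample library. The field names `txn_id`, `amount` and `status`, the `handleGatewayReturn`/`renderResult` functions and the in-memory `$pending` table are all assumptions made for illustration. The point it demonstrates is the defensive one: everything in that cross-domain POST arrives via the user's browser, so it is validated against the order the server stored before the redirect, rejected on mismatch or replay, and escaped before any of it is echoed into HTML.

```php
<?php
// Added example, not from the original post or eWAY's sample code.
// Hypothetical return-page handler: the gateway POSTs the user back to this
// HTTPS page. Every field in that POST is untrusted input, so it is checked
// against the pending order stored server-side, and anything echoed back
// into HTML is escaped (the XSS concern NoScript raises).
// Field names ('txn_id', 'amount', 'status') are assumptions, not eWAY's.

declare(strict_types=1);

/**
 * Validate a gateway return POST against the order created before the redirect.
 * Returns a result array; the caller decides what to render.
 */
function handleGatewayReturn(array $post, array $pendingOrders): array
{
    // Only the fields we expect are read; everything else in the POST is ignored.
    $txnId  = isset($post['txn_id']) && is_string($post['txn_id']) ? $post['txn_id'] : '';
    $amount = isset($post['amount']) && is_string($post['amount']) ? $post['amount'] : '';
    $status = isset($post['status']) && is_string($post['status']) ? $post['status'] : '';

    // Tight format checks: an opaque id and a whole-number amount in cents.
    if (!preg_match('/^[A-Za-z0-9\-]{1,64}$/', $txnId)) {
        return ['ok' => false, 'reason' => 'malformed transaction id', 'txn_id' => $txnId];
    }
    if (!preg_match('/^\d{1,9}$/', $amount)) {
        return ['ok' => false, 'reason' => 'malformed amount', 'txn_id' => $txnId];
    }
    if (!isset($pendingOrders[$txnId])) {
        return ['ok' => false, 'reason' => 'unknown transaction', 'txn_id' => $txnId];
    }
    $order = $pendingOrders[$txnId];

    // The stored amount is authoritative; the browser-relayed value only has to agree with it.
    if ((int)$amount !== $order['amount_cents']) {
        return ['ok' => false, 'reason' => 'amount mismatch', 'txn_id' => $txnId];
    }
    if ($status !== 'approved') {
        return ['ok' => false, 'reason' => 'payment not approved', 'txn_id' => $txnId];
    }
    // Refuse to record the same return twice (a refreshed or replayed POST).
    if ($order['processed']) {
        return ['ok' => false, 'reason' => 'already processed', 'txn_id' => $txnId];
    }
    return ['ok' => true, 'order_ref' => $order['ref'], 'amount_cents' => $order['amount_cents']];
}

/** Escape anything derived from the POST before it lands in HTML. */
function renderResult(array $result): string
{
    $esc = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    if (!$result['ok']) {
        return '<p>Payment could not be confirmed (' . $esc($result['reason'])
            . ') for transaction "' . $esc($result['txn_id']) . '".</p>';
    }
    return '<p>Thanks, order ' . $esc($result['order_ref']) . ' was paid.</p>';
}

// Constructed sample data standing in for $_POST and the orders table.
$pending = [
    'ABC-123' => ['ref' => 'ORDER-42', 'amount_cents' => 1999, 'processed' => false],
];
$goodPost = ['txn_id' => 'ABC-123', 'amount' => '1999', 'status' => 'approved'];
$badPost  = ['txn_id' => 'ABC-123', 'amount' => '1',    'status' => 'approved'];
$xssPost  = ['txn_id' => '<script>alert(1)</script>', 'amount' => '1999', 'status' => 'approved'];

echo renderResult(handleGatewayReturn($goodPost, $pending)), PHP_EOL;
echo renderResult(handleGatewayReturn($badPost, $pending)), PHP_EOL;
echo renderResult(handleGatewayReturn($xssPost, $pending)), PHP_EOL;
```

Run with `php return.php`: the first POST is accepted, the second is rejected for an amount mismatch, and the third is rejected as malformed with the script tag rendered harmlessly as text. In a real deployment the server-side record would live in the database rather than an array, and the order would be marked processed in the same transaction that records the payment; where the gateway offers it, confirming the transaction by a direct server-to-server query rather than trusting only the browser-relayed POST is the stronger design.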
