Payment gateways and XSS
Posted
by Rowan Parker
on Stack Overflow
See other posts from Stack Overflow
or by Rowan Parker
Published on 2010-05-19T08:49:14Z
Indexed on
2010/05/19
8:50 UTC
Read the original article
Hit count: 312
Hi all,
I'm working on a website which takes payment from a customer. I'm using Kohana 2.3.4 and have created a library to handle the payment gateway I use (www.eway.com.au). Basically I'm just using their sample code, copied into it's own class.
Anyway, the code works fine and I can make payments, etc. The issue I have is when the payment gateway is returning the user to my site. The payment gateway uses HTTPS so that is secure, and it is sending the user back to a HTTPS page on my site.
However I have the NoScript plugin installed in Firefox, and when I get sent back to the page on my website (which also handles storing the transaction data) I get an error message saying that NoScript has blocked a potential XSS attack.
Now I understand why it's unsecure (POST data being sent across two different domains) but what should I be doing instead? Obviously during my testing here I temporarily disable NoScript and it all works fine, but I can't rely on that for the end users.
What's the best practice here?
© Stack Overflow or respective owner