PayPal X-Frame issue

  • Posts: 231
  • Thank you received: 4
  • Hikaserial Standard
3 years 11 months ago #326457

-- HikaShop version -- : 4.3.0
-- Joomla version -- : 3.9.23

Hello,
I have an issue with the HikaShop PayPal Website Payments Pro Hosted Payment plugin. I have it published and active on my site; when I go through the checkout process and select it as a payment option, it fails with an x-frame cross scripting issue. I cannot get the plugin to work with either run in iFrame Yes or No setting.

Please see the attached screenshots. Does anyone have the PayPal Hosted plugin running successfully? Can you advise on how you have the configuration set up?

Thanks
Lee


  • Posts: 82863
  • Thank you received: 13372
  • MODERATOR
3 years 11 months ago #326465

Hi,

It seems that the iframe mode of Paypal Website Payments Pro Hosted is not allowed anymore by PayPal.
But with the "iframe" setting turned off, it will work without an iframe, so it should work fine. I don't see how you could get that same error with the iframe setting turned off. Could you please double check?
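
Why the iframe mode can be refused while a full-page redirect still works, as an added example that is not part of the original thread: a simplified model of the browser's framing check (X-Frame-Options and CSP frame-ancestors). The origins and header values are constructed placeholders, not PayPal's actual responses.

```javascript
// Simplified model of the browser's "may this response render in a frame?"
// check. Ports in source expressions are not handled (they fail closed).
function matchesSource(source, origin, selfOrigin) {
  if (source === "'none'") return false;
  if (source === "'self'") return origin === selfOrigin;
  if (source === "*") return true;
  const o = new URL(origin);
  const m = /^(?:(https?):\/\/)?(\*\.)?([^/:]+)$/i.exec(source);
  if (!m) return false;
  const [, scheme, wildcard, host] = m;
  if (scheme && scheme.toLowerCase() + ":" !== o.protocol) return false;
  return wildcard ? o.hostname.endsWith("." + host.toLowerCase())
                  : o.hostname === host.toLowerCase();
}

// ancestors: origins of every frame above the response, nearest parent first.
// An empty list means a top-level navigation (the non-iframe mode).
function framingDecision(headers, responseOrigin, ancestors) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v.trim();

  const csp = h["content-security-policy"] || "";
  const directive = csp.split(";").map(d => d.trim().split(/\s+/))
    .find(d => d[0].toLowerCase() === "frame-ancestors");
  if (directive) {
    // When frame-ancestors is present, X-Frame-Options is ignored.
    const sources = directive.slice(1);
    const ok = ancestors.every(a =>
      sources.some(s => matchesSource(s, a, responseOrigin)));
    return ok ? "render" : "blocked by frame-ancestors";
  }
  const xfo = (h["x-frame-options"] || "").toUpperCase();
  if (xfo === "DENY" && ancestors.length > 0) return "blocked by X-Frame-Options";
  if (xfo === "SAMEORIGIN" && !ancestors.every(a => a === responseOrigin))
    return "blocked by X-Frame-Options";
  return "render";
}

const PAY = "https://payments.example";  // hypothetical hosted payment page
const SHOP = "https://shop.example";     // hypothetical merchant site
const sampleHeaders = { "X-Frame-Options": "SAMEORIGIN" };  // constructed

console.log(framingDecision(sampleHeaders, PAY, [SHOP])); // iframe mode
console.log(framingDecision(sampleHeaders, PAY, []));     // non-iframe mode
```

The same form POST succeeds as a top-level navigation because the framing headers only apply when the response has at least one ancestor frame.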


  • Posts: 231
  • Thank you received: 4
  • Hikaserial Standard
3 years 11 months ago #326519

Thanks for the reply. I have been in touch with PayPal who may have found an issue. This is the reply from their support team (I have redacted some of the information and replaced with XXXXXXXX):

So I have taken the code and tested and this is what is getting sent over to PayPal:

<form id=paypal
target=hss_iframe
name="name=hikashop_paypalintegralevolution_form"
action=https://securepayments.paypal.com/webapps/HostedSoleSolutionApp/webflow/sparta/hostedSoleSolutionProcess method=post>

<input type=hidden name=cmd value=_ext-enter>
<input type=hidden name=redirect_cmd value=_hosted-payment>
<input type=hidden name=upload value=1>
<input type=hidden name=business value=XXXXXXXX>
<input type=hidden name=receiver_email value=XXXXXXXX>
<input type=hidden name=invoice value=53433>
<input type=hidden name=currency_code value=GBP>
<input type=hidden name=return value=XXXXXXXX>
<input type=hidden name=notify_url value=XXXXXXXX>
<input type=hidden name=cancel_return value=XXXXXXXX>
<input type=hidden name=test_ipn value=0>
<input type=hidden name=shipping value=15>
<input type=hidden name=charset value=utf-8>
<input type=hidden name=bn value=HikariSoftware_Cart_WPS>
<input type=hidden name=address_override value=0>
<input type=hidden name=billing_first_name value=XXXXXXXX>
<input type=hidden name=billing_last_name value=XXXXXXXX>
<input type=hidden name=billing_address1 value=XXXXXXXX>
<input type=hidden name=billing_address2 value=XXXXXXXX>
<input type=hidden name=billing_zip value=XXXXXXXX>
<input type=hidden name=billing_city value=XXXXXXXX>
<input type=hidden name=billing_state value=XXXXXXXX>
<input type=hidden name=billing_country value=XXXXXXXX>
<input type=hidden name=email value=XXXXXXXX>
<input type=hidden name=night_phone_b value=XXXXXXXX>
<input type=hidden name=subtotal value=XXXXXXXX>
<input type=hidden name=tax value=3>
<input type=hidden name=template value=templateD>
</form>

When I tested the above code this didn’t work for me. The main culprit for this was the variable “name”

name="hikashop_paypalintegralevolution_form"

renaming it to:

name="paypal_form"

Allowed the Iframe to Generate


Can you advise where in the plugin this name is generated, so I can modify and test the outcome?

Thanks :-)


  • Posts: 82863
  • Thank you received: 13372
  • MODERATOR
3 years 11 months ago #326521

Hi,

What he is saying is really strange.
The PayPal server should not see the name of the form sending the data.
Plus, the target=hss_iframe comes from the iframe mode.
So it seems that you still have the payment method configured with the iframe mode.
The file you want to look at is plugins/hikashoppayment/paypalintegralevolution/paypalintegralevolution_end.php
There, you can see an if at the beginning to decide whether to use the iframe mode or the non-iframe mode.
So what you could do is to change that line from:

if (($this->payment_params->iframe == 1)) {
to:
if (false) {
to force the non-iframe mode and it should hopefully work fine.
In that file you'll also see the code
name="hikashop_paypalintegralevolution_form"
twice. So if you want to try and follow their recommendation, you can change both of them.
However, I don't see how that would work since javascript code there bases itself on the name of the form:
document.hikashop_paypalintegralevolution_form.submit();
so that you don't have to click on a button to submit the data to PayPal.
If you change the name of the form, this javascript wouldn't work anymore and you would have to manually validate the form with a button or change also the javascript line to use the new name of the form.


  • Posts: 231
  • Thank you received: 4
  • Hikaserial Standard
3 years 11 months ago #326575

Nicolas,
Firstly, thank you for your help; it is greatly appreciated. :-)

PayPal have replied with a possible issue / solution:

Thanks for the information there, and the code snippet. So looking at the code I can see the issue straight away:
 
<?php
if (($this->payment_params->iframe == 1)) {
?>
 
<iframe  frameborder="0" id="hss_iframe" name="hss_iframe" width="570px" height="540px"></iframe>
 
 
//<div class="hikashop_paypalintegralevolution_end" id="hikashop_paypalintegralevolution_end">
//<form id="hikashop_paypalintegralevolution_form" target="hss_iframe" //name="hikashop_paypalintegralevolution_form" action="<?php echo $this->payment_params->url;?>" //method="post">
 
Looks like the HSS Iframe is being loaded into: (payment_params->iframe == 1) This would automatically trigger a security issue and result in the refuse to display error. If you take the code directly out of that environment and run it within a local host the Iframe will render without any issues. Wrapping the Iframe in a div container shouldn’t be an issue, however wrapping the Iframe within another Iframe will cause the origin conflict.

So it seems if the initial iFrame can be removed from the plugins/hikashoppayment/paypalintegralevolution/paypalintegralevolution_end.php file then it should work?

I have the contact at PayPal who is helping me. Would it be beneficial for you to communicate with them directly? How can I send you their details securely rather than posting in a public forum?

Thanks again
Lee


  • Posts: 82863
  • Thank you received: 13372
  • MODERATOR
3 years 11 months ago #326581

Hi,

There is no need. What he is saying is the same thing I'm saying but in a different way.
He is recommending you to change the HTML of the first mode to make it work like the second mode, while I proposed to force the second mode.
So again, change that line from:
if (($this->payment_params->iframe == 1)) {
to:
if (false) {
to force the non-iframe mode and it should hopefully work fine.
You just need to try the solution I proposed and confirm that it fixes the problem.


  • Posts: 231
  • Thank you received: 4
  • Hikaserial Standard
3 years 11 months ago #326716

Nicolas,
PayPal are saying it has to run in iFrame mode.

I'm getting nowhere! :-( This is beyond what I understand. It seems PayPal were able to get it working when they edited the page code, please see the attached PDF which is a copy of an email they sent to me.

Does this make any more sense? It seems they can get it working in an iFrame which is what they are requesting needs to be done?

Thanks

Lee


  • Posts: 82863
  • Thank you received: 13372
  • MODERATOR
3 years 11 months ago #326724

Hi,

I'm not sure it will work but why not.
Here is a version of the plugin you can install on your website.
It should display the form like that if you have the "iframe" option activated.

File Attachment:

File Name: paypalinte...1-30.zip
File Size: 8 KB

Last edit: 3 years 11 months ago by nicolas.

