exception raised on some payflow input
Reported by random.numbers (at gmail) | June 28th, 2008 @ 04:14 PM
I was doing some form fuzzing testing and discovered that if I try to set up a recurring payflow profile (using payflow_nv), and have set all the fields of the card and address to
<HTML><BODY>\n<?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time">\n<?import namespace="t" implementation="#default#time2">\n<t:set attributeName="innerHTML" to="XSS<SCRIPT DEFER>alert('XSS')</SCRIPT>"> </BODY></HTML>
Then paypal payflow returns the string
"RESULT=0&RPREF=R7850DCC4C9D&PROFILEID=RT0000000402&RESPMSG=Approved&<XMLPayResponse><ResponseData><Vendor></Vendor><Partner></Partner><TransactionResults><TransactionResult><Result>29</Result><AVSResult><StreetMatch>Service Not Requested</StreetMatch><ZipMatch>Service Not Requested</ZipMatch></AVSResult><CVResult>Service Not Requested</CVResult><Message>Invalid XML stream: \nInvalid XML document: prodInfo\nError detected at location: (line 1, position 1): \"Invalid document structure\"\nCorrect the document and resubmit.</Message><PNRef></PNRef><OrigResult>0</OrigResult></TransactionResult></TransactionResults></ResponseData></XMLPayResponse>"
which in the "parse" method of payflow_nv_common.rb raises an exception for "nil.underscore" since the regexp doesn't match that last line.
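The failure described above comes from a name-value parser that assumes every `&`-separated chunk is a `KEY=value` pair. The following is an added example, not ActiveMerchant's own code: it splits off an embedded `<XMLPayResponse>` document before parsing the pairs, keeps any chunk without `=` instead of handing `nil` to `underscore`, and reads the inner XMLPay result so that an NV `RESULT=0` is not mistaken for success when the embedded document reports a rejection. The sample response is constructed from the one quoted in the ticket; the method names and the use of REXML are assumptions of this example.

```ruby
require 'rexml/document'

# Constructed sample modelled on the response quoted in the ticket (assumed shape).
SAMPLE_RESPONSE =
  "RESULT=0&RPREF=R7850DCC4C9D&PROFILEID=RT0000000402&RESPMSG=Approved&" \
  "<XMLPayResponse><ResponseData><TransactionResults><TransactionResult>" \
  "<Result>29</Result><Message>Invalid XML stream</Message><PNRef></PNRef>" \
  "</TransactionResult></TransactionResults></ResponseData></XMLPayResponse>"

# Convert an NV key such as RESPMSG to the snake_case symbol a gateway would use.
def nv_key(raw)
  raw.strip.downcase.to_sym
end

# Split the body into the name-value part and an optional trailing XMLPay
# document, then parse the NV pairs. Chunks without '=' are kept under :unparsed
# rather than being matched by a regexp whose nil result would blow up later.
def parse_nv(body)
  nv_part, xml_part = body.split(/(?=<XMLPayResponse>)/, 2)
  result = { unparsed: [] }
  nv_part.to_s.split('&').each do |chunk|
    next if chunk.empty?
    key, sep, value = chunk.partition('=')
    if sep.empty?
      result[:unparsed] << chunk
    else
      result[nv_key(key)] = value
    end
  end
  result[:xml] = xml_part # nil when PayPal sent a plain NV response
  result
end

# Pull the transaction result and message out of the embedded XMLPay document
# using REXML from the standard library. Returns nil when there is no XML.
def xmlpay_result(xml)
  return nil if xml.nil?
  doc = REXML::Document.new(xml)
  node = REXML::XPath.first(doc, '//TransactionResult')
  return nil unless node
  {
    result: node.elements['Result']&.text.to_i,
    message: node.elements['Message']&.text.to_s
  }
end

# Decide the outcome the way a gateway should: the NV RESULT says approved, but
# an embedded XMLPay Result other than 0 means the request was actually rejected.
def response_ok?(parsed)
  nv_ok = parsed[:result] == '0'
  inner = xmlpay_result(parsed[:xml])
  nv_ok && (inner.nil? || inner[:result] == 0)
end

if __FILE__ == $0
  parsed = parse_nv(SAMPLE_RESPONSE)
  puts "NV says #{parsed[:respmsg]}, XMLPay says #{xmlpay_result(parsed[:xml]).inspect}"
  puts "approved? #{response_ok?(parsed)}"
end
```

The split on a zero-width lookahead keeps the `<XMLPayResponse>` tag with the XML part, so a response with no embedded document falls through unchanged; the point of `response_ok?` is that the outer `RESULT=0&RESPMSG=Approved` alone is not a trustworthy success signal when an inner result is present.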
Comments and changes to this ticket
Cody Fauser June 29th, 2008 @ 10:10 AM
- → Tag changed from to payflownv
The PayflowNvGateway is not recommended for use yet. It was originally meant to replace the PayflowGateway, which uses the XMLPay API.
The NV pair API seems like a great idea until you find out that PayPal returns XML embedded in the name-value response, but only sometimes. The current PayflowNVGateway does not yet handle parsing the XML out of the name-value response yet, and there is a failing test case in ActiveMerchant to prove it.
The PayflowGateway is exactly the same as the PayflowNvGateway, but uses XMLPay and has been used in production for a long time now. PayPal is no longer abandoning the XMLPay API, so I would recommend going that route, since it currently works.