SIM x_header_html_xx broken with IE8 XSS filter

A similar issue has been posted on this forum but was never addressed properly by Authorize.Net. I called support and the answer was a very disappointing "IE 8 is not yet supported". I then asked about the list of officially supported browsers and support could not give such a list. With all the new Windows 7 machines coming packed with IE 8 already, more and more people will be using IE 8. I don't think it's a responsible answer from Authorize.Net; at the least it's a slow response to its customers, especially considering how simple the solution is.

Anyway, here is the problem description, followed by the solution that Authorize.Net needs to implement (Google did this).

[The Problem]

Due to the 255 char limit when trying to set header / footer on the merchant settings page, many times the only option is, and this is recommended by Authorize.Net, to use the form post API with the following parameters:
  x_header_html_payment_form
  x_footer_html_payment_form
  x_header_html_receipt
  x_footer_html_receipt
It works for all major browsers, except IE 8. IE 8 added a new XSS (Cross-Site Scripting) filter which is turned on by default. This filter is triggered for SIM because:
- The payment form page and the post target URL are from different domains
- Posted data appears unchanged in the returned response page (the HTML data we set is echoed back by Authorize.Net untouched)

So what you see is that the HTML content you posted using the above parameters is commented out by IE 8, and even worse, IE 8 displays a message saying "Internet Explorer has modified this page to help prevent cross-site scripting." This makes your site seem to contain malicious code.

[The Fix]

The fix is actually fairly simple, but it needs to be applied by Authorize.Net:
On the payment page, set this HTTP header (published by Microsoft):
  X-XSS-Protection: 0
This will disable the filter for the payment page.
[Workaround]
I don't think there is any workaround. The best you can do before Authorize.Net fixes this is to shrink your HTML to fit the 255-char limit. Meanwhile, try your best to push Authorize.Net to fix it.

BTW, one answer I received from Authorize.Net support was: "This is a Microsoft issue, please contact them to get it fixed." Well, if Authorize.Net doesn't plan to support IE 8, sure.

snowbug
Member
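The two trigger conditions the post lists (cross-origin POST, merchant HTML echoed back verbatim) and the header it asks for, modelled as an added example that is not code from this thread or from Authorize.Net. The URLs, field values and response HTML are constructed sample data, and the reflection check is a simplified stand-in for the filter's real heuristics.

```python
from urllib.parse import urlsplit

# Constructed sample: a merchant form posting header/footer HTML to a payment
# endpoint on another origin, which echoes that HTML back unchanged.
POSTED_FIELDS = {
    "x_login": "MERCHANT_ID_PLACEHOLDER",
    "x_header_html_payment_form": "<div class='brand'><h1>Example Shop</h1></div>",
    "x_footer_html_payment_form": "<p>Questions? Call us.</p>",
    "x_amount": "19.99",
}
RESPONSE_HTML = (
    "<html><body><div class='brand'><h1>Example Shop</h1></div>"
    "<form>...payment fields...</form>"
    "<p>Questions? Call us.</p></body></html>"
)


def origin(url):
    """Scheme, host and port: the browser's notion of 'same site'."""
    parts = urlsplit(url)
    return (parts.scheme, parts.hostname, parts.port)


def reflected_markup(posted, response_html, min_len=8):
    """Posted fields that contain markup and reappear verbatim in the response."""
    return sorted(
        name for name, value in posted.items()
        if "<" in value and len(value) >= min_len and value in response_html
    )


def filter_conditions(form_url, post_url, posted, response_html):
    """Evaluate the two conditions from the post; both must hold to trigger."""
    cross_origin = origin(form_url) != origin(post_url)
    echoed = reflected_markup(posted, response_html)
    return {
        "cross_origin": cross_origin,
        "reflected_fields": echoed,
        "likely_triggered": cross_origin and bool(echoed),
    }


def payment_page_headers(disable_filter):
    """Headers the page that echoes merchant HTML would send back."""
    headers = {"Content-Type": "text/html; charset=utf-8"}
    if disable_filter:
        headers["X-XSS-Protection"] = "0"  # the Microsoft-published opt-out
    return headers
```

Running `filter_conditions` with the form on one origin and the gateway on another reports both header and footer fields as reflected, which is exactly the situation that makes IE 8 neuter the page.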

It wasn't fixed as of a couple of months ago. jemerick's workaround above is the best solution in my opinion, but may not work for everybody.

The fix snowbug proposed is long overdue and is the correct way for this to be fixed. If it isn't fixed, the SIM guide PDF at least should be updated to make the limitations clear to developers before they start coding.

jruser
Contributor