We have successfully implemented Encrypted Website Payments (EWP) for PayPal in our Python + Pyramid application, with the exception of one small detail: input sanitization. Namely, we would like to help the user by pre-filling as much data as possible for PayPal from our user database. Now it occurred to me that an attacker could change his name to "Mr Hacker\nprice=0.00" or the like, and thus completely negate the security offered by EWP. I tried URL-encoding the values, but PayPal does not seem to decode the percent escapes in the input.
Our code is based on the django-paypal library; the library completely ignores this problem and happily emits bare name=value pairs without any checks:

    plaintext = 'cert_id=%s\n' % CERT_ID
    for name, field in self.fields.iteritems():
        value = None
        if name in self.initial:
            value = self.initial[name]
        elif field.initial is not None:
            value = field.initial
        if value is not None:
            # the value goes in verbatim, line breaks included
            plaintext += u'%s=%s\n' % (name, value)
So, how should input be formatted for dynamically encrypted buttons? Or is there a better way to achieve similar functionality with Website Payments Standard that avoids this problem, but securely?
Update
What we create is a string with contents like

    item_number=BASIC
    p3=1
    cmd=_xclick-subscriptions
    business=business@business.com
    src=1
    item_name=Percent%20encoding%20and%20UTF-8:%20%C3%B6
    charset=UTF-8
    t3=M
    a3=10.0
    sra=1
    cert_id=ABCDEFGHIJKLM
    currency_code=EUR
and encrypt it for EWP; the user submits the form to https://www.sandbox.paypal.com/cgi-bin/webscr . When the user clicks the button, the PayPal "Login to complete the checkout" page displays the item name as "Percent%20encoding%20and%20UTF-8:%20%C3%B6". Thus, for EWP input, it seems that percent encoding is not decoded.
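As an added illustration (not code from the question or from django-paypal), here is a guarded version of the plaintext builder that either rejects or neutralises a value containing CR/LF/NUL before the payload is signed, next to a small model of how the receiver reads the lines back so the effect of the injected line is visible. Names such as `build_ewp_plaintext`, `HOSTILE_FIELDS` and the `CERT-ID-PLACEHOLDER` value are assumptions of this example; it uses PayPal's `amount` variable where the question writes "price".

```python
import re

NAME_RE = re.compile(r"^[A-Za-z0-9_]+$")   # PayPal variable names are plain identifiers
LINE_BREAK_RE = re.compile(r"[\r\n\x00]")  # anything that could start a second line

class UnsafeEwpValue(ValueError):
    """A user-supplied value could be read by PayPal as an extra name=value line."""

def build_ewp_plaintext(cert_id, fields, strict=True):
    """Build the newline-separated plaintext that is signed and encrypted for EWP."""
    # strict=True: refuse any value containing a line break.
    # strict=False: replace CR/LF/NUL with spaces and collapse whitespace instead.
    lines = ["cert_id=%s" % cert_id]
    for name, value in fields.items():
        if value is None:          # skipped, mirroring django-paypal
            continue
        if not NAME_RE.match(name):
            raise UnsafeEwpValue("illegal variable name %r" % name)
        text = str(value)
        if LINE_BREAK_RE.search(text):
            if strict:
                raise UnsafeEwpValue("line break in value of %r" % name)
            text = " ".join(LINE_BREAK_RE.sub(" ", text).split())
        lines.append("%s=%s" % (name, text))
    return "\n".join(lines) + "\n"

def parse_ewp_plaintext(plaintext):
    """Model of the receiving side: one name=value per line, later lines win."""
    result = {}
    for line in filter(None, plaintext.splitlines()):
        name, _, value = line.partition("=")
        result[name] = value
    return result

# Constructed demo input: a display name crafted to smuggle a second "amount" line.
HOSTILE_FIELDS = {"cmd": "_xclick", "business": "business@business.com",
                  "item_name": "Widget", "amount": "10.00",
                  "first_name": "Mr Hacker\namount=0.00"}

def unguarded_result():
    """What plain string concatenation, as in the snippet above, hands over."""
    return parse_ewp_plaintext("".join("%s=%s\n" % kv for kv in HOSTILE_FIELDS.items()))

def strict_rejects(fields):
    """True when the strict builder refuses the fields; False if it accepts them."""
    try:
        build_ewp_plaintext("CERT-ID-PLACEHOLDER", fields, strict=True)
    except UnsafeEwpValue:
        return True
    return False
```

With the unguarded concatenation the smuggled line overwrites `amount`; with the strict builder the record is refused, and with the lenient one the whole string stays inside `first_name` as a single line.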