
JavaScript in all hosted payment form transaction requests will be disabled

Message from Authorize:

------------------------------------------------

On February 4, 2015, we are updating our systems to increase the security of the Authorize.Net hosted payment form. As part of this change, support for JavaScript in all hosted payment form transaction requests will be disabled.

Upon review, your account appears to be using JavaScript in one or more fields of your transaction requests. To prevent disruption to your transaction processing, you or your Web developer should immediately update your website or payment solution's integration.

If your code uses JavaScript in any of the hosted payment form fields, any request submitted after February 4th will receive an error, specifically, Response Reason Code 195, "One or more of the HTML type configuration fields do not appear to be safe."

The list of possible fields to check for JavaScript is as follows:

x_header_html_payment_form
x_header2_html_payment_form
x_footer_html_payment_form
x_footer2_html_payment_form
x_header_html_receipt
x_header2_html_receipt
x_footer_html_receipt
x_footer2_html_receipt

Again, please be sure to review your code and make any necessary changes prior to February 4th in order to avoid disruptions to your transaction processing.

 

Background:

------------------------------------------------

 

This site was inherited, but only has really just been maintained for years, we finally have them ready to start on their new site, but then we received that message the other day.

 

The email seems kind of vague and doesn't really specify what is changing or really needs changed.

 

Any help would be wonderful thank you!

 

<FORM action="https://secure.authorize.net/gateway/transact.dll" method="POST" name="myform">
					<?

					// xxxxxxx.php contains the loginid and x_tran_key.
					// You may use a more secure alternate method to store these (like a DB / registry).
					include ($_PATHS["auth"] . "simdata.php");
					include ($_PATHS["auth"] . "simlib.php");

					$x_description = $sessionState['state'] . ' E&amp;O Insurance Payment';
					$amount = $q -> policy_total;

					// Trim $ sign if it exists
					if (substr($amount, 0, 1) == "$") {
						$amount = substr($amount, 1);
					}
					//echo "amount = $amount";
					// I would validate the Order here before generating a fingerprint

					// Seed random number for security and better randomness.

					srand(time());
					$sequence = rand(1, 1000);
					// Insert the form elements required for SIM by calling InsertFP
					$ret = InsertFP($loginid, $x_tran_key, $amount, $sequence);

					// Insert rest of the form elements similar to the legacy weblink integration
					echo("<input type=\"hidden\" name=\"x_description\" value=\"" . $x_description . "\">\n");
					echo("<input type=\"hidden\" name=\"x_login\" value=\"" . $loginid . "\">\n");
					echo("<input type=\"hidden\" name=\"x_amount\" value=\"" . $amount . "\">\n");

					// HTTPS_PATH

					$header_html_start = '
<link href="https://xxxxxx.xxxxxxxx.com/my.css" rel="stylesheet" type="text/css">
<table width="100%" height="85" border="0" bgcolor="#4169E1">
<tr>
<td width="161" height="93" valign="bottom"><strong><font color="#FFFFFF" size="+7" face="Arial, Helvetica, sans-serif">RISC</font></strong></td>
<td width="629" valign="bottom"><font color="#FFFFFF" size="+2" face="Arial, Helvetica, sans-serif"><strong>xxxxxx Services Company, LLC</strong></font></td>

</tr>
</table>
<table align="left" >
<tr>
<td class="copy"><strong>Enrollment Status: </strong></td>
<td class="progress_bar">1</td>
<td class="progress_bar">2</td>
<td class="progress_bar">3</td>
<td class="progress_bar">4</td>
<td class="progress_bar">5</td>
<td class="progress_bar">6</td>';

					$header_html_payment_add = '
<td class="progress_bar_on">7</td>';

					$header_html_receipt_add = '
<td class="progress_bar_on">7</td>';

					$header_html_end = '
<td class="progress_bar">8</td>
</tr>
</table>
';

					$header_html_payment_help = '<br><br><span class="big_text_red"><strong>Please provide your Customer Billing Information <u>EXACTLY</u> as it appears on your credit card statement.</strong><br /><br />If your Customer Billing Information does not match the information on file with your credit card issuer, your transaction will result in an Address Verification AVS mismatch, and your payment will be declined.
</strong></span>';
					//HTTPS_PATH

					$header_html_receipt_help = '<br><br><span>Thank you! Your enrollment for E&O insurance has been accepted and your payment has been processed..
<br /><br />
Please download and print your certificate of coverage and keep it in a safe place. You must have a PDF reader (such as <a href="http://www.adobe.com/products/acrobat/readstep2.html" target="_blank">Adobe Acrobat Reader</a> or <a href="http://www.foxitsoftware.com/pdf/rd_intro.php" target="_blank">Foxit PDF Reader</a>) in order to download your certificate. You will NOT receive a copy of this document by US mail.
<br /><br />
A receipt of payment has been sent to the email address you provided. If you have difficulty downloading this document or feel that an error has been made on your enrollment, please contact RISC at <a href="mailto:policyadministrator@xxxxxxx.com">policyadministrator@xxxxxxxxxx.com</a> or (800) 637-7319.
<br /><br /></span>';

					$header_html_payment = $header_html_start . $header_html_payment_add . $header_html_end . $header_html_payment_help;

					$header_html_receipt = $header_html_receipt_redirect . $header_html_start . $header_html_receipt_add . $header_html_end . $header_html_receipt_help;

					$footer_html_warning = '
<br /><br />
<span class="big_text_red">DO NOT enter a company name in the Company Field unless you are using a company credit card. For payment to go through, the address entered in the billing information MUST MATCH the credit card billing address where the credit card statement is sent. If your submission results in an Address Verification System AVS mismatch, your payment will be declined and you must START OVER and begin a new enrollment.
<br /></span>';

					// no longer used for footer_html_warning: Please do not click the Submit Transaction button more than once, as doing so may result in a duplicate transaction. You may re-submit your payment only if you have been directed by our website to return to this page to modify your information.

					$footer_html = '
<br>
<br><br>
<table width="800" border="0" class="copy">
<tr>
<td width="620" align="center">If you are experiencing difficulties with the quote form,<br> please visit the <a href="http://www.xxxxxx.com/FAQ.htm" target="_blank">FAQ page</a> or <a href="mailto:policyadministrator@xxxxxx.com">email our help desk</a> for assistance.
</td>
</tr>
</table>';

					$footer_html_payment_form = $footer_html_warning . $footer_html;
					// should add quote id for invoice number?
					?>
					<INPUT type="hidden" name="x_invoice_num" value="<?=$quote_id;?>" />
					<INPUT type="hidden" name="x_cust_id" value="<?=$quote_id;?>" />
					<INPUT type="hidden" name="x_email" value="<?=$q -> email;?>" />
					<INPUT type="hidden" name="x_header_html_payment_form" value='<?=$header_html_payment;?>' />
					<INPUT type="hidden" name="x_footer_html_payment_form" value='<?=$footer_html_payment_form;?>' />
					<INPUT type="hidden" name="x_show_form" value="PAYMENT_FORM" />
					<INPUT type="hidden" name="x_header_html_receipt" value='<?=$header_html_receipt;?>' />
					<INPUT type="hidden" name="x_footer_html_receipt" value='<?=$footer_html;?>' />
					<INPUT type="hidden" name="x_receipt_link_method" value="POST" />
					<INPUT type="hidden" name="x_receipt_link_text" value="Click here to download your certificate of coverage." />
					<INPUT type="hidden" name="x_receipt_link_url" value="<?=HTTPS_PATH . 'certificate.php?id=' . $quote_id;?>"  />
					<INPUT type="hidden" name="x_effective_date_id" value="<?=$effective_date_id;?>" />
					<!--
					<INPUT type="hidden" name="x_relay_response" value="True" />
					<INPUT type="hidden" name="x_relay_url" value="http://staging.xxxxx.ribbitt.com/apply_complete.php?id=" />-->
					<?
// allows test mode to exist on proof while live exists on production
//echo "WEBSITE_STATE:".WEBSITE_STATE;
if (WEBSITE_STATE != 'production') {
					?>
					<INPUT type="hidden" name="x_test_request" value="TRUE">
					<? }?>

					<INPUT type="submit" class="Nextbtn" value="Continue and submit credit card information">
				</FORM>
				<script language="javascript">
					//Be sure to uncomment this on live server.
					//document.myform.submit();
				</script><?
				}

				//craig remove comment to go directly to receipt.
				//echo $header_html_payment.$header_html_receipt.$footer_html_payment_form;
				?></td>
			</tr>
		</table>

 

charger71
Member

Did see any referring a .js file or javascript code.

Didn't get the email because we don't use SIM, but it might be a generic email.

But you also need to check it in the merchant account website. The settings for those fields are in there too.

RaynorC1emen7
Expert

The only use of javascript on that site is for some form validation for name address and phone numbers.

 

Do you know where those settings are at?

 

Thanks!

It is under account settings, couldn't tell you where exactly because having issue connecting to sandbox.authorize.net

Account Settings

Payment Forms

Then is in the header/footer sections.

Great, just checked that; there's nothing in those fields.

The only use of javascript on that site is for some form validation for name address and phone numbers.

Where on the authorize.net site or your site?

 

If it's done on your site then you should be OK, as it might just be a generic email.

Yeah it's just on our site, everything gets passed to: https://secure.authorize.net/gateway/transact.dll to complete the transaction. I just didn't know if there was a problem with the way it's being passed to that page, which is the ultimate question.

The email said if you are calling or running javascript on these fields

x_header_html_payment_form
x_header2_html_payment_form
x_footer_html_payment_form
x_footer2_html_payment_form
x_header_html_receipt
x_header2_html_receipt
x_footer_html_receipt
x_footer2_html_receipt

 

which doesn't look like you were.

RaynorC1emen7 - Thank you for your help!
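
An added example, not part of the original thread and not Authorize.Net's code: a PHP pre-flight check that parses the eight fields named in the email and reports JavaScript constructs before the form is posted. The function names and the three heuristics (script elements, on* attributes, javascript: URLs) are assumptions; the thread does not say what the gateway's own filter behind Response Reason Code 195 matches.

```php
<?php
// Added example: heuristic audit, not Authorize.Net's own filter.
const HOSTED_FORM_HTML_FIELDS = [ // the eight fields listed in the email
    'x_header_html_payment_form', 'x_header2_html_payment_form',
    'x_footer_html_payment_form', 'x_footer2_html_payment_form',
    'x_header_html_receipt', 'x_header2_html_receipt',
    'x_footer_html_receipt', 'x_footer2_html_receipt',
];
// Hypothetical helper: JavaScript constructs found in one HTML fragment.
function findJavaScript(string $html): array
{
    if (trim($html) === '') {
        return [];
    }
    $doc = new DOMDocument();
    $previous = libxml_use_internal_errors(true); // fragments are not full documents
    $doc->loadHTML('<?xml encoding="UTF-8"><div>' . $html . '</div>');
    libxml_clear_errors();
    libxml_use_internal_errors($previous);
    $findings = [];
    foreach ($doc->getElementsByTagName('*') as $el) {
        $tag = strtolower($el->nodeName);
        if ($tag === 'script') {
            $findings[] = '<script> element';
        }
        foreach ($el->attributes as $attr) {
            $name = strtolower($attr->name);
            // Strip whitespace and control characters before testing the scheme.
            $value = preg_replace('/[\x00-\x20]+/', '', strtolower($attr->value));
            if (strncmp($name, 'on', 2) === 0) {
                $findings[] = "event handler attribute $name on <$tag>";
            } elseif (strncmp($value, 'javascript:', 11) === 0) {
                $findings[] = "javascript: URL in $name on <$tag>";
            }
        }
    }
    return $findings;
}
// Hypothetical helper: audit the outgoing request; returns field => findings.
function auditHostedFormFields(array $fields): array
{
    $report = [];
    foreach (HOSTED_FORM_HTML_FIELDS as $name) {
        $found = findJavaScript((string) ($fields[$name] ?? ''));
        if ($found) { $report[$name] = $found; }
    }
    return $report;
}
// Constructed sample values: one clean fragment, one with an inline handler.
print_r(auditHostedFormFields([
    'x_header_html_payment_form' => '<td class="progress_bar_on">7</td>',
    'x_footer_html_receipt' => '<a href="#" onclick="window.print()">Print</a>',
]));
```

An empty report means none of these heuristics matched; the same values should also be checked in the merchant interface's payment form header/footer settings, as the replies note.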