eWAY Payment Gateway WP eCommerce authcodes, WooCommerce order numbers, XSS

eWAY Payment Gateway v3.4.0 has just been released. It fixes a bug with WP eCommerce authcodes, accepts WooCommerce invoice numbers, and tightens up XSS prevention. It also stops credit card fields from autocompleting.

I’ve discovered that current versions of WP eCommerce can lose the bank authorisation code (authcode) on a transaction sometimes. If the website uses a persistent object cache like memcached, it’s possible for the authcode to be lost when the transaction status changes to Closed, or any other change that updates the transaction. The good news is that literally within minutes of me reporting this to the WP eCommerce team, it was fixed. On a Sunday! Kudos, Justin Sainton.

Because I can’t rely on everyone to update WP eCommerce, I’ve changed how eWAY Payment Gateway saves the authcode so that it works around the problem. It so happens that it’s a minor performance improvement too, so it’ll be staying this way.

The customer reference in WooCommerce now accepts whatever filtered order number is available, instead of just the order ID. By default, it’s still the order ID, but if you install a plugin that generates sequential invoice numbers or prefixes the order ID to generate a pretty order number, eWAY will now get that as the customer reference. You can still override the customer reference with a filter, however.

I’ve disabled autocomplete in the credit card fields. Many web browsers will helpfully remember past field values for you, but this is a bad idea with credit card numbers and other card data. To improve card security, these fields are now marked to disable autocomplete. NB: Google Chrome has a feature that allows you to remember credit card fields anyway, with some security, if you choose to enable it.
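One way to check that card fields on a checkout page really are marked this way is to parse the rendered form and report any card input whose effective autocomplete setting is not off. This is an added example, not code from the plugin; the sample markup, the field names and the name hints used to spot card fields are assumptions made for illustration.

```python
from html.parser import HTMLParser

# Constructed sample markup; the field names are assumptions for illustration,
# not the plugin's actual field names.
SAMPLE_FORM = """
<form method="post" action="/checkout">
  <input type="text" name="card_name" autocomplete="off">
  <input type="text" name="card_number" autocomplete="off">
  <input type="text" name="card_cvn">
  <input type="text" name="billing_city">
</form>
<form method="post" autocomplete="off">
  <input type="text" name="card_number">
  <input type="text" name="card_expiry" autocomplete="on">
</form>
"""

# Substrings that mark an input as card data (assumed naming convention).
CARD_HINTS = ("card", "cvn", "cvv", "cvc", "expiry")

class CardFieldAudit(HTMLParser):
    """Collect card-related inputs whose effective autocomplete is not 'off'."""

    def __init__(self):
        super().__init__()
        self.form_default = None   # autocomplete value of the enclosing <form>
        self.findings = []         # (field name, effective autocomplete value)

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "").strip().lower() for k, v in attrs}
        if tag == "form":
            self.form_default = attrs.get("autocomplete")
        elif tag == "input":
            name = attrs.get("name", "")
            if attrs.get("type") == "hidden" or not any(h in name for h in CARD_HINTS):
                return
            # An input without its own attribute inherits the form's setting.
            effective = attrs.get("autocomplete") or self.form_default or "on"
            if effective != "off":
                self.findings.append((name, effective))

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_default = None

def audit_card_fields(html):
    """Return (name, effective value) for each card field that can autocomplete."""
    parser = CardFieldAudit()
    parser.feed(html)
    parser.close()
    return parser.findings
```

On the constructed sample, `audit_card_fields(SAMPLE_FORM)` reports `card_cvn` (no attribute and no form-level default) and `card_expiry` (explicitly re-enabled inside a form that disables autocomplete).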

While I was neck-deep in the code, I gave it a bit of a freshen up to make it easier to maintain. I also audited the codebase for potential problems with XSS (cross-site scripting) attacks, and cleaned up a couple of things. I haven’t seen any attacks against this plugin, and I don’t want to in the future either!

You can update to version 3.4.0 from your WordPress plugin admin page. Here’s the full changelog for eWAY Payment Gateway.