I occassionally receive:
Error Processing Payment We're sorry, we can't complete your payment at this time. Please try again later.
This error occurs when being sent to PayPal, so no user interaction with PayPal has yet occurred.
This error has only started happening in the last few months.
Payers name is Bill O'Reilly .
The form attributes use the php esc_attr() to do the appropriate substitutions and the resultant HTML example is included below.
<input type="hidden" name="charset" value="utf-8">
<input type="hidden" name="cmd" value="_hosted-payment">
.
.
<input type="hidden" id="last_name" name="billing_last_name" value="O'Reilly">
If the data is altered to remove the apostrophe, the following resulting HTML works correctly:
<input type="hidden" id="last_name" name="billing_last_name" value="OReilly">
Has anything changed recently on how we should escape these characters when submitting a form to PayPal.
Further Information / Research
The only instances where this has been identified as occurring is where the target PayPal account is a PayPal-PRO account. (PayPal Standard works fine).
The endpoint for PayPal-PRO is: https://securepayments.paypal.com/webapps/HostedSoleSolutionApp/webflow/sparta/hostedSoleSolutionProcess
I have also tried using
htmlspecialchars($member->lastname, ENT_COMPAT, 'UTF-8')
instead of
esc_attr($member->lastname)
Which gives a resulting HTML of:
<input type="hidden" id="last_name" name="billing_last_name" value="O'Reilly">
But that results in exactly the same error.
Many thanks.
I have now heard back from PayPal and yes there has been a recent change to the security filter that they use - only on the PayPal Pro hosted solution, but I suspect it would be wise to implement for PayPal Std also.
The reason for the new filter was to remove any characters deemed a possible risk for XSS and this does include the apostrophe and the minus sign (dash) - both frequently used in names e.g. O'Reilly or a double barrelled Harrington-Smith for example.
The answer is to have a PayPal filter that will both remove prohibited characters and substitute those you wish to keep e.g.
An example filter would be:
$fieldvalue = preg_replace('/["=;<>\n]/u', '', $fieldvalue);
$fieldvalue = str_replace("'", "’", $fieldvalue); //U+2019 Right single quotation mark. Allowed instead of apostrophe
$fieldvalue = str_replace('-', "‐", $fieldvalue); //U+2010 Hyphen
This additionally removes all other prohibited characters.
See PayPal references: