Checkmarx fixes. Also recommitted correct version of hybris/bin/b2b/isvb2bpaymentaddon/acceleratoraddon/web/webroot/WEB-INF/views/responsive/pages/checkout/multi/checkoutSummaryPage.jsp

Author: rharot-visa

hybris/bin/b2b/isvb2bpaymentaddon/acceleratoraddon/web/webroot/WEB-INF/views/responsive/pages/checkout/multi/checkoutSummaryPage.jsp

@@ -1,167 +1,94 @@
 <%@ page trimDirectiveWhitespaces="true"%>
-<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
 <%@ taglib prefix="template" tagdir="/WEB-INF/tags/responsive/template"%>
 <%@ taglib prefix="cms" uri="http://hybris.com/tld/cmstags"%>
 <%@ taglib prefix="multi-checkout" tagdir="/WEB-INF/tags/responsive/checkout/multi"%>
+<%@ taglib prefix="b2b-multi-checkout" tagdir="/WEB-INF/tags/addons/b2bacceleratoraddon/responsive/checkout/multi" %>
 <%@ taglib prefix="spring" uri="http://www.springframework.org/tags"%>
 <%@ taglib prefix="form" uri="http://www.springframework.org/tags/form" %>
+<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
 
 <spring:url value="/checkout/multi/summary/placeOrder" var="placeOrderUrl"/>
 <spring:url value="/checkout/multi/termsAndConditions" var="getTermsAndConditionsUrl"/>
-
 <%@ taglib prefix="ycommerce" uri="http://hybris.com/tld/ycommercetags" %>
-<%@ taglib prefix="isv" uri="/WEB-INF/tld/addons/isvpaymentaddon/isv.tld"%>
 
 <%@ taglib prefix="fraud" tagdir="/WEB-INF/tags/addons/isvpaymentaddon/responsive/fraud" %>
-<%@ taglib prefix="visacheckout" tagdir="/WEB-INF/tags/addons/isvpaymentaddon/responsive/payment/visacheckout" %>
-<%@ taglib prefix="klarna" tagdir="/WEB-INF/tags/addons/isvpaymentaddon/responsive/payment/klarna" %>
-<%@ taglib prefix="wechat" tagdir="/WEB-INF/tags/addons/isvpaymentaddon/responsive/payment/wechat" %>
-<%@ taglib prefix="multi-checkout-isv" tagdir="/WEB-INF/tags/addons/isvpaymentaddon/responsive/checkout/multi"%>
-<%@ taglib prefix="shared" tagdir="/WEB-INF/tags/addons/isvpaymentaddon/responsive/shared" %>
-<%@ taglib prefix="isv3ds" tagdir="/WEB-INF/tags/addons/isvpaymentaddon/responsive/payment/3ds" %>
 
 <template:page pageTitle="${pageTitle}" hideHeaderLinks="true">
 
-<c:if test="${visaCheckoutEnabled}">
-    <visacheckout:vcInit
-            apiKey="${visaCheckoutAPIKey}"
-            currency="${cartData.totalPriceWithTax.currencyIso}"
-            total="${cartData.totalPriceWithTax.value}"/>
-</c:if>
-
-<div class="row">
-    <div class="col-sm-6">
-    	<div class="checkout-headline">
-    		<span class="glyphicon glyphicon-lock"></span>
-            <spring:theme code="checkout.multi.secure.checkout" />
-        </div>
-		<multi-checkout:checkoutSteps checkoutSteps="${checkoutSteps}" progressBarId="${progressBarId}">
-			<ycommerce:testId code="checkoutStepFour">
-
-                <jsp:include page="payment/checkoutPaymentModes.jsp"/>
-
-                <c:if test="${klarnaEnabled}">
-                    <klarna:klarnaInit klarnaSDKURL="${klarnaSDKUrl}"/>
-                </c:if>
 
-                <isv:pciStrategyType type="FLEX">
-                    <jsp:include page="payment/flexCardPaymentDetails.jsp"/>
-                </isv:pciStrategyType>
-
-                <isv:pciStrategyType type="HOP">
-                    <c:url var="hopFormAction" value="/checkout/payment/sa/hop"/>
-                    <form:form id="hopRequestForm" name="hopRequestForm" action="${hopFormAction}"/>
-                </isv:pciStrategyType>
-
-                <isv:pciStrategyType type="SOP">
-                    <jsp:include page="payment/checkoutCardPaymentDetails.jsp"/>
-                    <c:url var="sopFormAction" value="/checkout/payment/sa/sop"/>
-                    <div id="sopIframeCbox">
-                        <iframe id="sopRequestIframe" src="${sopFormAction}"></iframe>
-                    </div>
-                </isv:pciStrategyType>
-
-                <jsp:include page="payment/vcCardPaymentDetails.jsp"/>
+    <div class="row">
+        <div class="col-sm-6">
+            <div class="checkout-headline">
+                <span class="glyphicon glyphicon-lock"></span>
+                <spring:theme code="checkout.multi.secure.checkout"></spring:theme>
+            </div>
+
+            <multi-checkout:checkoutSteps checkoutSteps="${checkoutSteps}" progressBarId="${progressBarId}">
+                <ycommerce:testId code="checkoutStepFour">
+
+                    <c:if test="${cartData.paymentType.code == 'CARD'}">
+                        <c:choose>
+                            <c:when test="${paymentPciType == 'HOP'}">
+                                <c:url var="hopFormAction" value="/checkout/payment/sa/hop"/>
+                                <form:form id="hopRequestForm" name="hopRequestForm" action="${hopFormAction}"/>
+                            </c:when>
+                            <c:otherwise>
+                                <jsp:include page="/WEB-INF/views/addons/isvpaymentaddon/responsive/pages/checkout/multi/payment/checkoutCardPaymentDetails.jsp"/>
+                                <c:url var="sopFormAction" value="/checkout/payment/sa/sop"/>
+                                <div id="sopIframeCbox">
+                                    <iframe id="sopRequestIframe" src="${sopFormAction}"></iframe>
+                                </div>
+                            </c:otherwise>
+                        </c:choose>
+                    </c:if>
 
-                <div class="checkout-review hidden-xs">
-                    <div class="checkout-order-summary">
-                        <multi-checkout:orderTotals cartData="${cartData}" showTaxEstimate="${showTaxEstimate}" showTax="${showTax}" subtotalsCssClasses="dark"/>
+                    <div class="checkout-review hidden-xs">
+                        <div class="checkout-order-summary">
+                            <multi-checkout:orderTotals cartData="${cartData}" showTaxEstimate="${showTaxEstimate}" showTax="${showTax}" subtotalsCssClasses="dark"/>
+                        </div>
                     </div>
-                </div>
-
-                <div class="display-none">
-                        <div class="checkout-weChatPaymentDetails m-2">
-                            <div class="row m-2">
-                                <div class="col-xs-12  w-100 border-0">
-                                    <iframe id="weChatPaymentQRIframe" src="" style="height: 304px;"></iframe>
-                                </div>
-                            </div>
-                            <div class="row m-2">
-                                <label class="weChatModalInstructions">
-                                    <spring:theme code="checkout.summary.paymentMethod.weChat.modal.instructions"/>
-                                </label>
-                            </div>
-                            <div class="row m-2">
-                                <button type="submit" class="btn btn-primary btn-block btn-wechat-complete-payment">
-                                    <spring:theme code="checkout.summary.paymentMethod.weChat.modal.submit" />
-                                </button>
-                            </div>
-                            <div class="row mb-2">
-                                <div class="confirm-wechat-payment-spinner" hidden="hidden">
-                                    <img src="${contextPath}/_ui/responsive/common/images/spinner.gif"/>
-                                </div>
-                            </div>
-                            <div class="display-none">
-                                <label id="weChatModalTitle">
-                                    <spring:theme code="checkout.summary.paymentMethod.weChat.modal.title"/>
+                    <div class="place-order-form hidden-xs">
+                        <form:form action="${placeOrderUrl}" id="placeOrderForm1" modelAttribute="placeOrderForm">
+                            <div class="checkbox">
+                                <label> <form:checkbox id="Terms1" path="termsCheck" />
+                                    <spring:theme code="checkout.summary.placeOrder.readTermsAndConditions" arguments="${getTermsAndConditionsUrl}"/>
                                 </label>
                             </div>
-                        </div>
-                </div>
-
-                <div class="place-order-form hidden-xs">
-                    <form:form action="${placeOrderUrl}" id="placeOrderForm1" modelAttribute="placeOrderForm">
-                        <div class="checkbox">
-                            <label> <form:checkbox id="Terms1" path="termsCheck" />
-                                <spring:theme code="checkout.summary.placeOrder.readTermsAndConditions" arguments="${getTermsAndConditionsUrl}" text="Terms and Conditions"/>
-                            </label>
-                        </div>
 
-                        <div class="alert alert-danger tc-unchecked-alert" hidden="hidden">
-                            <spring:theme code="checkout.terms.and.conditions.unchecked.error"/>
-                        </div>
-
-                        <div class="place-order-3ds-notification">
-                            <spring:theme code="checkout.summary.placeOrder.3ds.popup.notification"/>
-                        </div>
-
-                        <div class="placeOrderBtnDiv">
-                            <div class="spinner-wrapper">
-                                <div class="spinner"></div>
-                            </div>
-                            <button id="placeOrder" type="button" class="btn btn-primary cs_btn-place-order btn-block">
-                                <spring:theme code="checkout.summary.placeOrder" text="Place Order"/>
+                            <button id="placeOrder" type="submit" class="btn btn-primary btn-block btn-place-order btn-block btn-lg checkoutSummaryButton" disabled="disabled">
+                                <spring:theme code="checkout.summary.placeOrder"/>
                             </button>
-                        </div>
-
-                        <div class="applePayBtnDiv" hidden="hidden">
-                            <a class="applePayBtn" role="link"></a>
-                        </div>
 
-                        <div class="googlePayBtnDiv" hidden="hidden"></div>
-                    </form:form>
+                            <c:if test="${cartData.quoteData eq null}">
+                                <button id="scheduleReplenishment" type="button" class="btn btn-default btn-block scheduleReplenishmentButton checkoutSummaryButton" disabled="disabled">
+                                    <spring:theme code="checkout.summary.scheduleReplenishment"/>
+                                </button>
 
-                    <c:if test="${visaCheckoutEnabled}">
-                        <visacheckout:vcButton imageUrl="${visaCheckoutImageUrl}" locale="${locale}"/>
-                    </c:if>
-                </div>
+                                <b2b-multi-checkout:replenishmentScheduleForm/>
+                            </c:if>
+                        </form:form>
+                    </div>
 
-            </ycommerce:testId>
-		</multi-checkout:checkoutSteps>
-    </div>
+                    <script type="application/javascript">
+                        var isvB2BPaymentMethod = '${cartData.paymentType.code}';
+                    </script>
 
-    <div class="col-sm-6">
-		<multi-checkout-isv:checkoutOrderSummary cartData="${cartData}" showDeliveryAddress="true" showPaymentInfo="true" showTaxEstimate="true" showTax="true" />
-	</div>
+                </ycommerce:testId>
+            </multi-checkout:checkoutSteps>
+        </div>
 
-    <c:if test="${visaCheckoutEnabled}">
-        <visacheckout:vcLoadSDK sdkUrl="${visaCheckoutSDKUrl}"/>
-    </c:if>
+        <div class="col-sm-6">
+            <b2b-multi-checkout:checkoutOrderSummary cartData="${cartData}" showDeliveryAddress="true" showPaymentInfo="true" showTaxEstimate="true" showTax="true" />
+        </div>
 
-    <div class="col-sm-12 col-lg-12">
-        <br class="hidden-lg">
-        <cms:pageSlot position="SideContent" var="feature" element="div" class="checkout-help">
-            <cms:component component="${feature}"/>
-        </cms:pageSlot>
+        <div class="col-sm-12 col-lg-12">
+            <br class="hidden-lg">
+            <cms:pageSlot position="SideContent" var="feature" element="div" class="checkout-help">
+                <cms:component component="${feature}"/>
+            </cms:pageSlot>
+        </div>
     </div>
-</div>
 
-<fraud:deviceFingerPrint deviceFingerPrint="${deviceFingerPrint}"/>
+    <fraud:deviceFingerPrint deviceFingerPrint="${deviceFingerPrint}"/>
 
 </template:page>
-
-<%--Tags below will render with 'ACC.config' JS namespace available--%>
-
-<shared:jsInit/>
-
-<isv3ds:cardinalCommerce/>

hybris/bin/b2b/isvpaymentaddon/acceleratoraddon/web/webroot/WEB-INF/views/responsive/pages/checkout/multi/checkoutSummaryPage.jsp

@@ -57,7 +57,7 @@
                     <jsp:include page="payment/checkoutCardPaymentDetails.jsp"/>
                     <c:url var="sopFormAction" value="/checkout/payment/sa/sop"/>
                     <div id="sopIframeCbox">
-                        <iframe id="sopRequestIframe" src="${sopFormAction}" sandbox ></iframe>
+                        <iframe id="sopRequestIframe" src="${sopFormAction}"></iframe>
                     </div>
                 </isv:pciStrategyType>
 
@@ -73,7 +73,7 @@
                         <div class="checkout-weChatPaymentDetails m-2">
                             <div class="row m-2">
                                 <div class="col-xs-12  w-100 border-0">
-                                    <iframe id="weChatPaymentQRIframe" src="" style="height: 304px;" sandbox ></iframe>
+                                    <iframe id="weChatPaymentQRIframe" src="" style="height: 304px;"></iframe>
                                 </div>
                             </div>
                             <div class="row m-2">

hybris/bin/b2c/isvb2cpaymentaddon/acceleratoraddon/web/src/isv/sap/payment/addon/b2c/controllers/pages/checkout/payment/flex/FlexMicroformController.java

@@ -78,15 +78,13 @@ public AjaxResponse newJwk(final HttpSession session, final UriComponentsBuilder
         final Map<String, String> captureContext = flexService.createKey(targetOrigin);
 
         session.setAttribute(FLEX_CAPTURE_CONTEXT_ATTRIBUTE, captureContext.get("captureContext"));
-
-        // session.setAttribute("clientLiberary", captureContext.get("clientLiberary"));
-        // session.setAttribute("clientLibraryIntegrity",captureContext.get("clientLibraryIntegrity"));
+        
+        //RCH: To be extra safe, we can sanitize inputs to AjaxResponse.
         return AjaxResponse.success()
-                        .put("captureContext", captureContext.get("captureContext"))
-                        .put("clientLibrary", captureContext.get("clientLibrary"))
-.put("clientLibraryIntegrity", captureContext.get("clientLibraryIntegrity"));
+                .put("captureContext", StringEscapeUtils.escapeHtml4(captureContext.get("captureContext")))
+                .put("clientLibrary", StringEscapeUtils.escapeHtml4(captureContext.get("clientLibrary")))
+                .put("clientLibraryIntegrity", StringEscapeUtils.escapeHtml4(captureContext.get("clientLibraryIntegrity")));
 
-        // return captureContext.get("captureContext");
     }
 
     @PostMapping(value = "/verifyToken", consumes = MediaType.APPLICATION_JSON_VALUE)