Hi all,

My shop has not yet been approved by Worldpay. I emailed Worldpay with a technical question and their reply mentioned something else:

I have also reviewed your callback link below:
http://www.example.com/cart/worldpay/complete

I noticed that you are using Javascript codes on your callback script, please note that due to XSS security issues (cross site scripting), we do not permit Javascript codes on your callback script.

---------------

I think this concerns Ubercart rather than uc_worldpay but I am just wondering if any Worldpay users have encountered this?

Thanks

Comments

juc1

Update on this...

I think Worldpay don't allow javascript (such as google analytics, nice menus etc) to be executed on their domain (link below). I am not sure whether this means
1) if you have javascript it won't work on the 'order complete' (= Worldpay) page ie will just be ignored
or
2) Worldpay require you to remove all javascript from the 'order complete' (= Worldpay) page before they approve the website.

Any ideas please?

Thanks

http://www.worldpay.com/support/bg/index.php?page=news&sub=xss&c=UK#ppcust

From 5th January any scripting will be suppressed on output to the web browser for all WorldPay merchants (no exceptions or opt-out possible) - unfortunately this will prevent web applications such as Google Analytics from being used on our hosted payment pages but such coding may still be applied to a merchant's website at the merchant's own risk. We will restrict the types of coding that will be accepted on the hosted payment page by introducing a list of permitted attributes (often referred to as a 'whitelist') from the Open Web Application Security Project (OWASP). Only codes that are included on the reference list will be displayed when output to a web browser. Validation of all incoming data and appropriate encoding of all output data will prevent unauthorised scripts from running in the browser. NOTE: we announced previously that this change would take place on 23rd November 2009, but we had to reschedule.
We will be using the OWASP's 'AntiSamy' Project as a guide - for details please refer to the AntiSamy Project allowed attribute list.
The changes we are making will not affect the processing of payments as such. Although you do need to be aware that in cases where prohibited coding has already been used there may be some visual changes to a payment page.
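The behaviour Worldpay describes above (an OWASP AntiSamy-style allowlist applied to the HTML of the merchant's callback page, with scripting suppressed before output) can be illustrated with a small allowlist sanitizer. This is an added example, not Worldpay's, AntiSamy's or Ubercart's code; the tag and attribute allowlist in it is an assumption, not Worldpay's real policy.

```python
from html import escape
from html.parser import HTMLParser

# Assumed allowlist for illustration; Worldpay's real AntiSamy policy is not on the page.
ALLOWED_TAGS = {"p", "a", "b", "i", "br", "div", "span", "ul", "li", "h1", "h2"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "div": {"class"}, "span": {"class"}}
SAFE_HREF = ("http://", "https://", "/")   # blocks javascript: and data: URLs

class AllowlistSanitizer(HTMLParser):
    """Emit only allowlisted tags/attributes; drop <script>/<style> bodies."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip_depth, self.script_seen = [], 0, False
    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):        # suppress scripting entirely
            self.skip_depth += 1
            self.script_seen = True
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return                            # unknown tag: dropped, its text kept
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue                      # drops onclick=, style=, etc.
            if name == "href" and not (value or "").lower().startswith(SAFE_HREF):
                continue
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip_depth = max(0, self.skip_depth - 1)
        elif not self.skip_depth and tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:               # script bodies never reach output
            self.out.append(escape(data, quote=False))

def sanitize(html):
    """Return (clean_html, script_was_present) for a callback page fragment."""
    s = AllowlistSanitizer()
    s.feed(html)
    s.close()
    return "".join(s.out), s.script_seen

# Constructed sample: an "order complete" fragment carrying a Google Analytics snippet.
SAMPLE = ('<div class="complete"><h2>Thank you</h2><p onmouseover="alert(1)">Order '
          '<b>#123</b> received.</p><a href="javascript:alert(1)">bad</a> '
          '<a href="/cart">Back</a><script>var _gaq=_gaq||[];</script></div>')
```

The second return value is the point the thread circles around: a gateway that sanitizes this way can either strip the script and render the rest, or treat `script_seen` as a reason to show nothing at all, and the merchant's non-essential JavaScript (analytics, menus) simply never runs on the hosted page.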

juc1

Hi all,

I am trying to understand what the worldpay support guy is telling me.

My interpretation is this - the worldpay domain will not execute javascript. On some (maybe non-Drupal) websites the javascript might be essential to the page and so not executing javascript will result in a white / blank page. On other websites (eg mine) the non-execution of javascript would make no noticeable / significant difference.

My 'order complete' page http://www.example.com/cart/worldpay/complete contains javascript. This is not causing any problem in the test environment. The support guy has told me that what happens in the live environment is what happens in the test environment ie not something different. If that is correct then it seems to me I have no problem. But then the support guy said to me:

"A white blank page is a symptom of our system detecting your Javascript codes on your callback page. I have seen a couple or even dozens happening in the past and have advised our merchants to do the necessary (removing Javascript) and this helps them. When your customer completes the payment, we will display the HTML contents of your callback script on our server but once we detect Javascript, we will display a blank page."

He doesn't say he has seen a white page on my Drupal site so I wonder if he is talking about non-Drupal sites. I think that once the 'order complete' page comes through the Worldpay server role is finished so I don't understand at what point he is saying there will be a blank page. Also this seems to say that any javascript will always result in a blank / white page but this does not seem correct because I have never seen a blank / white page in the test environment.

So can anyone please tell me do you have javascript in your http://www.example.com/cart/worldpay/complete page? If so has this ever caused a problem (such as a white page) or has Worldpay ever told you this is a problem and that you should remove all javascript from the order complete page?

Thanks

juc1

Update - today I phoned worldpay tech support in the UK. Maybe I should have done this before. They confirmed my suspicion that the worldpay 'tech support' guy (in Singapore) has been misinforming me and wasting my time!

My understanding was correct:
The Worldpay domain will not execute javascript
the consequence of not executing javascript will depend on the function of that javascript.
For some websites that javascript might be essential to the display of that page and so not executing the javascript could cause a display problem or even a white / blank page.
Some javascripts (such as google analytics) are not essential to the display of the page so not executing this javascript just means that google analytics will not work on this page ie does not affect the display of the page.
The test environment is accurate so if my javascript is not causing display problems in the test environment, then there is no problem.

It seems that Worldpay employ 'tech support' people in Singapore who know nothing about Worldpay tech support.

gruberroland

Issue summary: View changes
Status: Active » Closed (works as designed)