
How to escape SagePay values in PHP?


Before encryption, the string you send to SagePay is formatted like a URL.

...&Amount=99.99&Description=An order from My Company...

What seems to be missing from the documentation is how to escape these values. I'm stripping out invalid characters per the integration guide but am wondering about special characters that could be in the data sent from the online shop (e.g. ampersands in product names).

To make it bulletproof, should I be using htmlspecialchars, htmlentities or urlencode on these values? The only critical thing I can see is to strip colons from the basket string since this is used as a separator. There seems to be no way to escape it.

I've been using 2.23 but am upgrading now to 3.00. Other than the encryption function (it now uses proper AES with padding and CBC) it seems like you can keep the old code.


Solution

  • I don't generally use baskets, but I just did a quick check on ampersand in the description field - if you leave it unencoded, it renders fine on the payment pages and in My Sage Pay.
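
The colon problem raised in the question, as an added example (not code from the question, the answer, or Sage Pay): this PHP builds a basket string, replaces the unescapable `:` in descriptions, and checks the result structurally. The six-fields-per-line layout, the function names and the array shape are assumptions; the sample items are constructed.

```php
<?php
// Added example. Assumed layout: line count, then six fields per line
// (description, quantity, net, tax, gross, line total), all joined by ':'.

/** Free text for the basket: ':' cannot be escaped, so replace it. */
function basketText(string $s): string
{
    $s = preg_replace('/[:\x00-\x1F\x7F]/', ' ', $s); // separator and control chars
    return trim(preg_replace('/ {2,}/', ' ', $s));    // collapse runs of spaces
}

/** Build the basket string from line items (hypothetical array shape). */
function buildBasket(array $lines): string
{
    $fields = [count($lines)];
    foreach ($lines as $l) {
        $gross = $l['net'] + $l['tax'];
        array_push(
            $fields,
            basketText($l['desc']),
            (int) $l['qty'],
            number_format($l['net'], 2, '.', ''),
            number_format($l['tax'], 2, '.', ''),
            number_format($gross, 2, '.', ''),
            number_format($gross * $l['qty'], 2, '.', '')
        );
    }
    return implode(':', $fields);
}

/** Structural check: a stray ':' in any value changes the field count. */
function basketIsWellFormed(string $basket): bool
{
    $f = explode(':', $basket);
    return ctype_digit($f[0]) && count($f) === 1 + 6 * (int) $f[0];
}

// Constructed sample data: the first description contains ':' and '&'.
// '&' is left untouched, as in the answer's test with the Description field.
$lines = [
    ['desc' => 'Cable: USB-C & Lightning', 'qty' => 2, 'net' => 8.00, 'tax' => 1.60],
    ['desc' => 'Case', 'qty' => 1, 'net' => 10.00, 'tax' => 2.00],
];
$basket = buildBasket($lines);
echo $basket, PHP_EOL;
var_dump(basketIsWellFormed($basket)); // built with basketText()
var_dump(basketIsWellFormed('1:Cable: USB-C:2:8.00:1.60:9.60:19.20')); // raw ':' kept
```

Running the same field-count check just before encryption catches any value that reached the basket without going through `basketText()`.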