I am a supplier using cXML for Punch Out, and my security team want's me to URLEncode the StartPage URL before sending out the PunchoutSetupResponse. Is this advisable, i.e. will buyer ERP systems know to deencode the URL before attempting to redirect to my site?
Both Ariba Buyer and P2P should allow a PunchOut site to send a URL-encoded StartPage URL in the PunchOutSetupResponse document. I haven't seen this myself, but the subsequent PunchOutOrderMessage that the PunchOut site sends HAS to be either URL-encoded or base64-encoded, so I assume that Buyer and P2P can handle this encoding in the earlier document in the flow.