Hint: the JS function pagebox() returns the current pagebox; send it as the request parameter "pagebox" or as the request header 'Pagebox'.
Demo of Pagebox technique
Pagebox allows only the following requests:
POST at /payments from /payments/new
POST at /payments/finish after POST to /payments
POST at /order_pizza from /about
Try to bypass this and pay from /about; that page is vulnerable to XSS!
P.S. Your browser should support Content Security Policy
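An added example, not the demo's own code: one way a server could enforce the three rules listed above. It assumes the pagebox is an HMAC-signed token naming the session and the page that issued it; SECRET, issue_pagebox, check_request and the token layout are hypothetical.

```python
import base64, hashlib, hmac, json

SECRET = b"constructed-demo-key"  # assumption: key known only to the server

# (method, target path) -> issuer whose pagebox is required (rules from the page)
ALLOWED = {
    ("POST", "/payments"): "/payments/new",
    ("POST", "/payments/finish"): "POST /payments",
    ("POST", "/order_pizza"): "/about",
}

def _sign(body: bytes) -> bytes:
    return hmac.new(SECRET, body, hashlib.sha256).hexdigest().encode()

def issue_pagebox(session_id: str, issuer: str) -> str:
    """Token the server embeds in a response; the value JS pagebox() would return."""
    claims = json.dumps({"sid": session_id, "iss": issuer}).encode()
    body = base64.urlsafe_b64encode(claims)
    return (body + b"." + _sign(body)).decode()

def check_request(session_id: str, method: str, path: str, token: str):
    """Return (allowed, reason) for a request carrying `token` as its pagebox."""
    required = ALLOWED.get((method, path))
    if required is None:
        return False, "no transition defined for this endpoint"
    body, dot, sig = (token or "").encode("utf-8", "replace").partition(b".")
    if not dot or not hmac.compare_digest(sig, _sign(body)):
        return False, "missing or forged pagebox"
    claims = json.loads(base64.urlsafe_b64decode(body))  # safe: signature verified
    if claims["sid"] != session_id:
        return False, "pagebox belongs to another session"
    if claims["iss"] != required:
        return False, "pagebox issued by %s, need %s" % (claims["iss"], required)
    return True, "ok"

if __name__ == "__main__":
    # Constructed sample: the pagebox that any script running on /about can read.
    about_token = issue_pagebox("s1", "/about")
    for path in ("/order_pizza", "/payments"):
        print(path, check_request("s1", "POST", path, about_token))
```

The /about token is accepted for /order_pizza and refused for /payments, so script running on /about is limited to what /about itself is allowed to do.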