diff --git a/src/main/java/org/olat/resource/accesscontrol/provider/paypalcheckout/ui/PaypalSmartButtonAccessController.java b/src/main/java/org/olat/resource/accesscontrol/provider/paypalcheckout/ui/PaypalSmartButtonAccessController.java
index de1b6f1c4701072959409e921f79f374537184b8..23c637a07089e322231c33bae0068f20e8a376a4 100644
--- a/src/main/java/org/olat/resource/accesscontrol/provider/paypalcheckout/ui/PaypalSmartButtonAccessController.java
+++ b/src/main/java/org/olat/resource/accesscontrol/provider/paypalcheckout/ui/PaypalSmartButtonAccessController.java
@@ -28,6 +28,7 @@ import org.olat.core.gui.components.htmlheader.jscss.JSAndCSSFormItem;
 import org.olat.core.gui.control.Controller;
 import org.olat.core.gui.control.Event;
 import org.olat.core.gui.control.WindowControl;
+import org.olat.core.util.Formatter;
 import org.olat.core.util.StringHelper;
 import org.olat.resource.accesscontrol.OfferAccess;
 import org.olat.resource.accesscontrol.Price;
@@ -71,9 +72,11 @@ public class PaypalSmartButtonAccessController extends FormBasicController imple
 			layoutCont.contextPut("currency", currency);
 			String excludeFundings = paypalModule.getExcludeFundings();
 			layoutCont.contextPut("excludeFundings", excludeFundings == null ? "" : excludeFundings);
+			layoutCont.contextPut("csrfToken", ureq.getUserSession().getCsrfToken());
 			
 			String description = link.getOffer().getDescription();
 			if(StringHelper.containsNonWhitespace(description)) {
+				description = Formatter.escWithBR(description).toString();
 				description = StringHelper.xssScan(description);
 				layoutCont.contextPut("description", description);
 			}
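Review bot: The session CSRF token added with `layoutCont.contextPut("csrfToken", ureq.getUserSession().getCsrfToken());` is rendered by paypal_smart_buttons.html as `data-csp-nonce="${csrfToken}"`. Unless the framework rewrites that attribute before the response is sent, the anti-CSRF secret ends up readable in the DOM of a page that also loads third-party script from www.paypal.com. A CSP nonce is meant to be a fresh random value per response, and a CSRF token lives for the whole session, so reusing one for the other weakens both; I would publish a dedicated nonce under its own context key and keep the CSRF token out of the markup. On the description, `Formatter.escWithBR` followed by `StringHelper.xssScan` looks like a sound order for plain-text input, but if offer descriptions can be stored as rich-text HTML they will now show literal tags, so a comment such as `// description is plain text: escape first, keep only the generated <br>` would record the assumption. The enclosing method starts and ends outside this hunk, so the null-handling of `getCsrfToken()` cannot be judged from here.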
diff --git a/src/main/java/org/olat/resource/accesscontrol/provider/paypalcheckout/ui/_content/paypal_smart_buttons.html b/src/main/java/org/olat/resource/accesscontrol/provider/paypalcheckout/ui/_content/paypal_smart_buttons.html
index 2209d67478a49fcf13cd5e40791211c79b7de8ef..8fa7d7f612e78d507ce30ef6401cecf853ac55d8 100644
--- a/src/main/java/org/olat/resource/accesscontrol/provider/paypalcheckout/ui/_content/paypal_smart_buttons.html
+++ b/src/main/java/org/olat/resource/accesscontrol/provider/paypalcheckout/ui/_content/paypal_smart_buttons.html
@@ -18,26 +18,33 @@
 			</div>
 			
 			<div id="paypal_buttons_${r.getCId()}">
-				<script defer>
+				<script defer data-csp-nonce="${csrfToken}">
 				jQuery(function() {
 					jQuery.ajax({
 						url: 'https://www.paypal.com/sdk/js?client-id=$clientId&currency=${currency}&intent=authorize&commit=true&disable-funding=${excludeFundings}',
-						cache: true,
+						cache: true,//paypal don't like the anti-cache parameter
 						dataType: "script",
 						success: loadButtons,
 						error: errorButtons,
 					});
 					
 					function errorButtons() {
-						location.reload();
+						if(window.console) console.log('Errors');
 					}
 					
 					function loadButtons() {
 						try {
-							internalLoadButtons();
+							setTimeout(function() {
+								internalLoadButtons();
+								var numOfPayPal = jQuery('#paypal_buttons_${r.getCId()} iframe').length;
+								if(numOfPayPal == 0) {
+									setTimeout(function() {
+										internalLoadButtons();
+									}, 100);
+								}
+							}, 100);
 						} catch(e) {
 							if(window.console) console.log(e);
-							location.reload();
 						}
 					}