diff --git a/modules/ppcp-session/src/Cancellation/CancelController.php b/modules/ppcp-session/src/Cancellation/CancelController.php
index 3c23983f5..79dbd4dcf 100644
--- a/modules/ppcp-session/src/Cancellation/CancelController.php
+++ b/modules/ppcp-session/src/Cancellation/CancelController.php
@@ -16,6 +16,8 @@ use WooCommerce\PayPalCommerce\Session\SessionHandler;
  */
 class CancelController {
 
+	public const NONCE = 'ppcp-cancel';
+
 	/**
 	 * The Session handler.
 	 *
@@ -49,12 +51,11 @@ class CancelController {
 	 * Runs the controller.
 	 */
 	public function run() {
-		$param_name = 'ppcp-cancel';
-		$nonce = 'ppcp-cancel-' . get_current_user_id();
+		$param_name = self::NONCE;
 		if ( isset( $_GET[ $param_name ] ) && // Input var ok.
 			wp_verify_nonce(
 				sanitize_text_field( wp_unslash( $_GET[ $param_name ] ) ), // Input var ok.
-				$nonce
+				self::NONCE
 			) ) { // Input var ok.
 			$this->session_handler->destroy_session_data();
 
@@ -74,11 +75,12 @@ class CancelController {
 			return; // Ignore for card buttons.
 		}
 
-		$url = add_query_arg( array( $param_name => wp_create_nonce( $nonce ) ), wc_get_checkout_url() );
+		$url = add_query_arg( array( $param_name => wp_create_nonce( self::NONCE ) ), wc_get_checkout_url() );
 		add_action(
 			'woocommerce_review_order_after_submit',
 			function () use ( $url ) {
-				$this->view->render_session_cancellation( $url, $this->session_handler->funding_source() );
+				// phpcs:ignore WordPress.Security.EscapeOutput
+				echo $this->view->render_session_cancellation( $url, $this->session_handler->funding_source() );
 			}
 		);
 	}
diff --git a/modules/ppcp-session/src/Cancellation/CancelView.php b/modules/ppcp-session/src/Cancellation/CancelView.php
index cdaf9b41e..2242b15c1 100644
--- a/modules/ppcp-session/src/Cancellation/CancelView.php
+++ b/modules/ppcp-session/src/Cancellation/CancelView.php
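Review bot: The new `NONCE` constant has no docblock, and its name undersells how it is used: in the `run()` hunk below it is both the `$_GET` parameter name and the `wp_verify_nonce()` action, so whoever renames it must change the rendered link and the verification together. A one-line comment would make that contract explicit, e.g. `/** Query-string key and nonce action shared by the cancel link built in run() and its verification. */`. If `public` is intended so other modules can build the same cancel link, the docblock should say so; otherwise `private` would keep the coupling inside this class. The class body continues outside the hunk.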
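Review bot: The nonce action drops the `get_current_user_id()` suffix, so the constant `self::NONCE` is now the only action in `wp_verify_nonce()` here and in `wp_create_nonce()` in the next hunk; this is fine only because WordPress core's `wp_create_nonce()` already mixes the current user ID and session token into the hash, which made the old suffix redundant rather than protective, and for logged-out checkout I believe WooCommerce hooks `nonce_user_logged_out` to its session customer ID, which is worth confirming. That reasoning should be recorded so nobody reintroduces the suffix as a "fix", e.g. `// Constant action is sufficient: WP core binds the nonce to the user ID / session token.` above the `wp_verify_nonce(` call. Note this branch still performs a state change (`destroy_session_data()`) on a GET request; the nonce covers CSRF but not a leaked link, which seems acceptable given the action only clears the PayPal session. `run()` continues past the end of this hunk.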
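Review bot: The new `echo` under a bare `// phpcs:ignore WordPress.Security.EscapeOutput` moves all escaping responsibility into `render_session_cancellation()`, but nothing at the call site records that contract, and `$url` (built by `add_query_arg()` over `wc_get_checkout_url()`) must go through `esc_url()` inside the view before it lands in an attribute. The CancelView hunk shows the method now returning a string via `ob_start()`, but its body is cut off in this diff, so whether `$url` and the funding source are escaped there cannot be confirmed here. Give the ignore a reason, `// phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped -- view escapes $url and funding source.`, and add `@return string Escaped HTML ready for output.` to the view method's docblock so the assumption survives refactors. `run()` begins in the previous hunk.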
@@ -50,7 +50,8 @@ class CancelView {
 	 * @param string $url The URL.
 	 * @param string|null $funding_source The ID of the funding source, such as 'venmo'.
 	 */
-	public function render_session_cancellation( string $url, ?string $funding_source ) {
+	public function render_session_cancellation( string $url, ?string $funding_source ): string {
+		ob_start();
 		?>