Fix Summernote XSS possibility (#2859)

BTCPayServer/wwwroot/crowdfund-admin/main.js

@@ -1,4 +1,4 @@
 hljs.initHighlightingOnLoad();
 $(document).ready(function () {
-    $(".richtext").summernote(window.summernoteOptions || {});
+    $(".richtext").summernote(window.summernoteOptions());
 });

BTCPayServer/wwwroot/js/summernote-options.js

@@ -1,8 +1,12 @@
-window.summernoteOptions = {
-    minHeight: 300,
-    tableClassName: 'table table-sm',
-    insertTableMaxSize: {
-        col: 5,
-        row: 10
+window.summernoteOptions = function() {
+    return {
+        minHeight: 300,
+        tableClassName: 'table table-sm',
+        insertTableMaxSize: {
+            col: 5,
+            row: 10
+        },
+        codeviewFilter: true,
+        codeviewFilterRegex: new RegExp($.summernote.options.codeviewFilterRegex.source + '|<.*?( on\\w+?=.*?)>', 'gi')
     }
-};
+}

BTCPayServer/wwwroot/payment-request-admin/main.js

@@ -1,3 +1,3 @@
 $(document).ready(function() {
-    $(".richtext").summernote(window.summernoteOptions || {});
+    $(".richtext").summernote(window.summernoteOptions());
 });

BTCPayServer/wwwroot/pos-admin/main.js

@@ -1,4 +1,4 @@
 hljs.initHighlightingOnLoad();
 $(document).ready(function () {
-    $(".richtext").summernote(window.summernoteOptions || {});
+    $(".richtext").summernote(window.summernoteOptions());
 });

BTCPayServer/wwwroot/vendor/summernote/summernote-bs5.js

@@ -1,4 +1,4 @@
-    /*!
+/*!
  *
  * Super simple wysiwyg editor v0.8.18
  * https://summernote.org
@@ -5366,6 +5366,9 @@ var Editor_Editor = /*#__PURE__*/function () {
         // if url doesn't have any protocol and not even a relative or a label, use http:// as default
         linkUrl = /^([A-Za-z][A-Za-z0-9+-.]*\:|#|\/)/.test(linkUrl) ? linkUrl : _this.options.defaultProtocol + linkUrl;
       }
+      
+      linkUrl = linkUrl.replace(this.options.codeviewFilterRegex, '');
+      linkText = linkText.replace(this.options.codeviewFilterRegex, '');
 
       var anchors = [];