From 688e873f7a4d7fc79dc3be891126b889e4da9d68 Mon Sep 17 00:00:00 2001
From: Kukks
Date: Sat, 29 Jul 2023 09:13:53 +0200
Subject: [PATCH] fixes #5203
---
 BTCPayServer.Abstractions/Services/Safe.cs | 5 +++++
 .../Views/Shared/PointOfSale/Public/Cart.cshtml | 14 ++++++++------
 BTCPayServer/wwwroot/pos/cart.js | 2 +-
 3 files changed, 14 insertions(+), 7 deletions(-)
diff --git a/BTCPayServer.Abstractions/Services/Safe.cs b/BTCPayServer.Abstractions/Services/Safe.cs
index 8ddb7b9a4..cb8a22d82 100644
--- a/BTCPayServer.Abstractions/Services/Safe.cs
+++ b/BTCPayServer.Abstractions/Services/Safe.cs
@@ -1,3 +1,4 @@
+using System.Web;
 using Ganss.XSS;
 using Microsoft.AspNetCore.Html;
 using Microsoft.AspNetCore.Mvc.Rendering;
@@ -21,6 +22,10 @@ namespace BTCPayServer.Abstractions.Services
 {
 return _htmlHelper.Raw(_htmlSanitizer.Sanitize(value));
 }
+ public IHtmlContent RawEncode(string value)
+ {
+ return _htmlHelper.Raw(HttpUtility.HtmlEncode(_htmlSanitizer.Sanitize(value)));
+ }
 public IHtmlContent Json(object model)
 {
diff --git a/BTCPayServer/Views/Shared/PointOfSale/Public/Cart.cshtml b/BTCPayServer/Views/Shared/PointOfSale/Public/Cart.cshtml
index aef4b0324..75155095b 100644
--- a/BTCPayServer/Views/Shared/PointOfSale/Public/Cart.cshtml
+++ b/BTCPayServer/Views/Shared/PointOfSale/Public/Cart.cshtml
@@ -1,6 +1,8 @@
 @using BTCPayServer.Plugins.PointOfSale.Models
 @using BTCPayServer.Services
 @using Newtonsoft.Json.Linq;
+@using BTCPayServer.Abstractions.TagHelpers
+@using Microsoft.AspNetCore.Mvc.TagHelpers
 @inject DisplayFormatter DisplayFormatter
 @inject BTCPayServer.Security.ContentSecurityPolicies Csp
 @model BTCPayServer.Plugins.PointOfSale.Models.ViewPointOfSaleViewModel
@@ -63,15 +65,15 @@
 ? item.PriceType == ViewPointOfSaleViewModel.ItemPriceType.Topup ? Model.CustomButtonText : Model.ButtonText : item.BuyButtonText; buttonText = buttonText.Replace("{0}", formatted).Replace("{Price}", formatted); - -
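Review bot: `RawEncode` double-encodes: `_htmlSanitizer.Sanitize` returns serialized HTML in which text is already entity-encoded (at least `&` and `<` in text nodes), and `HttpUtility.HtmlEncode` then encodes the `&` of each entity again, so a title such as `Fish & Chips` would render as the literal text `Fish &amp; Chips`. Because the result is emitted as encoded text rather than as markup, encoding on its own already makes any tag inert, so the sanitize pass buys no safety here and is what introduces the double encoding; `return _htmlHelper.Raw(_htmlHelper.Encode(value));` yields the intended inert text without the new `System.Web` import, while if stripping tags (rather than displaying them literally) is the goal, the sanitizer's entities would need decoding before the re-encode. The name `RawEncode` reads as if markup were preserved, so the method needs an XML doc comment stating the contract, e.g. `/// <summary>Renders <paramref name="value"/> as HTML-encoded text; any markup in it is shown literally, never interpreted.</summary>`. A blank line before the new member would match the spacing of its neighbours.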
+ var categories = new JArray(item.Categories ?? Array.Empty()); +
@if (!string.IsNullOrWhiteSpace(item.Image)) { - @Safe.Raw(item.Title) + @item.Title }
-
@Safe.Raw(item.Title)
+
@Safe.RawEncode(item.Title)
@if (item.PriceType == ViewPointOfSaleViewModel.ItemPriceType.Topup || item.Price == 0) { @@ -90,14 +92,14 @@
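Review bot: Switching the title here and the description in the following `@@ -90,14` hunk from `Safe.Raw` to `Safe.RawEncode` changes what merchants see rather than only what is escaped: `Safe.Raw` emitted sanitized markup, so a description that uses `<b>` or `<br>` for formatting will now show those tags literally in the cart. If plain text is the intended contract for these fields, that should be stated where items are edited and in the release notes; if formatted descriptions are still meant to work, the element body can keep `Safe.Raw`, and the search data that cart.js now passes through `decodeURIComponent` presumably gets its own encoding elsewhere in this file. The element markup around these lines is missing from this rendering, so I cannot see which attribute `@item.Title` is emitted into (Razor encodes `@` output by default, so it is safe in an attribute or a body), and the `Array.Empty()` in `var categories = …` has presumably lost a `<string>` type argument in the rendering rather than in the source.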
@if (!string.IsNullOrWhiteSpace(item.Description)) { -

@Safe.Raw(item.Description)

+

@Safe.RawEncode(item.Description)

}
@if (inStock) {
diff --git a/BTCPayServer/wwwroot/pos/cart.js b/BTCPayServer/wwwroot/pos/cart.js
index 01fa712f4..ccb1863a2 100644
--- a/BTCPayServer/wwwroot/pos/cart.js
+++ b/BTCPayServer/wwwroot/pos/cart.js
@@ -70,7 +70,7 @@ document.addEventListener("DOMContentLoaded",function () {
 searchTerm(term) {
 const t = term.toLowerCase();
 this.forEachItem(item => {
- const terms = item.dataset.search.toLowerCase()
+ const terms = decodeURIComponent(item.dataset.search.toLowerCase());
 const included = terms.indexOf(t) !== -1
 item.classList[included ? 'remove' : 'add']("d-none")
 })
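Review bot: Lower-casing before decoding gives a different result from decoding before lower-casing for non-ASCII titles: `toLowerCase()` on the percent-encoded form only changes the hex digits, so `%C3%89` still decodes to `É` and will not match a search for `é`; the decode has to come first, `const terms = decodeURIComponent(item.dataset.search).toLowerCase()`. `decodeURIComponent` also throws `URIError` on any attribute value that is not well-formed percent-encoding (a stray `%` is enough), and because the call is unconditional inside `forEachItem`, one such item aborts the whole filter and leaves the remaining cards unfiltered; `let terms = item.dataset.search || ''` / `try { terms = decodeURIComponent(terms) } catch (e) { /* not percent-encoded: search the raw text */ }` / `terms = terms.toLowerCase()` keeps the loop going and also covers a card without the attribute. The trailing semicolon on the new line differs from the surrounding lines, which omit them. `searchTerm` closes outside the hunk, and the enclosing `DOMContentLoaded` handler starts before it.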