This commit is contained in:
Kukks 2023-07-29 09:13:53 +02:00
parent c88df08350
commit 688e873f7a
No known key found for this signature in database
GPG key ID: 8E5530D9D1C93097
3 changed files with 14 additions and 7 deletions


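--- a/<path not shown on page>
+++ b/<path not shown on page>
@@ -1,3 +1,4 @@
+using System.Web;
 using Ganss.XSS;
 using Microsoft.AspNetCore.Html;
 using Microsoft.AspNetCore.Mvc.Rendering;
@@ -21,6 +22,10 @@ namespace BTCPayServer.Abstractions.Services
 {
 return _htmlHelper.Raw(_htmlSanitizer.Sanitize(value));
 }
+public IHtmlContent RawEncode(string value)
+{
+return _htmlHelper.Raw(HttpUtility.HtmlEncode(_htmlSanitizer.Sanitize(value)));
+}
 public IHtmlContent Json(object model)
 {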
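Review bot: `RawEncode` HTML-encodes the sanitizer's output rather than the original string, so every entity the sanitizer emits is encoded a second time; an `&` in an item title presumably comes back as `&amp;amp;` and renders literally as `&amp;` — confirm against HtmlSanitizer's serialization. Because the final result is fully encoded, the sanitizer pass adds nothing to safety and the helper is effectively Razor's default `@value` encoding wrapped in `Raw`; if inert plain text is the intent, `return _htmlHelper.Raw(HttpUtility.HtmlEncode(value));` avoids the double encoding. The method also has no XML doc comment; something like `/// <summary>Returns <paramref name="value"/> as fully HTML-encoded text with no markup preserved; use the Raw helper when sanitized markup should render.</summary>` would make the difference from the existing `Raw` helper clear to view authors. The enclosing class starts outside the hunk.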


@ -1,6 +1,8 @@
@using BTCPayServer.Plugins.PointOfSale.Models @using BTCPayServer.Plugins.PointOfSale.Models
@using BTCPayServer.Services @using BTCPayServer.Services
@using Newtonsoft.Json.Linq; @using Newtonsoft.Json.Linq;
@using BTCPayServer.Abstractions.TagHelpers
@using Microsoft.AspNetCore.Mvc.TagHelpers
@inject DisplayFormatter DisplayFormatter @inject DisplayFormatter DisplayFormatter
@inject BTCPayServer.Security.ContentSecurityPolicies Csp @inject BTCPayServer.Security.ContentSecurityPolicies Csp
@model BTCPayServer.Plugins.PointOfSale.Models.ViewPointOfSaleViewModel @model BTCPayServer.Plugins.PointOfSale.Models.ViewPointOfSaleViewModel
@ -63,15 +65,15 @@
? item.PriceType == ViewPointOfSaleViewModel.ItemPriceType.Topup ? Model.CustomButtonText : Model.ButtonText ? item.PriceType == ViewPointOfSaleViewModel.ItemPriceType.Topup ? Model.CustomButtonText : Model.ButtonText
: item.BuyButtonText; : item.BuyButtonText;
buttonText = buttonText.Replace("{0}", formatted).Replace("{Price}", formatted); buttonText = buttonText.Replace("{0}", formatted).Replace("{Price}", formatted);
var categories = new JArray(item.Categories ?? Array.Empty<string>());
<div class="col posItem" :class="{ 'posItem--inStock': inStock(@index) }" data-index="@index" data-search="@Safe.Raw(item.Title) @Safe.Raw(item.Description)" data-categories="@(new JArray(item.Categories).ToString())"> <div class="col posItem" :class="{ 'posItem--inStock': inStock(@index) }" data-index="@index" data-search="@Safe.RawEncode(item.Title + " " + item.Description)" data-categories="@Safe.Json(categories)">
<div class="card h-100 px-0" v-on:click="addToCart(@index)"> <div class="card h-100 px-0" v-on:click="addToCart(@index)">
@if (!string.IsNullOrWhiteSpace(item.Image)) @if (!string.IsNullOrWhiteSpace(item.Image))
{ {
<img class="card-img-top" src="@item.Image" alt="@Safe.Raw(item.Title)" asp-append-version="true"> <img class="card-img-top" src="@item.Image" alt="@item.Title" asp-append-version="true">
} }
<div class="card-body p-3 d-flex flex-column gap-2"> <div class="card-body p-3 d-flex flex-column gap-2">
<h5 class="card-title m-0">@Safe.Raw(item.Title)</h5> <h5 class="card-title m-0">@Safe.RawEncode(item.Title)</h5>
<div class="d-flex gap-2 align-items-center"> <div class="d-flex gap-2 align-items-center">
@if (item.PriceType == ViewPointOfSaleViewModel.ItemPriceType.Topup || item.Price == 0) @if (item.PriceType == ViewPointOfSaleViewModel.ItemPriceType.Topup || item.Price == 0)
{ {
@ -90,14 +92,14 @@
</div> </div>
@if (!string.IsNullOrWhiteSpace(item.Description)) @if (!string.IsNullOrWhiteSpace(item.Description))
{ {
<p class="card-text">@Safe.Raw(item.Description)</p> <p class="card-text">@Safe.RawEncode(item.Description)</p>
} }
</div> </div>
@if (inStock) @if (inStock)
{ {
<div class="card-footer bg-transparent border-0 pt-0 pb-3"> <div class="card-footer bg-transparent border-0 pt-0 pb-3">
<button type="button" class="btn btn-primary w-100" :disabled="!inStock(@index)"> <button type="button" class="btn btn-primary w-100" :disabled="!inStock(@index)">
@Safe.Raw(buttonText) @Safe.RawEncode(buttonText)
</button> </button>
</div> </div>
<div class="posItem-added"><vc:icon symbol="checkmark" /></div> <div class="posItem-added"><vc:icon symbol="checkmark" /></div>
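Review bot: `data-categories="@Safe.Json(categories)"` on the posItem div swaps a Razor-encoded `.ToString()` for a helper whose body is outside this page; if `Safe.Json` returns raw JSON as `IHtmlContent`, the double quotes in a serialized array such as `["a","b"]` terminate the attribute value, so it should be confirmed that the helper attribute-encodes its output, or the value should stay Razor-encoded with `data-categories="@categories.ToString()"`. The `Array.Empty<string>()` fallback on the new `categories` line is a sound null guard. This hunk renders one line short on the old side, so a removed line is not visible here.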


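--- a/<path not shown on page>
+++ b/<path not shown on page>
@@ -70,7 +70,7 @@ document.addEventListener("DOMContentLoaded",function () {
 searchTerm(term) {
 const t = term.toLowerCase();
 this.forEachItem(item => {
-const terms = item.dataset.search.toLowerCase()
+const terms = decodeURIComponent(item.dataset.search.toLowerCase());
 const included = terms.indexOf(t) !== -1
 item.classList[included ? 'remove' : 'add']("d-none")
 })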
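Review bot: `decodeURIComponent(item.dataset.search.toLowerCase())` is not the inverse of the server-side change: the new `data-search` value is HTML-entity-encoded, which the browser already decodes when it exposes `dataset.search`, so no percent-decoding is needed. Worse, `decodeURIComponent` throws a `URIError` on a lone `%` (a title or description such as "50% off"), which aborts the `forEachItem` callback and leaves the search broken for every remaining item. Dropping the wrapper, `const terms = item.dataset.search.toLowerCase();`, keeps the filter working; if some other code path percent-encodes this attribute, that is not visible on this page. The object containing `searchTerm` starts before the hunk.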