diff --git a/BTCPayServer.Abstractions/Security/ContentSecurityPolicies.cs b/BTCPayServer.Abstractions/Security/ContentSecurityPolicies.cs
index 27edb825b..3f56bad90 100644
--- a/BTCPayServer.Abstractions/Security/ContentSecurityPolicies.cs
+++ b/BTCPayServer.Abstractions/Security/ContentSecurityPolicies.cs
@@ -114,6 +114,11 @@ namespace BTCPayServer.Security
 _Policies.Add(policy);
 }
+ public void UnsafeEval()
+ {
+ Add("script-src", "'unsafe-eval'");
+ }
+
 public IEnumerable Rules => _Policies;
 public bool HasRules => _Policies.Count != 0;
diff --git a/BTCPayServer/Filters/ContentSecurityPolicyAttribute.cs b/BTCPayServer/Filters/ContentSecurityPolicyAttribute.cs
index b2973b003..f0ec77eb1 100644
--- a/BTCPayServer/Filters/ContentSecurityPolicyAttribute.cs
+++ b/BTCPayServer/Filters/ContentSecurityPolicyAttribute.cs
@@ -24,7 +24,7 @@ namespace BTCPayServer.Filters
 AutoSelf = false;
 FixWebsocket = false;
 UnsafeInline = false;
- ScriptSrc = "'self' 'unsafe-eval'"; // unsafe-eval needed for vue
+ ScriptSrc = "'self'";
 }
 }
diff --git a/BTCPayServer/Views/Shared/Crowdfund/Public/ViewCrowdfund.cshtml b/BTCPayServer/Views/Shared/Crowdfund/Public/ViewCrowdfund.cshtml
index 981fcabe3..5f3b3dd05 100644
--- a/BTCPayServer/Views/Shared/Crowdfund/Public/ViewCrowdfund.cshtml
+++ b/BTCPayServer/Views/Shared/Crowdfund/Public/ViewCrowdfund.cshtml
@@ -3,13 +3,14 @@
 @inject BTCPayServer.Services.BTCPayServerEnvironment Env
 @inject BTCPayServer.Security.ContentSecurityPolicies Csp
 @{
- ViewData["Title"] = Model.Title;
- Layout = null;
- if (!string.IsNullOrEmpty(Model.DisqusShortname))
- {
- Csp.Add("script-src", $"https://{Model.DisqusShortname}.disqus.com");
- Csp.Add("script-src", "https://c.disquscdn.com");
- }
+ ViewData["Title"] = Model.Title;
+ Layout = null;
+ Csp.UnsafeEval();
+ if (!string.IsNullOrEmpty(Model.DisqusShortname))
+ {
+ Csp.Add("script-src", $"https://{Model.DisqusShortname}.disqus.com");
+ Csp.Add("script-src", "https://c.disquscdn.com");
+ }
 }
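Review bot: `UnsafeEval()` is a public helper that loosens the response's CSP, yet it carries no documentation of what it does or when calling it is acceptable, so future callers will reach for it whenever a script breaks. Add an XML summary above it: `/// <summary>Adds 'unsafe-eval' to script-src for this response. Opt in only from views that genuinely need it (e.g. the Vue-based crowdfund view); the keyword applies to every origin already allowed in script-src, not just first-party scripts.</summary>`. The enclosing class starts outside the hunk.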
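Review bot: Dropping 'unsafe-eval' from the default `ScriptSrc` also drops the only comment that explained why it had been there, and the new line gives no hint that views depending on eval must now opt in explicitly; write that down on the line itself: `ScriptSrc = "'self'"; // views that need 'unsafe-eval' (e.g. Vue runtime templates) opt in via ContentSecurityPolicies.UnsafeEval()`. Only ViewCrowdfund opts in elsewhere in this diff; if any other view still relies on Vue compiling templates in the browser it will be blocked by this tighter default, which is worth confirming before merge. The enclosing member (presumably the constructor) starts outside the hunk.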
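Review bot: `Csp.UnsafeEval()` is called unconditionally at the top of the view, and because 'unsafe-eval' is a keyword in the script-src source list it also covers the Disqus origins added a few lines below, so the widening is page-wide rather than limited to the Vue code; record that trade-off next to the call: `Csp.UnsafeEval(); // needed for Vue on this page; applies to every script-src origin, including Disqus`. The seven removed and re-added lines otherwise differ only in indentation, which hides the single real change behind whitespace churn — keeping the original indentation and adding just the one line would make the hunk reviewable.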
@@ -55,13 +56,13 @@
@if (!string.IsNullOrEmpty(Model.MainImageUrl)) { - @Model.Title + }
-

@Model.Title

+

{{ srvModel.title }}

@if (!string.IsNullOrEmpty(Model.Tagline)) { -

@Model.Tagline

+

} @if (Model.TargetAmount.HasValue) { @@ -221,7 +222,6 @@
- @Safe.Raw(Model.Description)
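Review bot: The removed `@Safe.Raw(Model.Description)` was, as far as this hunk shows, the point where the description reached the page without HTML encoding, and its replacement is not visible here; wherever the description is rendered now (presumably client-side, alongside the `{{ srvModel.title }}` binding introduced earlier in this file) it should keep the same trust boundary — either stay encoded, or, if it is inserted as HTML, rely on the description having been sanitized before it reaches the view, as `Safe.Raw` implied. The surrounding markup of this hunk is not recoverable from this page, so this is inferred rather than confirmed.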
@@ -231,7 +231,6 @@
@@ -246,7 +245,7 @@
-