Fix interactive XSS when entering javascript: in store's website.

This commit is contained in:
nicolas.dorier 2021-09-10 10:56:48 +09:00
parent c4f4c3138c
commit 7f40698bba
No known key found for this signature in database
GPG Key ID: 6618763EF09186FE
6 changed files with 8 additions and 7 deletions


@ -86,6 +86,7 @@ namespace BTCPayServer.TagHelpers
}
public override void Process(TagHelperContext context, TagHelperOutput output)
{
bool cspAllow = output.Attributes.RemoveAll("csp-allow");
foreach (var attr in output.Attributes)
{
var n = attr.Name.ToLowerInvariant();
@ -96,7 +97,7 @@ namespace BTCPayServer.TagHelpers
else if (n == "href")
{
var v = attr.Value.ToString();
if (v.StartsWith("javascript:", StringComparison.OrdinalIgnoreCase))
if (v.StartsWith("javascript:", StringComparison.OrdinalIgnoreCase) && cspAllow)
{
Allow(v);
}
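Review bot: The `cspAllow` gate is applied only to the `href` branch, so if the branches earlier in this `foreach` (outside the hunk) also pass event-handler attribute values to `Allow()`, they should be gated by `cspAllow` in the same way, since an inline handler built from an untrusted model value carries the same risk as an untrusted `javascript:` href. The opt-in semantics deserve a comment above the `RemoveAll` line, e.g. `// csp-allow is an explicit per-element opt-in: only marked elements get their javascript: href passed to Allow(); the marker is stripped so it never reaches the rendered HTML.` `Process` ends outside the hunk. A unit test that runs the helper over an `<a href="javascript:alert(1)">` without `csp-allow` and asserts that `Allow()` is not invoked would pin the fix against regression.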


@ -18,7 +18,7 @@
<p>Insert your security key into your computer's USB port. If it has a button, tap on it.</p>
</div>
<p id="error-message" class="d-none alert alert-danger"></p>
<a id="btn-retry" class="btn btn-secondary d-none" href="javascript:window.location.reload()">Retry</a>
<a id="btn-retry" class="btn btn-secondary d-none" href="javascript:window.location.reload()" csp-allow>Retry</a>
</div>
</div>
</div>
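Review bot: Marking the retry anchor `csp-allow` keeps a `javascript:` URL in the markup and widens the policy for it, whereas a `<button type="button" id="btn-retry" class="btn btn-secondary d-none">Retry</button>` with a `click` listener in the page's existing script would need no allowance at all. The same applies to the second retry anchor and to the three `switchTimeFormat()` anchors in the sections below, which could become buttons or use a listener bound by id. Each `csp-allow` is a standing exception that has to be re-audited whenever the element's `href` changes, so limiting them to cases with no unobtrusive alternative keeps the policy small.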


@ -13,7 +13,7 @@
<p>Insert your security key into your computer's USB port. If it has a button, tap on it.</p>
</div>
<p id="error-message" class="d-none alert alert-danger"></p>
<a id="btn-retry" class="btn btn-secondary d-none" href="javascript:window.location.reload()">Retry</a>
<a id="btn-retry" class="btn btn-secondary d-none" href="javascript:window.location.reload()" csp-allow>Retry</a>
</div>
</div>


@ -333,7 +333,7 @@
</th>
<th style="min-width:90px;" class="col-md-auto">
Date
<a href="javascript:switchTimeFormat()">
<a href="javascript:switchTimeFormat()" csp-allow>
<span class="fa fa-clock-o" title="Switch date format"></span>
</a>
</th>
@ -411,7 +411,7 @@
{
<span>
<a asp-action="Checkout" class="invoice-checkout-link" id="invoice-checkout-@invoice.InvoiceId" asp-route-invoiceId="@invoice.InvoiceId">Checkout</a>
<a href="javascript:btcpay.showInvoice('@invoice.InvoiceId')">[^]</a>
<a href="javascript:btcpay.showInvoice('@invoice.InvoiceId')" csp-allow>[^]</a>
@if (!invoice.CanMarkStatus)
{
<span>-</span>
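Review bot: The `csp-allow` on the `btcpay.showInvoice('@invoice.InvoiceId')` anchor in the second hunk opts in a script that embeds model data; Razor HTML-encodes `@` output, which does not make a value safe inside a JavaScript string literal, so this is only sound if `InvoiceId` can never contain a quote or backslash. That is presumably true for server-generated ids, but the assumption should be recorded next to the marker, e.g. `@* csp-allow: InvoiceId is server-generated, never user-supplied *@`. A `data-invoice-id="@invoice.InvoiceId"` attribute read by a delegated click handler would remove both the inline script and the allowance.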


@ -44,7 +44,7 @@
</th>
<th width="190px">
Date
<a href="javascript:switchTimeFormat()">
<a href="javascript:switchTimeFormat()" csp-allow>
<span class="fa fa-clock-o" title="Switch date format"></span>
</a>
</th>


@ -89,7 +89,7 @@
<tr>
<th style="min-width: 90px;" class="col-md-auto">
Date
<a href="javascript:switchTimeFormat()">
<a href="javascript:switchTimeFormat()" csp-allow>
<span class="fa fa-clock-o" title="Switch date format"></span>
</a>
</th>