Fix interactive XSS when entering javascript: in store's website.

This commit is contained in:
nicolas.dorier 2021-09-10 10:56:48 +09:00
parent c4f4c3138c
commit 7f40698bba
No known key found for this signature in database
GPG Key ID: 6618763EF09186FE
6 changed files with 8 additions and 7 deletions


@ -86,6 +86,7 @@ namespace BTCPayServer.TagHelpers
} }
public override void Process(TagHelperContext context, TagHelperOutput output) public override void Process(TagHelperContext context, TagHelperOutput output)
{ {
bool cspAllow = output.Attributes.RemoveAll("csp-allow");
foreach (var attr in output.Attributes) foreach (var attr in output.Attributes)
{ {
var n = attr.Name.ToLowerInvariant(); var n = attr.Name.ToLowerInvariant();
@ -96,7 +97,7 @@ namespace BTCPayServer.TagHelpers
else if (n == "href") else if (n == "href")
{ {
var v = attr.Value.ToString(); var v = attr.Value.ToString();
if (v.StartsWith("javascript:", StringComparison.OrdinalIgnoreCase)) if (v.StartsWith("javascript:", StringComparison.OrdinalIgnoreCase) && cspAllow)
{ {
Allow(v); Allow(v);
} }
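Review bot: The new `cspAllow` flag is only consulted on the `href` branch; the attribute branches that sit between the two hunks (old lines 90–96) and whatever follows `Allow(v)` are not visible here, so if any of them also call `Allow` for inline-script values they presumably need the same `csp-allow` gate, otherwise the opt-in is only partial. Since this attribute is now the trust boundary that decides which inline `javascript:` URLs get hashed into the policy, the declaration deserves a comment stating the invariant, e.g. `// Only javascript: hrefs on elements explicitly marked csp-allow are added to the CSP; auto-allowing every one let user-supplied URLs (e.g. the store website field) bypass it. RemoveAll also strips the marker so it never reaches the rendered HTML.`. `Process` begins at the top of the first hunk but its body continues past the end of the second.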


@ -18,7 +18,7 @@
<p>Insert your security key into your computer's USB port. If it has a button, tap on it.</p> <p>Insert your security key into your computer's USB port. If it has a button, tap on it.</p>
</div> </div>
<p id="error-message" class="d-none alert alert-danger"></p> <p id="error-message" class="d-none alert alert-danger"></p>
<a id="btn-retry" class="btn btn-secondary d-none" href="javascript:window.location.reload()">Retry</a> <a id="btn-retry" class="btn btn-secondary d-none" href="javascript:window.location.reload()" csp-allow>Retry</a>
</div> </div>
</div> </div>
</div> </div>


@ -13,7 +13,7 @@
<p>Insert your security key into your computer's USB port. If it has a button, tap on it.</p> <p>Insert your security key into your computer's USB port. If it has a button, tap on it.</p>
</div> </div>
<p id="error-message" class="d-none alert alert-danger"></p> <p id="error-message" class="d-none alert alert-danger"></p>
<a id="btn-retry" class="btn btn-secondary d-none" href="javascript:window.location.reload()">Retry</a> <a id="btn-retry" class="btn btn-secondary d-none" href="javascript:window.location.reload()" csp-allow>Retry</a>
</div> </div>
</div> </div>


@ -333,7 +333,7 @@
</th> </th>
<th style="min-width:90px;" class="col-md-auto"> <th style="min-width:90px;" class="col-md-auto">
Date Date
<a href="javascript:switchTimeFormat()"> <a href="javascript:switchTimeFormat()" csp-allow>
<span class="fa fa-clock-o" title="Switch date format"></span> <span class="fa fa-clock-o" title="Switch date format"></span>
</a> </a>
</th> </th>
@ -411,7 +411,7 @@
{ {
<span> <span>
<a asp-action="Checkout" class="invoice-checkout-link" id="invoice-checkout-@invoice.InvoiceId" asp-route-invoiceId="@invoice.InvoiceId">Checkout</a> <a asp-action="Checkout" class="invoice-checkout-link" id="invoice-checkout-@invoice.InvoiceId" asp-route-invoiceId="@invoice.InvoiceId">Checkout</a>
<a href="javascript:btcpay.showInvoice('@invoice.InvoiceId')">[^]</a> <a href="javascript:btcpay.showInvoice('@invoice.InvoiceId')" csp-allow>[^]</a>
@if (!invoice.CanMarkStatus) @if (!invoice.CanMarkStatus)
{ {
<span>-</span> <span>-</span>
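Review bot: The `showInvoice` anchor opts a `javascript:` URL that interpolates `@invoice.InvoiceId` into the CSP allow list, and Razor's attribute encoding is HTML encoding rather than JavaScript-string encoding, so the browser decodes it again before executing. That is safe only as long as the invoice id is server-generated and never user-controlled, which appears to be the case here but is now an implicit assumption carried by `csp-allow`. Consider putting the id in a `data-invoice-id` attribute with a delegated click handler so no Razor value is interpolated into an executable URL, or at least a short comment next to the anchor noting why the interpolated value is trusted. The `switchTimeFormat` anchor earlier in this section interpolates nothing and does not share this concern.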


@ -44,7 +44,7 @@
</th> </th>
<th width="190px"> <th width="190px">
Date Date
<a href="javascript:switchTimeFormat()"> <a href="javascript:switchTimeFormat()" csp-allow>
<span class="fa fa-clock-o" title="Switch date format"></span> <span class="fa fa-clock-o" title="Switch date format"></span>
</a> </a>
</th> </th>


@ -89,7 +89,7 @@
<tr> <tr>
<th style="min-width: 90px;" class="col-md-auto"> <th style="min-width: 90px;" class="col-md-auto">
Date Date
<a href="javascript:switchTimeFormat()"> <a href="javascript:switchTimeFormat()" csp-allow>
<span class="fa fa-clock-o" title="Switch date format"></span> <span class="fa fa-clock-o" title="Switch date format"></span>
</a> </a>
</th> </th>