
Fix interactive XSS when entering javascript: in store's website.
NicolasDorier committed Sep 10, 2021
1 parent c4f4c31 commit 7f40698
Showing 6 changed files with 8 additions and 7 deletions.
3 changes: 2 additions & 1 deletion BTCPayServer/TagHelpers.cs
Expand Up @@ -86,6 +86,7 @@ public CSPEventTagHelper(ContentSecurityPolicies csp)
}
public override void Process(TagHelperContext context, TagHelperOutput output)
{
bool cspAllow = output.Attributes.RemoveAll("csp-allow");
foreach (var attr in output.Attributes)
{
var n = attr.Name.ToLowerInvariant();
Expand All @@ -96,7 +97,7 @@ public override void Process(TagHelperContext context, TagHelperOutput output)
else if (n == "href")
{
var v = attr.Value.ToString();
if (v.StartsWith("javascript:", StringComparison.OrdinalIgnoreCase))
if (v.StartsWith("javascript:", StringComparison.OrdinalIgnoreCase) && cspAllow)
{
Allow(v);
}
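Review bot: The new gate `if (v.StartsWith("javascript:", StringComparison.OrdinalIgnoreCase) && cspAllow)` fails closed for unmarked links, but nothing in the code records that `csp-allow` is a deliberate opt-in, so the next developer whose link is blocked by CSP may add the attribute to a view where `href` is built from user data and reopen the hole the commit closes. A comment above `bool cspAllow = output.Attributes.RemoveAll("csp-allow");` would carry that contract: `// csp-allow: explicit opt-in to hash-allow-list a javascript: href; use only on literal, server-authored URLs, never where the value can derive from user input.` The branch is an `else if`, so an earlier branch (in the lines hidden between the two hunks) handles other attributes; if that branch calls Allow without the same gate, it is worth verifying it cannot be reached with user-controlled values. Process starts in the first hunk and continues past the second.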
2 changes: 1 addition & 1 deletion BTCPayServer/Views/Account/LoginWithFido2.cshtml
Expand Up @@ -18,7 +18,7 @@
<p>Insert your security key into your computer's USB port. If it has a button, tap on it.</p>
</div>
<p id="error-message" class="d-none alert alert-danger"></p>
<a id="btn-retry" class="btn btn-secondary d-none" href="javascript:window.location.reload()">Retry</a>
<a id="btn-retry" class="btn btn-secondary d-none" href="javascript:window.location.reload()" csp-allow>Retry</a>
</div>
</div>
</div>
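Review bot: The retry link `<a id="btn-retry" class="btn btn-secondary d-none" href="javascript:window.location.reload()" csp-allow>Retry</a>` keeps an inline `javascript:` URL alive only by hash-allow-listing it, which is exactly what the tag helper change makes an exception; since the element is shown and hidden by script anyway (`d-none`), a `<button type="button" id="btn-retry" class="btn btn-secondary d-none">Retry</button>` with a `click` listener registered from the page script that presumably already toggles it would remove the need for `csp-allow` here. The same applies to the identical retry link in BTCPayServer/Views/Fido2/Create.cshtml and to the `switchTimeFormat()` links in BTCPayServer/Views/Notifications/Index.cshtml and BTCPayServer/Views/Wallets/WalletTransactions.cshtml. This is a style point; the change as written is consistent with the new opt-in.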
2 changes: 1 addition & 1 deletion BTCPayServer/Views/Fido2/Create.cshtml
Expand Up @@ -13,7 +13,7 @@
<p>Insert your security key into your computer's USB port. If it has a button, tap on it.</p>
</div>
<p id="error-message" class="d-none alert alert-danger"></p>
<a id="btn-retry" class="btn btn-secondary d-none" href="javascript:window.location.reload()">Retry</a>
<a id="btn-retry" class="btn btn-secondary d-none" href="javascript:window.location.reload()" csp-allow>Retry</a>
</div>
</div>

4 changes: 2 additions & 2 deletions BTCPayServer/Views/Invoice/ListInvoices.cshtml
Expand Up @@ -333,7 +333,7 @@
</th>
<th style="min-width:90px;" class="col-md-auto">
Date
<a href="javascript:switchTimeFormat()">
<a href="javascript:switchTimeFormat()" csp-allow>
<span class="fa fa-clock-o" title="Switch date format"></span>
</a>
</th>
Expand Down Expand Up @@ -411,7 +411,7 @@
{
<span>
<a asp-action="Checkout" class="invoice-checkout-link" id="invoice-checkout-@invoice.InvoiceId" asp-route-invoiceId="@invoice.InvoiceId">Checkout</a>
<a href="javascript:btcpay.showInvoice('@invoice.InvoiceId')">[^]</a>
<a href="javascript:btcpay.showInvoice('@invoice.InvoiceId')" csp-allow>[^]</a>
@if (!invoice.CanMarkStatus)
{
<span>-</span>
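Review bot: In the second hunk, `<a href="javascript:btcpay.showInvoice('@invoice.InvoiceId')" csp-allow>[^]</a>` is the one place in this commit where the allow-listed `javascript:` URL embeds a data value rather than a literal; the opt-in is safe only as long as InvoiceId is server-generated and can never contain a quote, which the hunk cannot show, and Razor's HTML attribute encoding does not protect a JavaScript string literal because the browser decodes the attribute before evaluating the URL. Moving the id into a data attribute, `<a href="#" class="showInvoice" data-invoice-id="@invoice.InvoiceId">[^]</a>`, with a delegated click handler calling `btcpay.showInvoice` would keep the value out of a script context entirely and drop the need for `csp-allow`. The `switchTimeFormat()` link in the first hunk is a literal and is fine as opted in.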
2 changes: 1 addition & 1 deletion BTCPayServer/Views/Notifications/Index.cshtml
Expand Up @@ -44,7 +44,7 @@
</th>
<th width="190px">
Date
<a href="javascript:switchTimeFormat()">
<a href="javascript:switchTimeFormat()" csp-allow>
<span class="fa fa-clock-o" title="Switch date format"></span>
</a>
</th>
2 changes: 1 addition & 1 deletion BTCPayServer/Views/Wallets/WalletTransactions.cshtml
Expand Up @@ -89,7 +89,7 @@
<tr>
<th style="min-width: 90px;" class="col-md-auto">
Date
<a href="javascript:switchTimeFormat()">
<a href="javascript:switchTimeFormat()" csp-allow>
<span class="fa fa-clock-o" title="Switch date format"></span>
</a>
</th>
