From ddb125f45892b4dafdbd5c072af1ce623758bb92 Mon Sep 17 00:00:00 2001
From: Nicolas Dorier <nicolas.dorier@gmail.com>
Date: Thu, 23 Feb 2023 00:35:34 +0900
Subject: [PATCH] Fix: HTML injection in payment request/posData/receiptData
 (Close #4678) (#4679)

Co-authored-by: Dennis Reimann <mail@dennisreimann.de>
---
 .../BitcoinLikeMethodCheckoutNoScript.cshtml  |  2 +-
 .../Bitcoin/ViewBitcoinLikePaymentData.cshtml |  8 ++-
 BTCPayServer/Views/Shared/PosData.cshtml      | 28 +++++----
 BTCPayServer/Views/UIInvoice/PosData.cshtml   | 60 -------------------
 .../Views/UILNURL/EditLightningAddress.cshtml |  8 +--
 5 files changed, 28 insertions(+), 78 deletions(-)
 delete mode 100644 BTCPayServer/Views/UIInvoice/PosData.cshtml

diff --git a/BTCPayServer/Views/Shared/Bitcoin/BitcoinLikeMethodCheckoutNoScript.cshtml b/BTCPayServer/Views/Shared/Bitcoin/BitcoinLikeMethodCheckoutNoScript.cshtml
index a374d5cd36..abea189805 100644
--- a/BTCPayServer/Views/Shared/Bitcoin/BitcoinLikeMethodCheckoutNoScript.cshtml
+++ b/BTCPayServer/Views/Shared/Bitcoin/BitcoinLikeMethodCheckoutNoScript.cshtml
@@ -1,6 +1,6 @@
 @model PaymentModel
 <div>
-    <p>To complete payment, please send <b>@Safe.Raw(Model.IsUnsetTopUp? "any amount of": Model.BtcDue) @Model.CryptoCode</b> to <b style="word-break: break-word;">@Model.BtcAddress</b></p>
+    <p>To complete payment, please send <b>@(Model.IsUnsetTopUp ? "any amount of" : Model.BtcDue) @Model.CryptoCode</b> to <b style="word-break: break-word;">@Model.BtcAddress</b></p>
     <p>Time remaining: @Model.TimeLeft</p>
     <p>
         <a href="@Model.InvoiceBitcoinUrl" style="word-break: break-word;" rel="noreferrer noopener">@Model.InvoiceBitcoinUrl</a>
diff --git a/BTCPayServer/Views/Shared/Bitcoin/ViewBitcoinLikePaymentData.cshtml b/BTCPayServer/Views/Shared/Bitcoin/ViewBitcoinLikePaymentData.cshtml
index 59b1a7b865..3a7f2ff6d7 100644
--- a/BTCPayServer/Views/Shared/Bitcoin/ViewBitcoinLikePaymentData.cshtml
+++ b/BTCPayServer/Views/Shared/Bitcoin/ViewBitcoinLikePaymentData.cshtml
@@ -77,7 +77,13 @@
                     <td>@payment.Crypto</td>
                     <td>@(payment.CryptoPaymentData.KeyPath?.ToString()?? "Unknown")</td>
                     <td style="max-width:300px;" data-bs-toggle="tooltip" class="text-truncate" title="@payment.DepositAddress">@payment.DepositAddress</td>
-                    <td class="payment-value">@payment.CryptoPaymentData.GetValue() @Safe.Raw(payment.AdditionalInformation is string i ? $"<br/>({i})" : string.Empty)</td>
+                    <td class="payment-value">
+                        @payment.CryptoPaymentData.GetValue()
+                        @if (!string.IsNullOrEmpty(payment.AdditionalInformation))
+                        {
+                            <div>(@payment.AdditionalInformation)</div>
+                        }
+                    </td>
                     @if (hasNetworkFee)
                     {
                         <td>@payment.NetworkFee</td>
diff --git a/BTCPayServer/Views/Shared/PosData.cshtml b/BTCPayServer/Views/Shared/PosData.cshtml
index 14c84f3bff..b57385823e 100644
--- a/BTCPayServer/Views/Shared/PosData.cshtml
+++ b/BTCPayServer/Views/Shared/PosData.cshtml
@@ -16,16 +16,16 @@
             {
                 if (!string.IsNullOrEmpty(key))
                 {
-                    <th class="w-150px">@Safe.Raw(key)</th>
+                    <th class="w-150px">@key</th>
                 }
                 <td>
                     @if (IsValidURL(str))
                     {
-                        <a href="@Safe.Raw(str)" target="_blank" rel="noreferrer noopener">@Safe.Raw(str)</a>
+                        <a href="@str" target="_blank" rel="noreferrer noopener">@str</a>
                     }
                     else
                     {
-                        @Safe.Raw(value?.ToString())
+                        @value?.ToString()
                     }
                 </td>
             }
@@ -34,22 +34,26 @@
                 @* This is the array case *@
                 if (subItems.Count == 1 && subItems.First().Value is string str2)
                 {
-                    <th class="w-150px">@Safe.Raw(key)</th>
+                    <th class="w-150px">@key</th>
                     <td>
                         @if (IsValidURL(str2))
                         {
-                            <a href="@Safe.Raw(str2)" target="_blank" rel="noreferrer noopener">@Safe.Raw(str2)</a>
+                            <a href="@str2" target="_blank" rel="noreferrer noopener">@str2</a>
                         }
                         else
                         {
-                            @Safe.Raw(subItems.First().Value?.ToString())
+                            @subItems.First().Value?.ToString()
                         }
-                    </td>
-                }
-                else
-                {
-                    <td colspan="2" >
-                        @Safe.Raw($"<h{Model.Level + 3} class=\"mt-4 mb-3\">{key}</h{Model.Level + 3}>")
+					</td>
+				}
+				else
+				{
+					<td colspan="2" >
+						@{
+							Write(Html.Raw($"<h{Model.Level + 3} class=\"mt-4 mb-3\">"));
+							Write(key);
+							Write(Html.Raw($"</h{Model.Level + 3}>"));
+						}
                         <partial name="PosData" model="(subItems, Model.Level + 1)"/>
                     </td>
                 }
diff --git a/BTCPayServer/Views/UIInvoice/PosData.cshtml b/BTCPayServer/Views/UIInvoice/PosData.cshtml
deleted file mode 100644
index 14c84f3bff..0000000000
--- a/BTCPayServer/Views/UIInvoice/PosData.cshtml
+++ /dev/null
@@ -1,60 +0,0 @@
-@model (Dictionary<string, object> Items, int Level)
-
-@functions {
-    private bool IsValidURL(string source)
-    {
-        return Uri.TryCreate(source, UriKind.Absolute, out var uriResult) && 
-            (uriResult.Scheme == Uri.UriSchemeHttp || uriResult.Scheme == Uri.UriSchemeHttps);
-    }
-}
-
-<table class="table my-0">
-    @foreach (var (key, value) in Model.Items)
-    {
-        <tr>
-            @if (value is string str)
-            {
-                if (!string.IsNullOrEmpty(key))
-                {
-                    <th class="w-150px">@Safe.Raw(key)</th>
-                }
-                <td>
-                    @if (IsValidURL(str))
-                    {
-                        <a href="@Safe.Raw(str)" target="_blank" rel="noreferrer noopener">@Safe.Raw(str)</a>
-                    }
-                    else
-                    {
-                        @Safe.Raw(value?.ToString())
-                    }
-                </td>
-            }
-            else if (value is Dictionary<string, object>subItems)
-            {
-                @* This is the array case *@
-                if (subItems.Count == 1 && subItems.First().Value is string str2)
-                {
-                    <th class="w-150px">@Safe.Raw(key)</th>
-                    <td>
-                        @if (IsValidURL(str2))
-                        {
-                            <a href="@Safe.Raw(str2)" target="_blank" rel="noreferrer noopener">@Safe.Raw(str2)</a>
-                        }
-                        else
-                        {
-                            @Safe.Raw(subItems.First().Value?.ToString())
-                        }
-                    </td>
-                }
-                else
-                {
-                    <td colspan="2" >
-                        @Safe.Raw($"<h{Model.Level + 3} class=\"mt-4 mb-3\">{key}</h{Model.Level + 3}>")
-                        <partial name="PosData" model="(subItems, Model.Level + 1)"/>
-                    </td>
-                }
-            }
-        </tr>
-    }
-</table>
-
diff --git a/BTCPayServer/Views/UILNURL/EditLightningAddress.cshtml b/BTCPayServer/Views/UILNURL/EditLightningAddress.cshtml
index daa0d5b874..4070dfa746 100644
--- a/BTCPayServer/Views/UILNURL/EditLightningAddress.cshtml
+++ b/BTCPayServer/Views/UILNURL/EditLightningAddress.cshtml
@@ -69,7 +69,7 @@
                 <div class="col-12 col-sm-auto">
                     <div class="form-group">
                         <label asp-for="Add.CurrencyCode" class="form-label"></label>
-                        <input asp-for="Add.CurrencyCode" class="form-control" style="max-width:16ch;"/>
+                        <input asp-for="Add.CurrencyCode" class="form-control w-auto" currency-selection style="max-width:16ch;"/>
                         <span asp-validation-for="Add.CurrencyCode" class="text-danger"></span>
                     </div>
                 </div>
@@ -126,15 +126,15 @@
                             <td class="settings-holder align-middle">
                                 @if (Model.Items[index].Min.HasValue)
                                 {
-                                    <span>@Safe.Raw($"{Model.Items[index].Min} min sats")</span>
+                                    <span>@Model.Items[index].Min min sats</span>
                                 }
                                 @if (Model.Items[index].Max.HasValue)
                                 {
-                                    <span> @Safe.Raw($"{Model.Items[index].Max} max sats")</span>
+                                    <span>@Model.Items[index].Max max sats</span>
                                 }
                                 @if (!string.IsNullOrEmpty(Model.Items[index].CurrencyCode))
                                 {
-                                    <span> @Safe.Raw($"tracked in {Model.Items[index].CurrencyCode}")</span>
+                                    <span>tracked in @Model.Items[index].CurrencyCode</span>
                                 }
                             </td>
                             <td class="text-end">