From 880635d6157da2bb11cc5c191b38b2e9dd3e78b3 Mon Sep 17 00:00:00 2001
From: Umar Bolatov <bolatovumar@gmail.com>
Date: Thu, 6 Oct 2022 01:43:18 -0700
Subject: [PATCH] Make sure string is valid URL before rendering it as such in
 invoice details POS data section (#4197)

---
 BTCPayServer/Views/UIInvoice/PosData.cshtml | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

diff --git a/BTCPayServer/Views/UIInvoice/PosData.cshtml b/BTCPayServer/Views/UIInvoice/PosData.cshtml
index c30de63d6..807a85b99 100644
--- a/BTCPayServer/Views/UIInvoice/PosData.cshtml
+++ b/BTCPayServer/Views/UIInvoice/PosData.cshtml
@@ -1,6 +1,15 @@
 @model (Dictionary<string, object> Items, int Level)
 
-<table class="table table-hover my-0">
+@functions{
+    public bool IsValidURL(string source)
+    {
+        Uri uriResult;
+        return Uri.TryCreate(source, UriKind.Absolute, out uriResult) && 
+            (uriResult.Scheme == Uri.UriSchemeHttp || uriResult.Scheme == Uri.UriSchemeHttps);
+    }
+}
+
+<table class="table my-0">
     @foreach (var (key, value) in Model.Items)
     {
         <tr>
@@ -11,7 +20,7 @@
                     <th class="w-150px">@Safe.Raw(key)</th>
                 }
                 <td>
-                    @if (Uri.IsWellFormedUriString(str, UriKind.RelativeOrAbsolute))
+                    @if (IsValidURL(str))
                     {
                         <a href="@Safe.Raw(str)" target="_blank" rel="noreferrer noopener">@Safe.Raw(str)</a>
                     }
@@ -28,7 +37,7 @@
                 {
                     <th class="w-150px">@Safe.Raw(key)</th>
                     <td>
-                        @if (Uri.IsWellFormedUriString(str2, UriKind.RelativeOrAbsolute))
+                        @if (IsValidURL(str2))
                         {
                             <a href="@Safe.Raw(str2)" target="_blank" rel="noreferrer noopener">@Safe.Raw(str2)</a>
                         }