Fix several HTML injections (#4545)

This commit is contained in:
Nicolas Dorier
2023-01-22 03:08:12 +09:00
committed by GitHub
parent 5f24b41250
commit a3203e5775
22 changed files with 59 additions and 43 deletions


@@ -13,6 +13,7 @@ using BTCPayServer.Services.Stores;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Rendering;
namespace BTCPayServer.Controllers
{
@@ -23,11 +24,13 @@ namespace BTCPayServer.Controllers
public UIAppsController(
UserManager<ApplicationUser> userManager,
StoreRepository storeRepository,
AppService appService)
AppService appService,
IHtmlHelper html)
{
_userManager = userManager;
_storeRepository = storeRepository;
_appService = appService;
Html = html;
}
private readonly UserManager<ApplicationUser> _userManager;
@@ -35,6 +38,7 @@ namespace BTCPayServer.Controllers
private readonly AppService _appService;
public string CreatedAppId { get; set; }
public IHtmlHelper Html { get; }
public class AppUpdated
{
@@ -175,7 +179,7 @@ namespace BTCPayServer.Controllers
if (app == null)
return NotFound();
return View("Confirm", new ConfirmModel("Delete app", $"The app <strong>{app.Name}</strong> and its settings will be permanently deleted. Are you sure?", "Delete"));
return View("Confirm", new ConfirmModel("Delete app", $"The app <strong>{Html.Encode(app.Name)}</strong> and its settings will be permanently deleted. Are you sure?", "Delete"));
}
[Authorize(Policy = Policies.CanModifyStoreSettings, AuthenticationSchemes = AuthenticationSchemes.Cookie)]