Fix several HTML injections (#4545)

This commit is contained in:
Nicolas Dorier
2023-01-22 03:08:12 +09:00
committed by GitHub
parent 5f24b41250
commit a3203e5775
22 changed files with 59 additions and 43 deletions


@@ -65,7 +65,8 @@ namespace BTCPayServer.Controllers
WebhookSender webhookNotificationManager,
IDataProtectionProvider dataProtector,
IOptions<LightningNetworkOptions> lightningNetworkOptions,
IOptions<ExternalServicesOptions> externalServiceOptions)
IOptions<ExternalServicesOptions> externalServiceOptions,
IHtmlHelper html)
{
_RateFactory = rateFactory;
_Repo = repo;
@@ -89,6 +90,7 @@ namespace BTCPayServer.Controllers
_BtcpayServerOptions = btcpayServerOptions;
_BTCPayEnv = btcpayEnv;
_externalServiceOptions = externalServiceOptions;
Html = html;
}
readonly BTCPayServerOptions _BtcpayServerOptions;
@@ -113,6 +115,7 @@ namespace BTCPayServer.Controllers
public string? GeneratedPairingCode { get; set; }
public WebhookSender WebhookNotificationManager { get; }
public IHtmlHelper Html { get; }
public LightningNetworkOptions LightningNetworkOptions { get; }
public IDataProtector DataProtector { get; }
@@ -180,7 +183,7 @@ namespace BTCPayServer.Controllers
var user = await _UserManager.FindByIdAsync(userId);
if (user == null)
return NotFound();
return View("Confirm", new ConfirmModel("Remove store user", $"This action will prevent <strong>{user.Email}</strong> from accessing this store and its settings. Are you sure?", "Remove"));
return View("Confirm", new ConfirmModel("Remove store user", $"This action will prevent <strong>{Html.Encode(user.Email)}</strong> from accessing this store and its settings. Are you sure?", "Remove"));
}
[HttpPost("{storeId}/users/{userId}/delete")]
@@ -776,7 +779,7 @@ namespace BTCPayServer.Controllers
var token = await _TokenRepository.GetToken(tokenId);
if (token == null || token.StoreId != CurrentStore.Id)
return NotFound();
return View("Confirm", new ConfirmModel("Revoke the token", $"The access token with the label <strong>{token.Label}</strong> will be revoked. Do you wish to continue?", "Revoke"));
return View("Confirm", new ConfirmModel("Revoke the token", $"The access token with the label <strong>{Html.Encode(token.Label)}</strong> will be revoked. Do you wish to continue?", "Revoke"));
}
[HttpPost("{storeId}/tokens/{tokenId}/revoke")]