From a5bd27661bb198d1ac2325b3cf7d7ee499c37d08 Mon Sep 17 00:00:00 2001
From: "nicolas.dorier" <nicolas.dorier@gmail.com>
Date: Tue, 24 Oct 2017 14:52:19 +0900
Subject: [PATCH] fix xxs vulns

---
 BTCPayServer/Extensions.cs                 | 4 ++--
 BTCPayServer/Views/Invoice/Checkout.cshtml | 3 ++-
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/BTCPayServer/Extensions.cs b/BTCPayServer/Extensions.cs
index 06c64fea0..bd8eaa71c 100644
--- a/BTCPayServer/Extensions.cs
+++ b/BTCPayServer/Extensions.cs
@@ -49,10 +49,10 @@ namespace BTCPayServer
 		}
 
 		private static JsonSerializerSettings jsonSettings = new JsonSerializerSettings { ContractResolver = new CamelCasePropertyNamesContractResolver() };
-		public static HtmlString ToJson(this object o)
+		public static string ToJson(this object o)
 		{
 			var res = JsonConvert.SerializeObject(o, Formatting.None, jsonSettings);
-			return new HtmlString(res);
+			return res;
 		}
 	}
 }
diff --git a/BTCPayServer/Views/Invoice/Checkout.cshtml b/BTCPayServer/Views/Invoice/Checkout.cshtml
index bafb037f6..877059d72 100644
--- a/BTCPayServer/Views/Invoice/Checkout.cshtml
+++ b/BTCPayServer/Views/Invoice/Checkout.cshtml
@@ -1,4 +1,5 @@
 @model PaymentModel
+@inject System.Text.Encodings.Web.JavaScriptEncoder jsEncoder;
 @{
 	Layout = null;
 	ViewData["Title"] = "Payment";
@@ -27,7 +28,7 @@
 			crossorigin="anonymous"></script>
 	<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery.qrcode/1.0/jquery.qrcode.min.js"></script>
 	<script type="text/javascript">
-        var srvModel = JSON.parse('@Model.ToJson()');
+		var srvModel = JSON.parse('@jsEncoder.Encode(Model.ToJson())');
 	</script>
 	<script src="https://cdnjs.cloudflare.com/ajax/libs/clipboard.js/1.7.1/clipboard.min.js"></script>
 	<script src="~/js/core.js" type="text/javascript" defer="defer"></script>