Fix: HTML injection in payment request/posData/receiptData (Close #4678) (#4679)

Co-authored-by: Dennis Reimann <mail@dennisreimann.de>
2026-01-24 16:34:35 +01:00 · 2023-02-23 00:35:34 +09:00
parent e6a157a101
commit ddb125f458
5 changed files with 28 additions and 78 deletions
--- a/BTCPayServer/Views/Shared/Bitcoin/BitcoinLikeMethodCheckoutNoScript.cshtml
+++ b/BTCPayServer/Views/Shared/Bitcoin/BitcoinLikeMethodCheckoutNoScript.cshtml
@@ -1,6 +1,6 @@
@model PaymentModel
 <div>
-    <p>To complete payment, please send <b>@Safe.Raw(Model.IsUnsetTopUp? "any amount of": Model.BtcDue) @Model.CryptoCode</b> to <b style="word-break: break-word;">@Model.BtcAddress</b></p>
+    <p>To complete payment, please send <b>@(Model.IsUnsetTopUp ? "any amount of" : Model.BtcDue) @Model.CryptoCode</b> to <b style="word-break: break-word;">@Model.BtcAddress</b></p>
    <p>Time remaining: @Model.TimeLeft</p>
    <p>
        <a href="@Model.InvoiceBitcoinUrl" style="word-break: break-word;" rel="noreferrer noopener">@Model.InvoiceBitcoinUrl</a>