mirror of
https://github.com/aljazceru/btcpayserver.git
synced 2025-12-18 22:44:29 +01:00
2e6246e385
* Move TagHelpers to Abstractions Makes them available for use in plugins. Also cleans up the tag helper references in the view code: As we have it in the root view imports, the individual directives in the views are superfluous. * Move CurrenciesSuggestionsTagHelper back To get rid of the Rating dependency in Abstractions.
34 lines
1.0 KiB
C#
34 lines
1.0 KiB
C#
using BTCPayServer.Security;
|
|
using Microsoft.AspNetCore.Razor.TagHelpers;
|
|
using NBitcoin;
|
|
|
|
namespace BTCPayServer.Abstractions.TagHelpers;
|
|
|
|
/// <summary>
|
|
/// Add a nonce-* so the inline-script can pass CSP rule when they are rendered server-side
|
|
/// </summary>
|
|
[HtmlTargetElement("script")]
|
|
public class CSPInlineScriptTagHelper : TagHelper
|
|
{
|
|
private readonly ContentSecurityPolicies _csp;
|
|
|
|
public CSPInlineScriptTagHelper(ContentSecurityPolicies csp)
|
|
{
|
|
_csp = csp;
|
|
}
|
|
|
|
public override void Process(TagHelperContext context, TagHelperOutput output)
|
|
{
|
|
if (output.Attributes.ContainsName("src"))
|
|
return;
|
|
if (output.Attributes.TryGetAttribute("type", out var attr))
|
|
{
|
|
if (attr.Value?.ToString() != "text/javascript")
|
|
return;
|
|
}
|
|
var nonce = RandomUtils.GetUInt256().ToString().Substring(0, 32);
|
|
output.Attributes.Add(new TagHelperAttribute("nonce", nonce));
|
|
_csp.Add("script-src", $"'nonce-{nonce}'");
|
|
}
|
|
}
|