
CSP: Remove unsafe-eval when vue isn't used #4747

Merged
merged 2 commits into from Mar 8, 2023

Conversation

NicolasDorier
Member

@NicolasDorier NicolasDorier commented Mar 8, 2023

Fixing XSS through vue.

We should NEVER do something like this:

```html
<blah v-blah2="{{ blah3 }}">@blah4</blah>
```

The fact that v- is present means that VueJs will parse the block (and all its descendants).
If @blah4 is {{ alert("lol") }}, then the JS will be injected, as Vue requires CSP unsafe-eval...

Short story: If you use VueJS, DO NOT mix it with Razor templates. If you do, you need to be extra careful about whether or not the data comes from the user and is properly validated.

If you want to make VueJs ignore blocks, you need to use v-pre on the element. This is needed when you are using some partial pages which may be included in a page with vue.

Credit to @cupc4k3
https://huntr.dev/bounties/ad1f917f-2b25-40ef-9215-c805354c683b/

Note that this PR also removes unsafe-eval where I think vue isn't used.
It may break things, but tests are fine.

@NicolasDorier NicolasDorier merged commit 7b5ce8f into btcpayserver:master Mar 8, 2023
@NicolasDorier NicolasDorier deleted the qiontwq branch March 8, 2023 08:57
dennisreimann added a commit to dennisreimann/btcpayserver that referenced this pull request Mar 15, 2023
They broke with btcpayserver#4747, because they contain script blocks that are loaded asynchronously and need to get run once the chart data is added to the page.
NicolasDorier added a commit that referenced this pull request Mar 16, 2023
* Dashboard: Fix app stats tiles

They broke with #4747, because they contain script blocks that are loaded asynchronously and need to get run once the chart data is added to the page.

* Refactor PoS dashboard component

* Collocate the component JS files in separate files

---------

Co-authored-by: nicolas.dorier <nicolas.dorier@gmail.com>