
[Core] Ensure all TPL variables are escaped
BitcoinMitchell committed Feb 20, 2024
1 parent 6ec96f2 commit 97ef03a
Showing 4 changed files with 38 additions and 38 deletions.
34 changes: 17 additions & 17 deletions modules/btcpay/views/templates/admin/invoice_block.tpl
Expand Up @@ -9,20 +9,20 @@
<div class="row">
<div class="col-sm text-center">
<p class="text-muted mb-0"><strong>Invoice</strong></p>
<a class="configure-link" href="{$server_url}/invoices/{$invoice.id}" target="_blank" rel="noopener noreferrer nofollow">{$invoice.id}</a>
<a class="configure-link" href="{$server_url|escape:'htmlall':'UTF-8'}/invoices/{$invoice.id|escape:'htmlall':'UTF-8'}" target="_blank" rel="noopener noreferrer nofollow">{$invoice.id|escape:'htmlall':'UTF-8'}</a>
</div>

<div class="col-sm text-center">
<p class="text-muted mb-0"><strong>Status</strong></p>
<p class="mb-0">
{if $invoice.status == constant('\BTCPayServer\Result\Invoice::STATUS_EXPIRED')}
<span class="badge badge-danger">{$invoice.status}</span>
<span class="badge badge-danger">{$invoice.status|escape:'htmlall':'UTF-8'}</span>
{elseif $invoice.status == constant('\BTCPayServer\Result\Invoice::STATUS_PROCESSING') OR $invoice.status == constant('\BTCPayServer\Result\Invoice::ADDITIONAL_STATUS_PAID_PARTIAL') or $invoice.status == constant('\BTCPayServer\Result\Invoice::ADDITIONAL_STATUS_PAID_OVER')}
<span class="badge badge-warning">{$invoice.status}</span>
<span class="badge badge-warning">{$invoice.status|escape:'htmlall':'UTF-8'}</span>
{elseif $invoice.status == constant('\BTCPayServer\Result\Invoice::STATUS_SETTLED')}
<span class="badge badge-success">{$invoice.status}</span>
<span class="badge badge-success">{$invoice.status|escape:'htmlall':'UTF-8'}</span>
{else}
{$invoice.status}
{$invoice.status|escape:'htmlall':'UTF-8'}
{/if}
</p>
</div>
Expand All @@ -36,8 +36,8 @@
{foreach $paymentMethods as $paymentMethod}
{if not empty($paymentMethod->getPayments())}
{assign currencyCode "_"|explode:$paymentMethod.paymentMethod|current}
<a class="nav-item nav-link{if $paymentMethod@first} active{/if}" id="nav-{$currencyCode|strtolower}-tab" data-toggle="tab" href="#nav-{$currencyCode|strtolower}" role="tab" aria-controls="nav-{$currencyCode|strtolower}" aria-selected="true">
<strong>{$currencyCode}</strong>
<a class="nav-item nav-link{if $paymentMethod@first} active{/if}" id="nav-{$currencyCode|strtolower|escape:'htmlall':'UTF-8'}-tab" data-toggle="tab" href="#nav-{$currencyCode|strtolower|escape:'htmlall':'UTF-8'}" role="tab" aria-controls="nav-{$currencyCode|strtolower|escape:'htmlall':'UTF-8'}" aria-selected="true">
<strong>{$currencyCode|escape:'htmlall':'UTF-8'}</strong>
</a>
{/if}
{/foreach}
Expand All @@ -47,24 +47,24 @@
{foreach $paymentMethods as $paymentMethod}
{if not empty($paymentMethod->getPayments())}
{assign currencyCode "_"|explode:$paymentMethod.paymentMethod|current}
<div class="tab-pane fade{if $paymentMethod@first} show active{/if}" id="nav-{$currencyCode|strtolower}" role="tabpanel" aria-labelledby="nav-{$currencyCode|strtolower}-tab">
<table id="{$currencyCode}-details" class="table table-bordered my-2">
<div class="tab-pane fade{if $paymentMethod@first} show active{/if}" id="nav-{$currencyCode|strtolower|escape:'htmlall':'UTF-8'}" role="tabpanel" aria-labelledby="nav-{$currencyCode|strtolower|escape:'htmlall':'UTF-8'}-tab">
<table id="{$currencyCode|escape:'htmlall':'UTF-8'}-details" class="table table-bordered my-2">
<thead>
<tr>
<th class="table-head-rate">{l s='Rate' d='Modules.Btcpay.Global'}</th>
<th class="table-head-cart-amount">{l s='Invoice amount' d='Modules.Btcpay.Global'}</th>
<th class="table-head-paid-amount">{l s='Total amount paid in %s' sprintf=[$currencyCode] d='Modules.Btcpay.Global'}</th>
<th class="table-head-paid-amount">{l s='Total amount paid in %s' sprintf=[$currencyCode|escape:'htmlall':'UTF-8'] d='Modules.Btcpay.Global'}</th>
</tr>
</thead>
<tbody>
<tr>
<td>{$storeCurrency} {$paymentMethod.rate}</td>
<td>{$paymentMethod.amount} {$paymentMethod.paymentMethod}</td>
<td>{$paymentMethod.paymentMethodPaid} {$paymentMethod.paymentMethod}</td>
<td>{$storeCurrency|escape:'htmlall':'UTF-8'} {$paymentMethod.rate|escape:'htmlall':'UTF-8'}</td>
<td>{$paymentMethod.amount|escape:'htmlall':'UTF-8'} {$paymentMethod.paymentMethod|escape:'htmlall':'UTF-8'}</td>
<td>{$paymentMethod.paymentMethodPaid|escape:'htmlall':'UTF-8'} {$paymentMethod.paymentMethod|escape:'htmlall':'UTF-8'}</td>
</tr>
</tbody>
</table>
<table id="{$currencyCode}-payments" class="table table-bordered my-2">
<table id="{$currencyCode|escape:'htmlall':'UTF-8'}-payments" class="table table-bordered my-2">
<thead>
<tr>
<th class="table-head-date">{l s='Date' d='Modules.Btcpay.Global'}</th>
Expand All @@ -76,11 +76,11 @@
{foreach $paymentMethod->getPayments() as $payment}
<tr>
<td>{$payment->getReceivedTimestamp()|date_format:"%Y-%m-%d %T"}</td>
<td>{$payment.value} {$currencyCode}</td>
<td>{$payment.value|escape:'htmlall':'UTF-8'} {$currencyCode|escape:'htmlall':'UTF-8'}</td>
{if $currencyCode == 'BTC'}
<td><a href="https://mempool.space/tx/{$payment->getTransactionId()}" target="_blank" rel="noopener noreferrer nofollow">{$payment->getTransactionId()}</a></td>
<td><a href="https://mempool.space/tx/{$payment->getTransactionId()|escape:'htmlall':'UTF-8'}" target="_blank" rel="noopener noreferrer nofollow">{$payment->getTransactionId()|escape:'htmlall':'UTF-8'}</a></td>
{else}
<td><a href="https://blockchair.com/search?q={$payment->getTransactionId()}" target="_blank" rel="noopener noreferrer nofollow">{$payment->getTransactionId()}</a></td>
<td><a href="https://blockchair.com/search?q={$payment->getTransactionId()|escape:'htmlall':'UTF-8'}" target="_blank" rel="noopener noreferrer nofollow">{$payment->getTransactionId()|escape:'htmlall':'UTF-8'}</a></td>
{/if}
</tr>
{/foreach}
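Review bot: The transaction id interpolated into the href of the mempool.space and blockchair links (the new lines with `.../tx/{$payment->getTransactionId()|escape:'htmlall':'UTF-8'}` and `...search?q={$payment->getTransactionId()|escape:'htmlall':'UTF-8'}`) is escaped for the HTML-attribute context but not for the URL context it lands in, so characters that are significant in a path or query string (`/`, `?`, `&`, `#`) pass through unchanged. The context-correct modifier for the href part is `|escape:'url'`, which emits only percent-encoded output and is therefore attribute-safe as well; the visible anchor text can keep `htmlall`. The same pattern appears in the corresponding hunk of hooks/order_detail.tpl and should be changed there too. The `{$server_url}` prefix of the invoice link is presumably an operator-configured base URL, so `htmlall` is the appropriate filter for it.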
22 changes: 11 additions & 11 deletions modules/btcpay/views/templates/hooks/order_detail.tpl
Expand Up @@ -3,7 +3,7 @@
<div class="row">
<div class="col-md-4 m-1 my-2">
<p class="text-muted mb-0"><strong>Invoice</strong></p>
<a class="configure-link" href="{$serverURL}/i/{$invoice.id}" target="_blank" rel="noopener noreferrer nofollow">{$invoice.id}</a>
<a class="configure-link" href="{$serverURL|escape:'htmlall':'UTF-8'}/i/{$invoice.id|escape:'htmlall':'UTF-8'}" target="_blank" rel="noopener noreferrer nofollow">{$invoice.id|escape:'htmlall':'UTF-8'}</a>
</div>
<div class="col-md-4 m-1 my-2">
<p class="text-muted mb-0"><strong>Status</strong></p>
Expand All @@ -28,26 +28,26 @@
{foreach $paymentMethods as $paymentMethod}
{if not empty($paymentMethod->getPayments())}
{assign currencyCode "_"|explode:$paymentMethod.paymentMethod|current}
<h5 class="mt-2 mb-0">{$currencyCode}</h5>
<h5 class="mt-2 mb-0">{$currencyCode|escape:'htmlall':'UTF-8'}</h5>

<table id="{$currencyCode}-details" class="table table-bordered my-2">
<table id="{$currencyCode|escape:'htmlall':'UTF-8'}-details" class="table table-bordered my-2">
<thead>
<tr>
<th class="table-head-rate">{l s='Rate' d='Modules.Btcpay.Global'}</th>
<th class="table-head-cart-amount">{l s='Invoice amount' d='Modules.Btcpay.Global'}</th>
<th class="table-head-paid-amount">{l s='Total amount paid in %s' sprintf=[$currencyCode] d='Modules.Btcpay.Global'}</th>
<th class="table-head-paid-amount">{l s='Total amount paid in %s' sprintf=[$currencyCode|escape:'htmlall':'UTF-8'] d='Modules.Btcpay.Global'}</th>
</tr>
</thead>
<tbody>
<tr>
<td>{$storeCurrency} {$paymentMethod.rate}</td>
<td>{$paymentMethod.amount} {$paymentMethod.paymentMethod}</td>
<td>{$paymentMethod.paymentMethodPaid} {$paymentMethod.paymentMethod}</td>
<td>{$storeCurrency|escape:'htmlall':'UTF-8'} {$paymentMethod.rate|escape:'htmlall':'UTF-8'}</td>
<td>{$paymentMethod.amount|escape:'htmlall':'UTF-8'} {$paymentMethod.paymentMethod|escape:'htmlall':'UTF-8'}</td>
<td>{$paymentMethod.paymentMethodPaid|escape:'htmlall':'UTF-8'} {$paymentMethod.paymentMethod|escape:'htmlall':'UTF-8'}</td>
</tr>
</tbody>
</table>

<table id="{$currencyCode}-payments" class="table table-bordered my-2">
<table id="{$currencyCode|escape:'htmlall':'UTF-8'}-payments" class="table table-bordered my-2">
<thead>
<tr>
<th class="table-head-date">{l s='Date' d='Modules.Btcpay.Global'}</th>
Expand All @@ -59,11 +59,11 @@
{foreach $paymentMethod->getPayments() as $payment}
<tr>
<td>{$payment->getReceivedTimestamp()|date_format:"%Y-%m-%d %T"}</td>
<td>{$payment.value} {$currencyCode}</td>
<td>{$payment.value|escape:'htmlall':'UTF-8'} {$currencyCode|escape:'htmlall':'UTF-8'}</td>
{if $currencyCode == 'BTC'}
<td><a href="https://mempool.space/tx/{$payment->getTransactionId()}" target="_blank" rel="noopener noreferrer nofollow">{$payment->getTransactionId()}</a></td>
<td><a href="https://mempool.space/tx/{$payment->getTransactionId()|escape:'htmlall':'UTF-8'}" target="_blank" rel="noopener noreferrer nofollow">{$payment->getTransactionId()|escape:'htmlall':'UTF-8'}</a></td>
{else}
<td><a href="https://blockchair.com/search?q={$payment->getTransactionId()}" target="_blank" rel="noopener noreferrer nofollow">{$payment->getTransactionId()}</a></td>
<td><a href="https://blockchair.com/search?q={$payment->getTransactionId()|escape:'htmlall':'UTF-8'}" target="_blank" rel="noopener noreferrer nofollow">{$payment->getTransactionId()|escape:'htmlall':'UTF-8'}</a></td>
{/if}
</tr>
{/foreach}
4 changes: 2 additions & 2 deletions modules/btcpay/views/templates/hooks/payment_option.tpl
Expand Up @@ -4,10 +4,10 @@
<p class="mb-1"><strong>{l s='Supported payment methods' d='Modules.Btcpay.Front'}</strong>:</p>
<dl>
{foreach $offChain as $paymentMethod}
<dt>{$paymentMethod.cryptoCode} Lightning ⚡</dt>
<dt>{$paymentMethod.cryptoCode|escape:'htmlall':'UTF-8'} Lightning ⚡</dt>
{/foreach}
{foreach $onChain as $paymentMethod}
<dt>{$paymentMethod.cryptoCode} (On-Chain)</dt>
<dt>{$paymentMethod.cryptoCode|escape:'htmlall':'UTF-8'} (On-Chain)</dt>
{/foreach}
</dl>
</section>
16 changes: 8 additions & 8 deletions modules/btcpay/views/templates/hooks/payment_return.tpl
Expand Up @@ -2,17 +2,17 @@
{if $order_state == $os_paid}
<p>{l s='Your order has been paid for.' d='Modules.Btcpay.Front'}</p>
<p><strong>{l s="We will ship out your order as soon as we're able to." d='Modules.Btcpay.Front'}</strong></p>
<p>{l s='If you have questions, comments or concerns, please contact our' d='Modules.Btcpay.Front'} <a href="{$link->getPageLink('contact', true)|escape:'html'}">{l s='expert customer support team.' d='Modules.Btcpay.Front'}</a></p>
<p>{l s='If you have questions, comments or concerns, please contact our' d='Modules.Btcpay.Front'} <a href="{$link->getPageLink('contact', true)|escape:'htmlall':'UTF-8'}">{l s='expert customer support team.' d='Modules.Btcpay.Front'}</a></p>
{elseif $order_state == $os_failed}
<p class="warning">{l s='The invoice was not succesfully paid. Either because the invoice expired or your transaction never confirmed.' d='Modules.Btcpay.Front'}</p>
<p>{l s='If you think this is an error, feel free to contact our' d='Modules.Btcpay.Front'} <a href="{$link->getPageLink('contact', true)|escape:'html'}">{l s='expert customer support team.' d='Modules.Btcpay.Front'}</a></p>
<p>{l s='If you think this is an error, feel free to contact our' d='Modules.Btcpay.Front'} <a href="{$link->getPageLink('contact', true)|escape:'htmlall':'UTF-8'}">{l s='expert customer support team.' d='Modules.Btcpay.Front'}</a></p>
{elseif $order_state == $os_waiting}
<p>{l s="Your order is awaiting payment. If you haven't paid yet, you can <a href='%s' title='Go to the payment page' target='_blank'>click here to go back to the payment page</a>." sprintf=[$bitcoinPayment->getRedirect()] d='Modules.Btcpay.Front'|escape:'html'}</p>
<p>{l s='If you have questions, comments or concerns, please contact our' d='Modules.Btcpay.Front'} <a href="{$link->getPageLink('contact', true)|escape:'html'}">{l s='expert customer support team.' d='Modules.Btcpay.Front'}</a></p>
<p>{l s="Your order is awaiting payment. If you haven't paid yet, you can <a href='%s' title='Go to the payment page' target='_blank'>click here to go back to the payment page</a>." sprintf=[$bitcoinPayment->getRedirect()] d='Modules.Btcpay.Front'|escape:'htmlall':'UTF-8'}</p>
<p>{l s='If you have questions, comments or concerns, please contact our' d='Modules.Btcpay.Front'} <a href="{$link->getPageLink('contact', true)|escape:'htmlall':'UTF-8'}">{l s='expert customer support team.' d='Modules.Btcpay.Front'}</a></p>
{elseif $order_state == $os_confirming}
<p>{l s='Your order is awaiting confirmations.' d='Modules.Btcpay.Front'}</p>
<p>{l s='Your order will be processed as soon as your payment is confirmed by the relevant crypto network.' d='Modules.Btcpay.Front'}</p>
<p>{l s='If you have questions, comments or concerns, please contact our' d='Modules.Btcpay.Front'} <a href="{$link->getPageLink('contact', true)|escape:'html'}">{l s='expert customer support team.' d='Modules.Btcpay.Front'}</a></p>
<p>{l s='If you have questions, comments or concerns, please contact our' d='Modules.Btcpay.Front'} <a href="{$link->getPageLink('contact', true)|escape:'htmlall':'UTF-8'}">{l s='expert customer support team.' d='Modules.Btcpay.Front'}</a></p>
{/if}
<hr/>
<table class="table table-striped table-bordered table-labeled hidden-xs-down">
Expand All @@ -25,10 +25,10 @@
<tbody>
{foreach from=$presenter.history item=state}
<tr>
<td>{$state.history_date}</td>
<td>{$state.history_date|escape:'htmlall':'UTF-8'}</td>
<td>
<span class="label label-pill {$state.contrast}" style="background-color:{$state.color}">
{$state.ostate_name}
<span class="label label-pill {$state.contrast|escape:'htmlall':'UTF-8'}" style="background-color:{$state.color}">
{$state.ostate_name|escape:'htmlall':'UTF-8'}
</span>
</td>
</tr>
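Review bot: On the awaiting-payment line (`{l s="Your order is awaiting payment. ..." sprintf=[$bitcoinPayment->getRedirect()] d='Modules.Btcpay.Front'|escape:'htmlall':'UTF-8'}`) the escape modifier is attached to the `d='Modules.Btcpay.Front'` attribute value rather than to the sprintf argument, so the redirect URL is still interpolated into the single-quoted `href='%s'` inside the translated string without any escaping; the commit only swapped which no-op filter is applied to the domain name. Because the translation intentionally contains markup, the filter has to sit on the argument: `sprintf=[$bitcoinPayment->getRedirect()|escape:'htmlall':'UTF-8']`, with the trailing `|escape:'htmlall':'UTF-8'` on `d=` removed. In the order-history hunk further down, `style="background-color:{$state.color}"` is the remaining unescaped output on a line whose sibling `$state.contrast` was escaped; `{$state.color|escape:'htmlall':'UTF-8'}` closes that gap, although the value presumably comes from the order-state configuration rather than from a customer.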

