From dd8782f68140a05f4fc4084aceb5e892ef4c27b7 Mon Sep 17 00:00:00 2001
From: BitcoinMitchell <BitcoinMitchell@users.noreply.github.com>
Date: Mon, 19 Feb 2024 23:10:01 +0100
Subject: [PATCH] [Core] Ensure all TPL variables are escaped

---
 .../views/templates/admin/invoice_block.tpl   | 26 +++++++++----------
 .../views/templates/hooks/order_detail.tpl    | 22 ++++++++--------
 .../views/templates/hooks/payment_option.tpl  |  4 +--
 .../views/templates/hooks/payment_return.tpl  | 16 ++++++------
 4 files changed, 34 insertions(+), 34 deletions(-)

diff --git a/modules/btcpay/views/templates/admin/invoice_block.tpl b/modules/btcpay/views/templates/admin/invoice_block.tpl
index 7f7c0a4..99041d6 100644
--- a/modules/btcpay/views/templates/admin/invoice_block.tpl
+++ b/modules/btcpay/views/templates/admin/invoice_block.tpl
@@ -9,7 +9,7 @@
         <div class="row">
           <div class="col-sm text-center">
             <p class="text-muted mb-0"><strong>Invoice</strong></p>
-            <a class="invoice-link font-size-100" href="{$server_url}/invoices/{$invoice.id}" target="_blank" rel="noopener noreferrer nofollow">{$invoice.id}</a>
+            <a class="invoice-link font-size-100" href="{$server_url|escape:'htmlall':'UTF-8'}/invoices/{$invoice.id|escape:'htmlall':'UTF-8'}" target="_blank" rel="noopener noreferrer nofollow">{$invoice.id|escape:'htmlall':'UTF-8'}</a>
           </div>
 
           <div class="col-sm text-center">
@@ -50,8 +50,8 @@
         {foreach $paymentMethods as $paymentMethod}
           {if not empty($paymentMethod->getPayments())}
             {assign currencyCode "_"|explode:$paymentMethod.paymentMethod|current}
-            <a class="nav-item nav-link{if $paymentMethod@first} active{/if}" id="nav-{$currencyCode|strtolower}-tab" data-toggle="tab" href="#nav-{$currencyCode|strtolower}" role="tab" aria-controls="nav-{$currencyCode|strtolower}" aria-selected="true">
-              <strong>{$currencyCode}</strong>
+            <a class="nav-item nav-link{if $paymentMethod@first} active{/if}" id="nav-{$currencyCode|strtolower|escape:'htmlall':'UTF-8'}-tab" data-toggle="tab" href="#nav-{$currencyCode|strtolower|escape:'htmlall':'UTF-8'}" role="tab" aria-controls="nav-{$currencyCode|strtolower|escape:'htmlall':'UTF-8'}" aria-selected="true">
+              <strong>{$currencyCode|escape:'htmlall':'UTF-8'}</strong>
             </a>
           {/if}
         {/foreach}
@@ -61,24 +61,24 @@
       {foreach $paymentMethods as $paymentMethod}
         {if not empty($paymentMethod->getPayments())}
               {assign currencyCode "_"|explode:$paymentMethod.paymentMethod|current}
-              <div class="tab-pane fade{if $paymentMethod@first} show active{/if}" id="nav-{$currencyCode|strtolower}" role="tabpanel" aria-labelledby="nav-{$currencyCode|strtolower}-tab">
-                <table id="{$currencyCode}-details" class="table table-bordered my-2">
+              <div class="tab-pane fade{if $paymentMethod@first} show active{/if}" id="nav-{$currencyCode|strtolower|escape:'htmlall':'UTF-8'}" role="tabpanel" aria-labelledby="nav-{$currencyCode|strtolower|escape:'htmlall':'UTF-8'}-tab">
+                <table id="{$currencyCode|escape:'htmlall':'UTF-8'}-details" class="table table-bordered my-2">
                   <thead>
                   <tr>
                     <th class="table-head-rate">{l s='Rate' d='Modules.Btcpay.Global'}</th>
                     <th class="table-head-cart-amount">{l s='Invoice amount' d='Modules.Btcpay.Global'}</th>
-                    <th class="table-head-paid-amount">{l s='Total amount paid in %s' sprintf=[$currencyCode] d='Modules.Btcpay.Global'}</th>
+                    <th class="table-head-paid-amount">{l s='Total amount paid in %s' sprintf=[$currencyCode|escape:'htmlall':'UTF-8'] d='Modules.Btcpay.Global'}</th>
                   </tr>
                   </thead>
                   <tbody>
                   <tr>
-                    <td>{$storeCurrency} {$paymentMethod.rate}</td>
-                    <td>{$paymentMethod.amount} {$paymentMethod.paymentMethod}</td>
-                    <td>{$paymentMethod.paymentMethodPaid} {$paymentMethod.paymentMethod}</td>
+                    <td>{$storeCurrency|escape:'htmlall':'UTF-8'} {$paymentMethod.rate|escape:'htmlall':'UTF-8'}</td>
+                    <td>{$paymentMethod.amount|escape:'htmlall':'UTF-8'} {$paymentMethod.paymentMethod|escape:'htmlall':'UTF-8'}</td>
+                    <td>{$paymentMethod.paymentMethodPaid|escape:'htmlall':'UTF-8'} {$paymentMethod.paymentMethod|escape:'htmlall':'UTF-8'}</td>
                   </tr>
                   </tbody>
                 </table>
-                <table id="{$currencyCode}-payments" class="table table-bordered my-2">
+                <table id="{$currencyCode|escape:'htmlall':'UTF-8'}-payments" class="table table-bordered my-2">
                   <thead>
                   <tr>
                     <th class="table-head-date">{l s='Date' d='Modules.Btcpay.Global'}</th>
@@ -90,11 +90,11 @@
                   {foreach $paymentMethod->getPayments() as $payment}
                     <tr>
                       <td>{$payment->getReceivedTimestamp()|date_format:"%Y-%m-%d %T"}</td>
-                      <td>{$payment.value} {$currencyCode}</td>
+                      <td>{$payment.value|escape:'htmlall':'UTF-8'} {$currencyCode|escape:'htmlall':'UTF-8'}</td>
                         {if $currencyCode == 'BTC'}
-                          <td><a href="https://mempool.space/tx/{$payment->getTransactionId()}" target="_blank" rel="noopener noreferrer nofollow">{$payment->getTransactionId()}</a></td>
+                          <td><a href="https://mempool.space/tx/{$payment->getTransactionId()|escape:'htmlall':'UTF-8'}" target="_blank" rel="noopener noreferrer nofollow">{$payment->getTransactionId()|escape:'htmlall':'UTF-8'}</a></td>
                         {else}
-                          <td><a href="https://blockchair.com/search?q={$payment->getTransactionId()}" target="_blank" rel="noopener noreferrer nofollow">{$payment->getTransactionId()}</a></td>
+                          <td><a href="https://blockchair.com/search?q={$payment->getTransactionId()|escape:'htmlall':'UTF-8'}" target="_blank" rel="noopener noreferrer nofollow">{$payment->getTransactionId()|escape:'htmlall':'UTF-8'}</a></td>
                         {/if}
                     </tr>
                   {/foreach}
diff --git a/modules/btcpay/views/templates/hooks/order_detail.tpl b/modules/btcpay/views/templates/hooks/order_detail.tpl
index e7d6f18..665f376 100644
--- a/modules/btcpay/views/templates/hooks/order_detail.tpl
+++ b/modules/btcpay/views/templates/hooks/order_detail.tpl
@@ -3,7 +3,7 @@
   <div class="row">
     <div class="col-md-4 m-1 my-2">
       <p class="text-muted mb-0"><strong>Invoice</strong></p>
-      <a class="configure-link" href="{$serverURL}/i/{$invoice.id}" target="_blank" rel="noopener noreferrer nofollow">{$invoice.id}</a>
+      <a class="configure-link" href="{$serverURL|escape:'htmlall':'UTF-8'}/i/{$invoice.id|escape:'htmlall':'UTF-8'}" target="_blank" rel="noopener noreferrer nofollow">{$invoice.id|escape:'htmlall':'UTF-8'}</a>
     </div>
     <div class="col-md-4 m-1 my-2">
       <p class="text-muted mb-0"><strong>Status</strong></p>
@@ -28,26 +28,26 @@
   {foreach $paymentMethods as $paymentMethod}
     {if not empty($paymentMethod->getPayments())}
       {assign currencyCode "_"|explode:$paymentMethod.paymentMethod|current}
-      <h5 class="mt-2 mb-0">{$currencyCode}</h5>
+      <h5 class="mt-2 mb-0">{$currencyCode|escape:'htmlall':'UTF-8'}</h5>
 
-      <table id="{$currencyCode}-details" class="table table-bordered my-2">
+      <table id="{$currencyCode|escape:'htmlall':'UTF-8'}-details" class="table table-bordered my-2">
         <thead>
         <tr>
           <th class="table-head-rate">{l s='Rate' d='Modules.Btcpay.Global'}</th>
           <th class="table-head-cart-amount">{l s='Invoice amount' d='Modules.Btcpay.Global'}</th>
-          <th class="table-head-paid-amount">{l s='Total amount paid in %s' sprintf=[$currencyCode] d='Modules.Btcpay.Global'}</th>
+          <th class="table-head-paid-amount">{l s='Total amount paid in %s' sprintf=[$currencyCode|escape:'htmlall':'UTF-8'] d='Modules.Btcpay.Global'}</th>
         </tr>
         </thead>
         <tbody>
         <tr>
-          <td>{$storeCurrency} {$paymentMethod.rate}</td>
-          <td>{$paymentMethod.amount} {$paymentMethod.paymentMethod}</td>
-          <td>{$paymentMethod.paymentMethodPaid} {$paymentMethod.paymentMethod}</td>
+          <td>{$storeCurrency|escape:'htmlall':'UTF-8'} {$paymentMethod.rate|escape:'htmlall':'UTF-8'}</td>
+          <td>{$paymentMethod.amount|escape:'htmlall':'UTF-8'} {$paymentMethod.paymentMethod|escape:'htmlall':'UTF-8'}</td>
+          <td>{$paymentMethod.paymentMethodPaid|escape:'htmlall':'UTF-8'} {$paymentMethod.paymentMethod|escape:'htmlall':'UTF-8'}</td>
         </tr>
         </tbody>
       </table>
 
-      <table id="{$currencyCode}-payments" class="table table-bordered my-2">
+      <table id="{$currencyCode|escape:'htmlall':'UTF-8'}-payments" class="table table-bordered my-2">
         <thead>
         <tr>
           <th class="table-head-date">{l s='Date' d='Modules.Btcpay.Global'}</th>
@@ -59,11 +59,11 @@
         {foreach $paymentMethod->getPayments() as $payment}
           <tr>
             <td>{$payment->getReceivedTimestamp()|date_format:"%Y-%m-%d %T"}</td>
-            <td>{$payment.value} {$currencyCode}</td>
+            <td>{$payment.value|escape:'htmlall':'UTF-8'} {$currencyCode|escape:'htmlall':'UTF-8'}</td>
               {if $currencyCode == 'BTC'}
-                <td><a href="https://mempool.space/tx/{$payment->getTransactionId()}" target="_blank" rel="noopener noreferrer nofollow">{$payment->getTransactionId()}</a></td>
+                <td><a href="https://mempool.space/tx/{$payment->getTransactionId()|escape:'htmlall':'UTF-8'}" target="_blank" rel="noopener noreferrer nofollow">{$payment->getTransactionId()|escape:'htmlall':'UTF-8'}</a></td>
               {else}
-                <td><a href="https://blockchair.com/search?q={$payment->getTransactionId()}" target="_blank" rel="noopener noreferrer nofollow">{$payment->getTransactionId()}</a></td>
+                <td><a href="https://blockchair.com/search?q={$payment->getTransactionId()|escape:'htmlall':'UTF-8'}" target="_blank" rel="noopener noreferrer nofollow">{$payment->getTransactionId()|escape:'htmlall':'UTF-8'}</a></td>
               {/if}
           </tr>
         {/foreach}
diff --git a/modules/btcpay/views/templates/hooks/payment_option.tpl b/modules/btcpay/views/templates/hooks/payment_option.tpl
index 54228ee..9296384 100644
--- a/modules/btcpay/views/templates/hooks/payment_option.tpl
+++ b/modules/btcpay/views/templates/hooks/payment_option.tpl
@@ -4,10 +4,10 @@
   <p class="mb-1"><strong>{l s='Supported payment methods' d='Modules.Btcpay.Front'}</strong>:</p>
   <dl>
       {foreach $offChain as $paymentMethod}
-        <dt>{$paymentMethod.cryptoCode} Lightning ⚡</dt>
+        <dt>{$paymentMethod.cryptoCode|escape:'htmlall':'UTF-8'} Lightning ⚡</dt>
       {/foreach}
       {foreach $onChain as $paymentMethod}
-        <dt>{$paymentMethod.cryptoCode} (On-Chain)</dt>
+        <dt>{$paymentMethod.cryptoCode|escape:'htmlall':'UTF-8'} (On-Chain)</dt>
       {/foreach}
   </dl>
 </section>
diff --git a/modules/btcpay/views/templates/hooks/payment_return.tpl b/modules/btcpay/views/templates/hooks/payment_return.tpl
index 9c3d8c3..4e907ad 100644
--- a/modules/btcpay/views/templates/hooks/payment_return.tpl
+++ b/modules/btcpay/views/templates/hooks/payment_return.tpl
@@ -2,17 +2,17 @@
 {if $order_state == $os_paid}
   <p>{l s='Your order has been paid for.' d='Modules.Btcpay.Front'}</p>
   <p><strong>{l s="We will ship out your order as soon as we're able to." d='Modules.Btcpay.Front'}</strong></p>
-  <p>{l s='If you have questions, comments or concerns, please contact our' d='Modules.Btcpay.Front'} <a href="{$link->getPageLink('contact', true)|escape:'html'}">{l s='expert customer support team.' d='Modules.Btcpay.Front'}</a></p>
+  <p>{l s='If you have questions, comments or concerns, please contact our' d='Modules.Btcpay.Front'} <a href="{$link->getPageLink('contact', true)|escape:'htmlall':'UTF-8'}">{l s='expert customer support team.' d='Modules.Btcpay.Front'}</a></p>
 {elseif $order_state == $os_failed}
   <p class="warning">{l s='The invoice was not succesfully paid. Either because the invoice expired or your transaction never confirmed.' d='Modules.Btcpay.Front'}</p>
-  <p>{l s='If you think this is an error, feel free to contact our' d='Modules.Btcpay.Front'} <a href="{$link->getPageLink('contact', true)|escape:'html'}">{l s='expert customer support team.' d='Modules.Btcpay.Front'}</a></p>
+  <p>{l s='If you think this is an error, feel free to contact our' d='Modules.Btcpay.Front'} <a href="{$link->getPageLink('contact', true)|escape:'htmlall':'UTF-8'}">{l s='expert customer support team.' d='Modules.Btcpay.Front'}</a></p>
 {elseif $order_state == $os_waiting}
-  <p>{l s="Your order is awaiting payment. If you haven't paid yet, you can <a href='%s' title='Go to the payment page' target='_blank'>click here to go back to the payment page</a>." sprintf=[$bitcoinPayment->getRedirect()] d='Modules.Btcpay.Front'|escape:'html'}</p>
-  <p>{l s='If you have questions, comments or concerns, please contact our' d='Modules.Btcpay.Front'} <a href="{$link->getPageLink('contact', true)|escape:'html'}">{l s='expert customer support team.' d='Modules.Btcpay.Front'}</a></p>
+  <p>{l s="Your order is awaiting payment. If you haven't paid yet, you can <a href='%s' title='Go to the payment page' target='_blank'>click here to go back to the payment page</a>." sprintf=[$bitcoinPayment->getRedirect()] d='Modules.Btcpay.Front'|escape:'htmlall':'UTF-8'}</p>
+  <p>{l s='If you have questions, comments or concerns, please contact our' d='Modules.Btcpay.Front'} <a href="{$link->getPageLink('contact', true)|escape:'htmlall':'UTF-8'}">{l s='expert customer support team.' d='Modules.Btcpay.Front'}</a></p>
 {elseif $order_state == $os_confirming}
   <p>{l s='Your order is awaiting confirmations.' d='Modules.Btcpay.Front'}</p>
   <p>{l s='Your order will be processed as soon as your payment is confirmed by the relevant crypto network.' d='Modules.Btcpay.Front'}</p>
-  <p>{l s='If you have questions, comments or concerns, please contact our' d='Modules.Btcpay.Front'} <a href="{$link->getPageLink('contact', true)|escape:'html'}">{l s='expert customer support team.' d='Modules.Btcpay.Front'}</a></p>
+  <p>{l s='If you have questions, comments or concerns, please contact our' d='Modules.Btcpay.Front'} <a href="{$link->getPageLink('contact', true)|escape:'htmlall':'UTF-8'}">{l s='expert customer support team.' d='Modules.Btcpay.Front'}</a></p>
 {/if}
 <hr/>
 <table class="table table-striped table-bordered table-labeled hidden-xs-down">
@@ -25,10 +25,10 @@
   <tbody>
   {foreach from=$presenter.history item=state}
     <tr>
-      <td>{$state.history_date}</td>
+      <td>{$state.history_date|escape:'htmlall':'UTF-8'}</td>
       <td>
-        <span class="label label-pill {$state.contrast}" style="background-color:{$state.color}">
-          {$state.ostate_name}
+        <span class="label label-pill {$state.contrast|escape:'htmlall':'UTF-8'}" style="background-color:{$state.color}">
+          {$state.ostate_name|escape:'htmlall':'UTF-8'}
         </span>
       </td>
     </tr>