
fix(payment-widget): prevent DOM XSS via label/memo; restrict callbacks #152

Merged
Scottcjn merged 1 commit into Scottcjn:master from David-code-tang:codex/payment-widget-hardening-67
Feb 13, 2026

Conversation

@David-code-tang
Contributor

Bounty #67: Payment widget XSS/injection hardening.

Findings (before patch):

  • DOM XSS via data-label: createButton() set btn.innerHTML = LOGO_SVG + config.label.
  • DOM XSS via data-memo / data-to: modal summary interpolated memo/to directly into overlay.innerHTML.
  • Inline onclick in success UI (CSP-unfriendly).
  • Callback URL accepted arbitrary origin (SSRF-style footgun for integrators).

Fix:

  • Render label/memo/to/tx_hash via text nodes/textContent.
  • Validate recipient format (RTC + 40 hex) and normalize amount.
  • Default-deny running inside iframes unless data-allow-iframe="true".
  • Callback URL is same-origin only by default; optional override via data-allow-callback-any-origin="true".
  • Added PoCs in payment-widget/poc/.

PoCs:

  • payment-widget/poc/xss-label.html
  • payment-widget/poc/xss-memo.html

Wallet: davidtang-codex
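As an added illustration of the hardening listed above (example code written for this page, not the widget's own source): JavaScript helpers that render the summary with text nodes instead of innerHTML, validate the recipient as "RTC" plus 40 hex characters, normalize the amount, default-deny when framed, and resolve the callback URL same-origin unless data-allow-callback-any-origin="true" is set. The function names, the fake document used so the block runs under Node, the parseConfig error strings, and the amount format (plain decimal, up to 8 fractional digits) are assumptions, not details from the PR.

```javascript
// Added example, not the project's widget code. Names (validateRecipient,
// normalizeAmount, resolveCallbackUrl, mayRun, parseConfig, renderSummary,
// makeFakeDocument) and the 8-decimal amount limit are assumptions.

const RECIPIENT_RE = /^RTC[0-9a-fA-F]{40}$/; // "RTC" + 40 hex, as the PR states

function validateRecipient(to) {
  return typeof to === "string" && RECIPIENT_RE.test(to) ? to : null;
}

// Canonical positive decimal: strips leading/trailing zeros, rejects signs,
// exponents, whitespace and zero amounts. Returns null when invalid.
function normalizeAmount(raw) {
  if (typeof raw !== "string") return null;
  const m = /^(\d+)(?:\.(\d{1,8}))?$/.exec(raw.trim());
  if (!m) return null;
  const whole = m[1].replace(/^0+(?=\d)/, "");
  const frac = (m[2] || "").replace(/0+$/, "");
  if (whole === "0" && frac === "") return null;
  return frac ? `${whole}.${frac}` : whole;
}

// Same-origin by default. With the any-origin opt-in the host may differ, but
// only http(s) is ever accepted, so javascript:/data: callbacks are rejected.
function resolveCallbackUrl(raw, pageOrigin, allowAnyOrigin = false) {
  let url;
  try { url = new URL(raw, pageOrigin); } catch { return null; }
  if (url.protocol !== "https:" && url.protocol !== "http:") return null;
  if (!allowAnyOrigin && url.origin !== new URL(pageOrigin).origin) return null;
  return url.href;
}

// Default-deny inside iframes unless data-allow-iframe="true". isFramed is a
// parameter so this runs outside a browser; in the widget use
// window.top !== window.self.
function mayRun(isFramed, allowIframeAttr) {
  return !isFramed || allowIframeAttr === "true";
}

// Validate a data-* config object (e.g. button.dataset) before anything is rendered.
function parseConfig(dataset, pageOrigin, isFramed) {
  if (!mayRun(isFramed, dataset.allowIframe)) return { ok: false, error: "framed" };
  const to = validateRecipient(dataset.to);
  if (!to) return { ok: false, error: "bad recipient" };
  const amount = normalizeAmount(dataset.amount);
  if (!amount) return { ok: false, error: "bad amount" };
  let callback = null;
  if (dataset.callback !== undefined) {
    callback = resolveCallbackUrl(dataset.callback, pageOrigin,
      dataset.allowCallbackAnyOrigin === "true");
    if (!callback) return { ok: false, error: "bad callback" };
  }
  return { ok: true, config: { to, amount, memo: String(dataset.memo ?? ""),
    label: String(dataset.label ?? "Pay with RTC"), callback } };
}

// Build the modal summary from text nodes only. `doc` is anything exposing
// createElement/createTextNode (in the browser: document). Attacker-controlled
// strings go through textContent, so they never reach the HTML parser.
function renderSummary(doc, { to, amount, memo }) {
  const box = doc.createElement("div");
  for (const [label, value] of [["To", to], ["Amount", amount], ["Memo", memo]]) {
    const row = doc.createElement("div");
    row.appendChild(doc.createTextNode(`${label}: `));
    const span = doc.createElement("span");
    span.textContent = value;
    row.appendChild(span);
    box.appendChild(row);
  }
  return box;
}

// Minimal stand-in for `document` so the block runs under Node (a test double,
// not a DOM). It records every tag created, which lets a check confirm that a
// memo like "<img src=x onerror=...>" never became an element.
function makeFakeDocument() {
  const created = [];
  const mk = (tag) => ({ tag, children: [], textContent: "",
    appendChild(c) { this.children.push(c); return c; } });
  return {
    created,
    createElement(tag) { created.push(tag); return mk(tag); },
    createTextNode(text) { const n = mk(null); n.textContent = text; return n; },
  };
}
```

In the widget itself the inputs would be `button.dataset`, `location.origin` and `window.top !== window.self`, and `document` would replace the fake. Note what textContent does and does not buy: it stops markup injection from label/memo/to, but a merchant-supplied label can still say anything, so the recipient and amount shown to the user must come from the validated config, not from free text.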

@David-code-tang
Contributor Author

Ping for review: this PR patches DOM XSS sinks (data-label/data-memo), adds PoCs, and restricts callback/iframe defaults.

@Scottcjn
Owner

Approved — Payment widget XSS hardening.

Sanitizing label/memo fields and restricting callback URLs prevents DOM XSS injection through the payment widget. Good defensive coding.

Note: This overlaps with #143 (liu971227-sys) but this PR is cleaner and more focused. #143 will be closed as duplicate.

@Scottcjn
Owner

Merged — Thank you! 🎉

This PR has been merged. You've earned an RTC bounty for this security fix.

To receive your RTC reward, please reply with:

  1. Your RTC wallet address (if you have one from the RustChain wallet)
  2. OR a wallet name you'd like us to create for you (e.g., david-security)

We'll process the transfer within 24 hours of receiving your wallet info.


2 participants