From 6a8fc1bef077ef558cd57d25603fe2bf21c20ffa Mon Sep 17 00:00:00 2001 From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com> Date: Fri, 14 Nov 2025 20:08:37 +0000 Subject: [PATCH 1/4] feat: Add secure message parsing and display This commit introduces a new feature to securely parse and display transaction messages, preventing XSS vulnerabilities. - A new configuration option, `enable_message_parsing`, is added to `config/config.default.php`, defaulting to `false`. - A new global function, `display_message`, is added to `web/apps/apps.functions.php` to handle the secure display of transaction messages. - The `explorer` and `admin` apps are updated to use the new `display_message` function. --- config/config.default.php | 2 ++ web/apps/admin/tabs/mempool.php | 2 +- web/apps/apps.functions.php | 39 +++++++++++++++++++++++++++++++++ web/apps/explorer/address.php | 2 +- web/apps/explorer/mempool.php | 2 +- web/apps/explorer/tx.php | 2 +- 6 files changed, 45 insertions(+), 4 deletions(-) diff --git a/config/config.default.php b/config/config.default.php index ffd57be7..6e73bbc6 100644 --- a/config/config.default.php +++ b/config/config.default.php @@ -104,3 +104,5 @@ // set server to maintenance mode //$_config['maintenance']=1; + +$_config['enable_message_parsing']=false; diff --git a/web/apps/admin/tabs/mempool.php b/web/apps/admin/tabs/mempool.php index 5b0acb45..efa24ce2 100644 --- a/web/apps/admin/tabs/mempool.php +++ b/web/apps/admin/tabs/mempool.php @@ -59,7 +59,7 @@ - + diff --git a/web/apps/apps.functions.php b/web/apps/apps.functions.php index 0585d395..10aad27b 100755 --- a/web/apps/apps.functions.php +++ b/web/apps/apps.functions.php 
@@ -17,3 +17,42 @@ function explorer_address_link2($address, $short= false) { } return ''.$text.''; } + +function display_message($message) { + global $_config; + $safe_message = htmlspecialchars($message, ENT_QUOTES, 'UTF-8'); + if (empty(trim($message))) { + return ""; + } + if (!$_config['enable_message_parsing']) { + return $safe_message; + } + $contains_script = strpos($message, ''; + define('MESSAGE_JS_INCLUDED', true); + } + return $output; +} diff --git a/web/apps/explorer/address.php b/web/apps/explorer/address.php index 604f11e9..3e9ac14b 100755 --- a/web/apps/explorer/address.php +++ b/web/apps/explorer/address.php @@ -153,7 +153,7 @@ - + diff --git a/web/apps/explorer/mempool.php b/web/apps/explorer/mempool.php index d2d0d6dc..0ed45dc3 100755 --- a/web/apps/explorer/mempool.php +++ b/web/apps/explorer/mempool.php @@ -47,7 +47,7 @@ - + diff --git a/web/apps/explorer/tx.php b/web/apps/explorer/tx.php index 03621298..dacff0af 100755 --- a/web/apps/explorer/tx.php +++ b/web/apps/explorer/tx.php @@ -120,7 +120,7 @@ Message - + Public key From 3403301061a8b16166ac4fca0312a7dbd7693445 Mon Sep 17 00:00:00 2001 From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com> Date: Fri, 14 Nov 2025 20:26:47 +0000 Subject: [PATCH 2/4] feat: Add secure message parsing and display This commit introduces a new feature to securely parse and display transaction messages, preventing XSS vulnerabilities. - A new configuration option, `enable_message_parsing`, is added to `web/apps/apps.inc.php`, defaulting to `false`. - A new global function, `display_message`, is added to `web/apps/apps.functions.php` to handle the secure display of transaction messages. - The `explorer` and `admin` apps are updated to use the new `display_message` function. --- config/config.default.php | 2 -- web/apps/apps.inc.php | 1 + 2 files changed, 1 insertion(+), 2 deletions(-) 
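Review bot: `empty(trim($message))` treats a message consisting of the single character "0" as absent, so such a message renders as nothing; compare against the empty string instead, `if (trim($message) === '') { return ''; }`. The `htmlspecialchars($message, ENT_QUOTES, 'UTF-8')` call above it returns an empty string for any input that is not valid UTF-8, so a malformed on-chain message also vanishes without trace; passing `ENT_QUOTES | ENT_SUBSTITUTE` keeps the rest of the text and replaces only the bad bytes, and the same call survives unchanged in PATCH 3's rewrite of this function. The script-detection expression and the guard around `define('MESSAGE_JS_INCLUDED', true)` are not legible in this hunk; if that guard is not a `defined('MESSAGE_JS_INCLUDED')` check, a second call in the same request will warn on the repeated `define`.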
diff --git a/config/config.default.php b/config/config.default.php index 6e73bbc6..ffd57be7 100644 --- a/config/config.default.php +++ b/config/config.default.php @@ -104,5 +104,3 @@ // set server to maintenance mode //$_config['maintenance']=1; - -$_config['enable_message_parsing']=false; diff --git a/web/apps/apps.inc.php b/web/apps/apps.inc.php index 039a4d3a..bc88121c 100755 --- a/web/apps/apps.inc.php +++ b/web/apps/apps.inc.php @@ -4,5 +4,6 @@ global $_config; +$_config['enable_message_parsing']=false; $nodeScore = round($_config['node_score'],2); From d98ad76a0631156276416ca4b9660b6dd6d851e4 Mon Sep 17 00:00:00 2001 From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com> Date: Fri, 14 Nov 2025 20:51:27 +0000 Subject: [PATCH 3/4] feat: Add secure message parsing and display This commit introduces a new feature to securely parse and display transaction messages, preventing XSS vulnerabilities. - A new configuration option, `enable_message_parsing`, is added to `web/apps/apps.inc.php`, defaulting to `false`. - A new global function, `display_message`, is added to `web/apps/apps.functions.php` to handle the secure display of transaction messages. - The `display_message` function now detects JavaScript in messages and provides a secure way to execute it after user confirmation. - The `explorer` and `admin` apps are updated to use the new `display_message` function. --- web/apps/apps.functions.php | 48 +++++++++++---------------- web/apps/common/include/bottom.php | 53 ++++++++++++++++++++++++++++++ 2 files changed, 72 insertions(+), 29 deletions(-) diff --git a/web/apps/apps.functions.php b/web/apps/apps.functions.php index 10aad27b..7c4b3c13 100755 --- a/web/apps/apps.functions.php +++ b/web/apps/apps.functions.php 
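Review bot: `$_config['enable_message_parsing']=false;` is an unconditional assignment placed right after `global $_config;` in apps.inc.php, so if the operator's config file has already been loaded at that point its value of the option is overwritten and the feature can never be switched on. Make it a default that yields to an existing setting, `$_config['enable_message_parsing'] = $_config['enable_message_parsing'] ?? false;`, or keep the default in config.default.php as PATCH 1 had it. The blank context lines of this hunk appear to have been lost in rendering, so the exact placement is inferred.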
@@ -20,39 +20,29 @@ function explorer_address_link2($address, $short= false) { function display_message($message) { global $_config; - $safe_message = htmlspecialchars($message, ENT_QUOTES, 'UTF-8'); - if (empty(trim($message))) { + + if ($message === "") { return ""; } - if (!$_config['enable_message_parsing']) { + + $safe_message = htmlspecialchars($message, ENT_QUOTES, 'UTF-8'); + + if (empty($_config['enable_message_parsing'])) { return $safe_message; } - $contains_script = strpos($message, ''; - define('MESSAGE_JS_INCLUDED', true); + + $is_js = preg_match('/]*>(.*?)<\/script>|on\w+\s*=\s*["\']|javascript:/is', $message); + + if ($is_js) { + $encoded_script = base64_encode($message); + $output = '
' . $safe_message . '
'; + $output .= '
Security Review: This message contains JavaScript.
'; + $output .= ''; + } else { + $encoded_message = base64_encode($message); + $output = '' . $safe_message; + $output .= ' (Show raw)'; } + return $output; } diff --git a/web/apps/common/include/bottom.php b/web/apps/common/include/bottom.php index fde849d4..15e6a132 100755 --- a/web/apps/common/include/bottom.php +++ b/web/apps/common/include/bottom.php @@ -101,6 +101,59 @@ function setCookie(name,value,days) { + From c5a5d077f1d4926996375ec3bf835ac535a60213 Mon Sep 17 00:00:00 2001 From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com> Date: Fri, 14 Nov 2025 21:56:46 +0000 Subject: [PATCH 4/4] feat: Add secure message parsing and display This commit introduces a new feature to securely parse and display transaction messages, preventing XSS vulnerabilities. - A new configuration option, `enable_message_parsing`, is added to `web/apps/apps.inc.php`, defaulting to `false`. - A new global function, `display_message`, is added to `web/apps/apps.functions.php` to handle the secure display of transaction messages. - The `display_message` function is self-contained and includes all necessary JavaScript to securely handle both raw HTML and executable JavaScript messages, only rendering them to the DOM after explicit user confirmation. - The `explorer` and `admin` apps are updated to use the new `display_message` function. --- web/apps/apps.functions.php | 55 ++++++++++++++++++++++++++++++ web/apps/common/include/bottom.php | 53 ---------------------------- 2 files changed, 55 insertions(+), 53 deletions(-) diff --git a/web/apps/apps.functions.php b/web/apps/apps.functions.php index 7c4b3c13..cddee791 100755 --- a/web/apps/apps.functions.php +++ b/web/apps/apps.functions.php @@ -20,6 +20,7 @@ function explorer_address_link2($address, $short= false) { function display_message($message) { global $_config; + static $js_included = false; if ($message === "") { return ""; 
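Review bot: The `$is_js = preg_match(...)` test is a denylist used to decide which of two raw-display paths a message takes, and the else branch still hands the untrusted bytes to the browser as `base64_encode($message)` behind the "(Show raw)" link, so everything the pattern does not recognise as script reaches the same raw-rendering code with a milder warning. The pattern is also narrow as written (its first alternative matches only a `<script>` element and the handler alternative requires a quote after `=`), so the classification cannot carry a security decision. Safer is to treat both branches identically: render the decoded raw message as text only (`textContent`, never `innerHTML`) or pass it through an HTML sanitiser before insertion, and keep the "contains JavaScript" banner purely informational. The client-side handler that decodes the payload lives in this patch's bottom.php hunk, whose body is not legible here, so this assumes it inserts markup. `preg_match` returns `false` on a PCRE error, which `if ($is_js)` silently treats as "not script"; `if ($is_js === 1)` makes the intent explicit.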
@@ -44,5 +45,59 @@ function display_message($message) { $output .= ' (Show raw)'; } + if (!$js_included) { + $output .= ' + '; + $js_included = true; + } + return $output; } diff --git a/web/apps/common/include/bottom.php b/web/apps/common/include/bottom.php index 15e6a132..fde849d4 100755 --- a/web/apps/common/include/bottom.php +++ b/web/apps/common/include/bottom.php @@ -101,59 +101,6 @@ function setCookie(name,value,days) { -
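Review bot: The `if (!$js_included)` block appends the handler `<script>` to whichever display_message() call happens to run first in the request, so the rendering code travels with one message's markup rather than with the page; if that first return value is discarded, truncated, or emitted into a context where a script element cannot execute, every later message on the page is left with controls that do nothing. The inline script also requires `'unsafe-inline'` or a per-response nonce under any Content-Security-Policy the explorer sets, which works against the XSS goal of the series. Prefer serving the handler from a static .js file (or the bottom.php include this patch removes it from) and keeping display_message() to markup only; the script body itself is not legible in this hunk, so whether it uses `textContent` or `innerHTML` could not be checked.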