# Stored HTML Injection

## Description

Team,

I hope you are all doing well.

* I wanted to bring to your attention a potential vulnerability on the website https://mainnet.demo.btcpayserver.org/account/apikeys.

* During my research, I discovered that the API key label field is vulnerable to a stored HTML injection attack.

## Proof of Concept:

* I have created a video demonstration of the vulnerability and uploaded it to my Google Drive.

* The link for the video is provided below for your review:

  https://drive.google.com/file/d/1MJGqJui4wEchUDVlkrmdLS7GxEpaVqeb/view?usp=sharing

## Reproduction Steps:

1. Go to the website https://mainnet.demo.btcpayserver.org/account/apikeys.

2. Click "Account".

3. Click "Manage Account".

4. Then move on to the API keys page, which is https://mainnet.demo.btcpayserver.org/account/apikeys.

5. Here, create an API key with an HTML payload as the label. The payload used in the label field was (tags have not survived in this copy of the report):

   clickhere

6. Generate the API key.

7. Now, click "Delete".

8. Observe that the delete confirmation rendered the injected HTML.

9. That is the issue.

## Solution:

* Restrict special characters in the input fields and HTML-encode the value before placing it in element content or attributes.

* Use regular expressions or other techniques to detect and reject malicious input.

* Avoid embedding user input into emails unless necessary, and always HTML-encode user input before embedding it into emails.

* Implement proper input validation and sanitization measures to prevent this type of vulnerability from occurring in the future.
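To make the two recommended defences concrete, here is an added example (written for this page, not BTCPay Server's own code) that models the failure mode described above: a delete-confirmation message built by concatenating a user-controlled API key label into markup. `renderDeleteConfirmUnsafe` shows the vulnerable pattern, `renderDeleteConfirmSafe` applies output encoding, and `isAcceptableLabel` is a hypothetical input-side allow-list in the spirit of "restrict special characters". The sample label and the `LABEL_PATTERN` policy are constructed for the example.

```javascript
// Added example: stored HTML injection via an API key label, and two fixes.
// Not BTCPay Server code; the templates and policy below are assumptions.

// Minimal HTML encoder for text placed in element content or a
// double-quoted attribute value.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern: the stored label is concatenated straight into the
// confirmation markup, so any tags in the label are rendered by the browser.
function renderDeleteConfirmUnsafe(label) {
  return `<p>Delete API key <b>${label}</b>?</p>`;
}

// Hardened pattern: same template, but the label is HTML-encoded first, so
// tags in the label are displayed literally as text.
function renderDeleteConfirmSafe(label) {
  return `<p>Delete API key <b>${escapeHtml(label)}</b>?</p>`;
}

// Hypothetical input-side policy: a label may only contain letters, digits,
// spaces, underscore, dot and hyphen, and must be 1 to 64 characters long.
const LABEL_PATTERN = /^[A-Za-z0-9 _.-]{1,64}$/;
function isAcceptableLabel(label) {
  return LABEL_PATTERN.test(label);
}

// Helper for checking a rendered fragment: does it contain any tag other
// than the ones the template itself emits?
function containsForeignTag(html) {
  const tags = html.match(/<\/?[a-z][^>]*>/gi) || [];
  const allowed = new Set(['<p>', '</p>', '<b>', '</b>']);
  return tags.some((t) => !allowed.has(t.toLowerCase()));
}

// Constructed sample label that smuggles a link, similar in spirit to the
// report's "clickhere" payload (the exact payload is not on this page).
const sampleLabel = '<a href="https://example.invalid/">clickhere</a>';

console.log('unsafe :', renderDeleteConfirmUnsafe(sampleLabel));
console.log('safe   :', renderDeleteConfirmSafe(sampleLabel));
console.log('label accepted?', isAcceptableLabel(sampleLabel));
```

Output encoding at the point of rendering is the defence that actually closes the bug; the allow-list only reduces the attack surface and should not be relied on alone, since labels may also reach the page through other routes such as API clients.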
