## Team,
I hope you are all doing well.
*. I wanted to bring to your attention a potential vulnerability on the website https://mainnet.demo.btcpayserver.org/account/apikeys.
*. During my research, I discovered that the API key label field is vulnerable to a stored HTML injection attack.
## Proof of Concept:
*. I have created a video demonstration of the vulnerability and uploaded it to my Google Drive.
*. The link for the video is provided below for your review:
https://drive.google.com/file/d/1MJGqJui4wEchUDVlkrmdLS7GxEpaVqeb/view?usp=sharing
## Reproduction Steps:
*. Go to the website https://mainnet.demo.btcpayserver.org/account/apikeys
*. Click Account.
*. Click Manage Account.
*. Then open the API keys page, which is https://mainnet.demo.btcpayserver.org/account/apikeys
*. Here, create an API key using an HTML payload as the label.
*. Use the following HTML payload in the label field:
*. Generate the API key.
*. Now click Delete.
*. Confirm that the delete step renders the stored label as HTML rather than as plain text.
*. That is the issue: the label is written into the page without HTML encoding, so any markup stored in it is interpreted by the browser.
## Solution:
*. HTML-encode the label at every point where it is written into a page (element content and attribute values), including the delete confirmation. Output encoding is the primary fix; restricting special characters in the input is only a secondary control.
*. Optionally, use regular expressions or other techniques to detect and reject labels containing markup characters, and enforce a sensible length limit, as defence in depth rather than as the sole protection.
*. Avoid embedding user input into generated HTML (including emails) where it is not needed, and always HTML-encode it where it is.
*. Implement proper input validation and output encoding consistently so that this class of vulnerability does not recur in other fields.
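To make the reproduction steps and the fix concrete, the following is an added example and not code from BTCPay Server (which is an ASP.NET Core application) or from the report author. It models a delete-confirmation dialog in plain JavaScript: one renderer concatenates the stored label straight into markup, the other HTML-encodes it first, and a separate input check illustrates the optional defence in depth. The function names, the prompt wording and the sample label are assumptions made for the illustration.

```javascript
// Added example (not BTCPay Server code): rendering a user-controlled API key
// label into a delete-confirmation prompt, first unsafely and then safely.

// Minimal HTML entity encoder for text placed inside element content or a
// double-quoted attribute value. Covers the five characters that can change
// meaning in those contexts.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: the stored label is concatenated directly into markup,
// so any tags it contains are parsed as HTML by the browser.
function renderDeletePromptUnsafe(label) {
  return '<p>Delete API key "' + label + '"?</p>';
}

// Hardened pattern: the label is HTML-encoded at the point of output, so it is
// displayed verbatim regardless of which characters it contains.
function renderDeletePromptSafe(label) {
  return '<p>Delete API key "' + escapeHtml(label) + '"?</p>';
}

// Optional defence in depth applied when the key is created: reject labels
// that contain markup characters or are unreasonably long. This is a
// secondary control; output encoding above remains mandatory.
function isAcceptableLabel(label, maxLen = 50) {
  return typeof label === "string"
    && label.length > 0
    && label.length <= maxLen
    && !/[<>]/.test(label);
}

// Constructed sample label: harmless markup chosen only to show that the
// unsafe renderer passes tags through while the safe one neutralises them.
const SAMPLE_LABEL = "<b>my key</b>";

// Stand-alone demonstration when run directly with Node.
if (typeof require !== "undefined" && require.main === module) {
  console.log("unsafe:", renderDeletePromptUnsafe(SAMPLE_LABEL));
  console.log("safe:  ", renderDeletePromptSafe(SAMPLE_LABEL));
  console.log("accepted at input:", isAcceptableLabel(SAMPLE_LABEL));
}
```

In a real application the safe renderer corresponds to using the templating engine's default encoding (for example Razor's `@label`) or the DOM's `textContent` instead of `innerHTML`; the input check alone would not have protected any existing labels already stored before it was added.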