From 87d39749e35be46f066939efdb22d006a6e8d3b7 Mon Sep 17 00:00:00 2001
From: Pavlenex <36959754+pavlenex@users.noreply.github.com>
Date: Thu, 12 Feb 2026 22:33:48 +0400
Subject: [PATCH] Security headers and sanitizing links

---
 .gitignore                       | 15 +++++++++++++++
 index.html                       |  1 +
 public/.well-known/security.txt  |  4 ++++
 public/404.html                  |  1 +
 public/robots.txt                |  1 -
 src/components/Footer.tsx        |  3 ++-
 src/components/MerchantCard.tsx  |  3 ++-
 src/components/ThemeProvider.tsx |  8 +++++---
 src/lib/url.ts                   | 15 +++++++++++++++
 src/pages/Directory.tsx          | 23 +++++++++++++++++------
 10 files changed, 62 insertions(+), 12 deletions(-)
 create mode 100644 public/.well-known/security.txt
 create mode 100644 src/lib/url.ts

diff --git a/.gitignore b/.gitignore
index 1cf7629..7999938 100644
--- a/.gitignore
+++ b/.gitignore
@@ -2,3 +2,18 @@ node_modules
 dist
 .vite
 *.local
+
+# Environment files
+.env
+.env.*
+
+# IDE
+.idea
+.vscode
+*.swp
+*.swo
+*~
+
+# OS
+.DS_Store
+Thumbs.db
diff --git a/index.html b/index.html
index ed3ca77..5913257 100644
--- a/index.html
+++ b/index.html
@@ -3,6 +3,7 @@
   <head>
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+    <meta http-equiv="Content-Security-Policy" content="default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src https://fonts.gstatic.com; img-src 'self'; manifest-src 'self'; connect-src 'self' ws:; base-uri 'self'; form-action 'none';" />
     <title>BTCPay Server Directory</title>
     <meta name="description" content="The definitive list of merchants, creators, and organizations empowering the circular economy with BTCPay Server." />
     <meta property="og:title" content="BTCPay Server Directory" />
diff --git a/public/.well-known/security.txt b/public/.well-known/security.txt
new file mode 100644
index 0000000..ac2f91d
--- /dev/null
+++ b/public/.well-known/security.txt
@@ -0,0 +1,4 @@
+Contact: https://github.com/btcpayserver/btcpayserver/security/policy
+Expires: 2027-02-12T00:00:00.000Z
+Preferred-Languages: en
+Policy: https://github.com/btcpayserver/btcpayserver/security/policy
diff --git a/public/404.html b/public/404.html
index 5e8ed12..fe8bf25 100644
--- a/public/404.html
+++ b/public/404.html
@@ -2,6 +2,7 @@
 <html>
   <head>
     <meta charset="utf-8" />
+    <meta http-equiv="Content-Security-Policy" content="default-src 'none'; script-src 'sha256-NOsINjbGOHhhnL1zwiLd/YHQjMqa6X9gVcT3uvwiOpE=';" />
     <title>BTCPay Server Directory</title>
     <script>
       // Redirect all 404s to the root for SPA support on GitHub Pages
diff --git a/public/robots.txt b/public/robots.txt
index 9b8d374..c2a49f4 100644
--- a/public/robots.txt
+++ b/public/robots.txt
@@ -1,3 +1,2 @@
 User-agent: *
 Allow: /
-Sitemap: https://directory.btcpayserver.org/sitemap.xml
diff --git a/src/components/Footer.tsx b/src/components/Footer.tsx
index 7a0c60d..44f203d 100644
--- a/src/components/Footer.tsx
+++ b/src/components/Footer.tsx
@@ -1,6 +1,7 @@
 import { Github, Twitter } from "lucide-react";
 import SupporterSprite from "@/components/SupporterSprite";
 import { supporters } from "@/data/supporters";
+import { safeUrl } from "@/lib/url";
 
 export default function Footer() {
   return (
@@ -13,7 +14,7 @@ export default function Footer() {
             {supporters.map((s) => (
               <a
                 key={s.svgId}
-                href={s.url}
+                href={safeUrl(s.url)}
                 target="_blank"
                 rel="noreferrer"
                 title={s.name}
diff --git a/src/components/MerchantCard.tsx b/src/components/MerchantCard.tsx
index 74b7fcf..1d0919a 100644
--- a/src/components/MerchantCard.tsx
+++ b/src/components/MerchantCard.tsx
@@ -2,6 +2,7 @@ import type { Merchant } from "@/data/categories";
 import { Badge } from "@/components/ui/badge";
 import { ExternalLink } from "lucide-react";
 import { subTypeLabels, countryFlag, hostedBtcpayCountries } from "@/data/categories";
+import { safeUrl } from "@/lib/url";
 
 interface MerchantCardProps {
   merchant: Merchant;
@@ -59,7 +60,7 @@ export default function MerchantCard({ merchant }: MerchantCardProps) {
 
       {/* Action */}
       <a
-        href={merchant.url}
+        href={safeUrl(merchant.url)}
         target="_blank"
         rel="noreferrer"
         className="absolute inset-0 z-10 focus:outline-none focus:ring-2 focus:ring-primary/50 rounded-2xl sm:rounded-3xl"
diff --git a/src/components/ThemeProvider.tsx b/src/components/ThemeProvider.tsx
index ae73ee4..c155fb3 100644
--- a/src/components/ThemeProvider.tsx
+++ b/src/components/ThemeProvider.tsx
@@ -26,9 +26,11 @@ export function ThemeProvider({
   storageKey = "vite-ui-theme",
   ...props
 }: ThemeProviderProps) {
-  const [theme, setTheme] = useState<Theme>(
-    () => (localStorage.getItem(storageKey) as Theme) || defaultTheme
-  )
+  const [theme, setTheme] = useState<Theme>(() => {
+    const stored = localStorage.getItem(storageKey);
+    const valid: string[] = ["dark", "light", "system"];
+    return stored && valid.includes(stored) ? (stored as Theme) : defaultTheme;
+  })
 
   useEffect(() => {
     const root = window.document.documentElement
diff --git a/src/lib/url.ts b/src/lib/url.ts
new file mode 100644
index 0000000..acb523d
--- /dev/null
+++ b/src/lib/url.ts
@@ -0,0 +1,15 @@
+/**
+ * Validates that a URL uses a safe protocol (http: or https:).
+ * Returns the URL unchanged if safe, or "#" as a safe fallback.
+ * Prevents javascript:, data:, vbscript:, and other dangerous protocol URLs.
+ */
+export function safeUrl(url: string): string {
+  try {
+    const parsed = new URL(url, window.location.origin);
+    return parsed.protocol === "https:" || parsed.protocol === "http:"
+      ? url
+      : "#";
+  } catch {
+    return "#";
+  }
+}
diff --git a/src/pages/Directory.tsx b/src/pages/Directory.tsx
index a23d39e..ad661c1 100644
--- a/src/pages/Directory.tsx
+++ b/src/pages/Directory.tsx
@@ -1,7 +1,7 @@
 import { useState, useMemo, useEffect, useCallback } from "react";
 import merchantsData from "@/data/merchants.json";
 import type { Merchant } from "@/data/categories";
-import { typeMap } from "@/data/categories";
+import { typeMap, mainTypes, merchantSubTypes, hostedBtcpayCountries } from "@/data/categories";
 import MerchantCard from "@/components/MerchantCard";
 import DirectoryFilters from "@/components/DirectoryFilters";
 import Navbar from "@/components/Navbar";
@@ -30,13 +30,24 @@ function shuffle<T>(array: T[]): T[] {
 }
 
 // URL hash helpers for shareable filter state
+const validTypes = new Set<string>(mainTypes);
+const validSubs = new Set<string>([
+  ...merchantSubTypes,
+  ...Object.keys(hostedBtcpayCountries),
+]);
+
 function parseHash(): { type: string; sub: string | null; q: string } {
   const params = new URLSearchParams(window.location.hash.slice(1));
-  return {
-    type: params.get("type") || "All",
-    sub: params.get("sub") || null,
-    q: params.get("q") || "",
-  };
+
+  const rawType = params.get("type") || "All";
+  const type = validTypes.has(rawType) ? rawType : "All";
+
+  const rawSub = params.get("sub") || null;
+  const sub = rawSub && validSubs.has(rawSub) ? rawSub : null;
+
+  const q = params.get("q") || "";
+
+  return { type, sub, q };
 }
 
 function updateHash(type: string, sub: string | null, q: string) {