Cross-site Scripting in btcpayserver/btcpayserver
Description
Cross-site Scripting in GitHub repository btcpayserver/btcpayserver prior to 1.8.3.
Affected products
- Range: unspecified
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Default Content Security Policy included 'unsafe-eval' in script-src, allowing arbitrary JavaScript execution via eval() on pages that did not require it."
Attack vector
An attacker who can get a malicious script onto a BTCPayServer page (e.g., via a stored XSS in the Crowdfund description field) could previously execute arbitrary JavaScript because the default Content Security Policy, `script-src 'self' 'unsafe-eval'` [ref_id=1], included `'unsafe-eval'`. That keyword re-enables the string-to-code sinks that CSP otherwise blocks: `eval()`, `new Function()`, and `setTimeout()`/`setInterval()` called with a string. Without it, `script-src 'self'` permits only scripts loaded from the same origin and refuses both inline scripts and dynamically compiled code; with it, any same-origin script that passes attacker-controlled text to one of those sinks (Vue's runtime template compiler is one such consumer, which is why the Vue-based pages need the keyword) becomes a code-execution primitive. Because the keyword was set in the global default, it also applied to pages that never needed it. The vulnerability is triggered by crafted input that is later rendered on a page where `'unsafe-eval'` is still enabled, such as the Crowdfund public page, which opts in via `Csp.UnsafeEval()` [ref_id=1].
Affected code
The patch modifies `BTCPayServer/Security/ContentSecurityPolicy.cs` (the `ContentSecurityPolicyAttribute` constructor) and `BTCPayServer.Abstractions/Security/ContentSecurityPolicy.cs` (adding the `UnsafeEval()` method). Several Razor views are also changed: the Crowdfund public view, the Crowdfund update page, the Pay Button page, the Point of Sale public layout and update page, and the main menu layout. The core change is removing `'unsafe-eval'` from the default `script-src` CSP directive and instead conditionally adding it only on pages that require Vue.js.
What the fix does
The patch removes `'unsafe-eval'` from the default `script-src` CSP directive in `ContentSecurityPolicyAttribute` [ref_id=1], changing it from `"'self' 'unsafe-eval'"` to `"'self'"`. A new `UnsafeEval()` method is added to `ContentSecurityPolicy` so that pages which genuinely need Vue.js (Crowdfund public view, Crowdfund update, Pay Button, Point of Sale pages) can opt in to `'unsafe-eval'` [ref_id=1]; every other page now runs under `script-src 'self'`, where `eval()` and `new Function()` are refused by the browser. Additionally, the Crowdfund public view removes the `@Safe.Raw(Model.Description)` server-rendered description (which could introduce XSS) and relies solely on the client-side Vue binding `v-html="srvModel.description"`. Note that `v-html` inserts the bound string as raw HTML, just as `@Safe.Raw` did, so this part of the change removes a second copy of the unsanitized description from the page rather than sanitizing it. The `v-pre` attribute is added to several static HTML elements so that Vue skips them during compilation, leaving any `{{ }}` or directive-like text inside them as literal markup instead of treating it as a template, which reduces the attack surface.
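The following is an added example written for this advisory, not BTCPayServer code. It models the attack-vector and fix passages above in one place: `build_policy()` reproduces the pre-1.8.3 default (every page gets `'unsafe-eval'`) beside the fixed behaviour (`'self'` only, with a per-page opt-in), and `audit_script_src()` parses a `Content-Security-Policy` header value the way a browser would resolve it (first duplicate directive wins, `script-src` falling back to `default-src`, `'unsafe-inline'` neutralised by a nonce or hash) and reports whether dynamic code execution is still permitted. The function names, the `PAGES_NEEDING_EVAL` labels and the sample headers are constructed for the example and are not the project's identifiers or routes.

```python
"""Model of the CSP change described in this advisory (added example, not
BTCPayServer code). build_policy() mirrors the fixed behaviour; audit_script_src()
is the check a reviewer would run against a deployed header."""
from __future__ import annotations

# Constructed labels for the pages the advisory says need Vue.js and therefore
# 'unsafe-eval'. Real route names are an assumption and are not modelled here.
PAGES_NEEDING_EVAL = {
    "crowdfund_public",
    "crowdfund_update",
    "pay_button",
    "pos_public",
    "pos_update",
}

# Source expressions that reintroduce string-to-code execution (CSP keyword
# sources are ASCII case-insensitive, so comparisons are done on lower-case).
HASH_OR_NONCE_PREFIXES = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def build_policy(page: str, *, legacy_default: bool = False) -> str:
    """Return the script-src directive a page would receive.

    legacy_default=True reproduces the pre-1.8.3 default, where every page got
    script-src 'self' 'unsafe-eval'. The fixed behaviour starts from 'self' and
    appends 'unsafe-eval' only when the page opts in (the UnsafeEval() idea).
    """
    sources = ["'self'"]
    if legacy_default or page in PAGES_NEEDING_EVAL:
        sources.append("'unsafe-eval'")
    return "script-src " + " ".join(sources)


def parse_csp(header: str) -> dict[str, list[str]]:
    """Parse a CSP header value into {directive-name: [source expressions]}.

    Directive names are case-insensitive. A browser keeps the first occurrence
    of a directive and ignores later duplicates, so that is modelled here too.
    """
    policy: dict[str, list[str]] = {}
    for segment in header.split(";"):
        parts = segment.split()
        if not parts:
            continue
        name = parts[0].lower()
        if name not in policy:
            policy[name] = parts[1:]
    return policy


def effective_script_src(policy: dict[str, list[str]]) -> list[str] | None:
    """script-src governs script execution; when it is absent the browser falls
    back to default-src. None means neither is present (scripts unrestricted)."""
    if "script-src" in policy:
        return policy["script-src"]
    return policy.get("default-src")


def audit_script_src(header: str) -> dict[str, bool]:
    """Report whether the header still allows eval()-style and inline execution."""
    sources = effective_script_src(parse_csp(header))
    if sources is None:
        # No governing directive at all: eval, inline and remote scripts all run.
        return {"unrestricted": True, "unsafe_eval": True, "unsafe_inline": True}
    lowered = [s.lower() for s in sources]
    has_nonce_or_hash = any(s.startswith(HASH_OR_NONCE_PREFIXES) for s in lowered)
    return {
        "unrestricted": False,
        "unsafe_eval": "'unsafe-eval'" in lowered,
        # A nonce or hash source makes the browser ignore 'unsafe-inline'.
        "unsafe_inline": "'unsafe-inline'" in lowered and not has_nonce_or_hash,
    }


def unsafe_eval_pages(pages: list[str], *, legacy_default: bool = False) -> list[str]:
    """Which of the given pages would still serve a policy permitting eval()."""
    return [
        page
        for page in pages
        if audit_script_src(build_policy(page, legacy_default=legacy_default))["unsafe_eval"]
    ]


if __name__ == "__main__":
    # Constructed page list: three opt-in pages plus two that never needed Vue.
    sample_pages = ["crowdfund_public", "pay_button", "pos_public",
                    "store_settings", "invoice_list"]
    print("before fix:", unsafe_eval_pages(sample_pages, legacy_default=True))
    print("after fix: ", unsafe_eval_pages(sample_pages))
    for hdr in ("default-src 'self'; script-src 'self' 'unsafe-eval'",
                "default-src 'self'",
                "script-src 'self'; script-src 'self' 'unsafe-eval'",
                ""):
        print(repr(hdr), "->", audit_script_src(hdr))
```

The audit deliberately treats a missing `script-src` as governed by `default-src`, and a header with neither as fully unrestricted, because those are the cases that most often hide an `'unsafe-eval'` equivalent in real deployments; the duplicate-directive sample shows that appending a stricter `script-src` to an existing header does not tighten anything, since browsers keep the first one.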
Preconditions
- input: The attacker must be able to inject malicious content (e.g., via the Crowdfund description field or another stored input) that gets rendered on a BTCPayServer page.
- config: The target page must be one that still has `'unsafe-eval'` enabled (Crowdfund public view, Crowdfund update, Pay Button, or Point of Sale pages).
Generated on May 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.