
Added sanitization on comments and posts.

Horndev committed Apr 3, 2019
1 parent eab8c10 commit 8766f5404aa4618febe29faa7fa6fd889f70a0ef
@@ -392,12 +392,16 @@ public async Task<ActionResult> LoadMoreComments(int postId, int? commentId, int

private static Comment CreateComment(NewComment c, User user, Post post, Comment parent)
{
// Sanitize for XSS
string commentText = c.CommentContent;
string sanitizedComment = SanitizeCommentXSS(commentText);

return new Comment()
{
Parent = parent,
IsReply = c.IsReply,
UserId = user,
Text = c.CommentContent,
Text = sanitizedComment,
TimeStamp = DateTime.UtcNow,
Post = post,
Score = 0,
@@ -408,6 +412,21 @@ private static Comment CreateComment(NewComment c, User user, Post post, Comment
};
}

private static string SanitizeCommentXSS(string commentText)
{
var sanitizer = new Ganss.XSS.HtmlSanitizer(
allowedCssProperties: new[] { "color", "display", "text-align", "font-size", "margin-right", "width" },
allowedCssClasses: new[] { "badge", "badge-info", "userhint", "blockquote", "img-fluid" });

sanitizer.AllowedTags.Remove("button");

sanitizer.AllowedAttributes.Add("class");
sanitizer.AllowedAttributes.Remove("id");

var sanitizedComment = sanitizer.Sanitize(commentText);
return sanitizedComment;
}

private async Task NotifyUserMentioned(ZapContext db, User user, Post post, Comment comment, HtmlNode s)
{
if (s.Attributes.Count(a => a.Name == "class") > 0)
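Review bot: `SanitizeCommentXSS` only runs on the write path in `CreateComment`, so every comment stored before this commit is read back exactly as submitted; unless the views already HTML-encode `Comment.Text` on output, the existing rows need a one-off sanitizing pass (or sanitize-on-render as well) before this closes the hole the commit is aimed at. `Sanitize` is now called on `c.CommentContent` without a null check, which the old `Text = c.CommentContent` tolerated; `string commentText = c.CommentContent ?? string.Empty;` keeps a missing body from becoming an exception if the library does not accept null. The helper also builds a fully configured `HtmlSanitizer` on every call while `SanitizePostXSS` in the other controller builds a differently configured one (class allow-list here, `iframe` there); if the library allows reusing an instance once configured, a `private static readonly` sanitizer per policy in one shared place would make that divergence a deliberate choice rather than drift. A summary would help the next reader, e.g. `/// <summary>Removes script-bearing markup from user-supplied comment HTML; the class allow-list appears to be what NotifyUserMentioned's class-attribute check below depends on.</summary>`. `CreateComment`'s middle lines fall between the two hunks.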
@@ -263,6 +263,21 @@ private async Task EnsureUserExists(string userId, ZapContext db)
}
}

private static string SanitizePostXSS(string postText)
{
var sanitizer = new Ganss.XSS.HtmlSanitizer();
sanitizer.AllowedTags.Remove("button");
sanitizer.AllowedTags.Add("iframe");
sanitizer.AllowedAttributes.Add("class");
sanitizer.AllowedAttributes.Add("frameborder");
sanitizer.AllowedAttributes.Add("allowfullscreen");
sanitizer.AllowedAttributes.Add("seamless");
sanitizer.AllowedAttributes.Remove("id");

var sanitizedComment = sanitizer.Sanitize(postText);
return sanitizedComment;
}

[HttpPost]
public async Task<JsonResult> SubmitNewPost(NewPostMsg p)
{
@@ -293,7 +308,7 @@ public async Task<JsonResult> SubmitNewPost(NewPostMsg p)
}
}
}
string contentStr = postDocument.DocumentNode.OuterHtml;
string contentStr = SanitizePostXSS(postDocument.DocumentNode.OuterHtml);

var postGroup = db.Groups.FirstOrDefault(g => g.GroupId == p.GroupId);

@@ -323,6 +323,10 @@
<assemblyIdentity name="System.Diagnostics.DiagnosticSource" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />
<bindingRedirect oldVersion="0.0.0.0-4.0.3.1" newVersion="4.0.3.1" />
</dependentAssembly>
<dependentAssembly>
<assemblyIdentity name="HtmlAgilityPack" publicKeyToken="bd319b19eaf3b43a" culture="neutral" />
<bindingRedirect oldVersion="0.0.0.0-1.8.2.0" newVersion="1.8.2.0" />
</dependentAssembly>
</assemblyBinding>
</runtime>
<entityFramework>
@@ -7,6 +7,7 @@
<package id="Hangfire.Core" version="1.6.22" targetFramework="net461" />
<package id="Hangfire.SqlServer" version="1.6.22" targetFramework="net461" />
<package id="HtmlAgilityPack" version="1.8.2" targetFramework="net461" />
<package id="HtmlSanitizer" version="4.0.210" targetFramework="net461" />
<package id="Jdenticon-net" version="2.1.0" targetFramework="net461" />
<package id="jQuery" version="1.10.2" targetFramework="net461" />
<package id="jQuery.Validation" version="1.11.1" targetFramework="net461" />
@@ -66,6 +66,9 @@
<Reference Include="HtmlAgilityPack, Version=1.8.2.0, Culture=neutral, PublicKeyToken=bd319b19eaf3b43a, processorArchitecture=MSIL">
<HintPath>..\packages\HtmlAgilityPack.1.8.2\lib\Net45\HtmlAgilityPack.dll</HintPath>
</Reference>
<Reference Include="HtmlSanitizer, Version=4.0.0.0, Culture=neutral, PublicKeyToken=61c49a1a9e79cc28, processorArchitecture=MSIL">
<HintPath>..\packages\HtmlSanitizer.4.0.210\lib\net45\HtmlSanitizer.dll</HintPath>
</Reference>
<Reference Include="Jdenticon, Version=2.1.0.0, Culture=neutral, PublicKeyToken=3fcf9f6e3475a4f8, processorArchitecture=MSIL">
<HintPath>..\packages\Jdenticon-net.2.1.0\lib\net45\Jdenticon.dll</HintPath>
</Reference>
