
- Improved Return URL sanitization for double-encoded values.
shauncummings committed May 18, 2022
1 parent 5510037 commit 2d55a2f
Showing 2 changed files with 32 additions and 4 deletions.
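--- a/Rock.Common/ExtensionMethods/StringExtensions.cs
+++ b/Rock.Common/ExtensionMethods/StringExtensions.cs
@@ -19,6 +19,7 @@
 using System.ComponentModel;
 using System.Globalization;
 using System.Linq;
+using System.Net;
 using System.Security.Cryptography;
 using System.Text;
 using System.Text.RegularExpressions;
@@ -144,14 +145,39 @@ public static string ScrubEncodedStringForXSSObjects( this string encodedString
 // Characters used by DOM Objects; javascript, document, window and URLs
 char[] badCharacters = new char[] { '<', '>', ':', '*' };
 
-if ( encodedString.IndexOfAny( badCharacters ) >= 0 )
+var decodedString = encodedString.GetFullyUrlDecodedValue();
+
+if ( decodedString.IndexOfAny( badCharacters ) >= 0 )
 {
 return "%2f";
 }
-else
+
+return encodedString;
+}
+
+/// <summary>
+/// Gets a fully URL-decoded string (or returns string.Empty if it cannot be decoded within 10 attempts).
+/// </summary>
+/// <param name="encodedString"></param>
+/// <returns></returns>
+public static string GetFullyUrlDecodedValue( this string encodedString )
+{
+int loopCount = 0;
+var decodedString = encodedString;
+var testString = WebUtility.UrlDecode( encodedString );
+while ( testString != decodedString )
 {
-return encodedString;
+loopCount++;
+if ( loopCount >= 10 )
+{
+return string.Empty;
+}
+
+decodedString = testString;
+testString = WebUtility.UrlDecode( testString );
 }
+
+return decodedString;
 }
 
 /// <summary>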
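Review bot: When GetFullyUrlDecodedValue hits its ten-pass cap it returns `string.Empty`, and ScrubEncodedStringForXSSObjects then finds no bad characters in an empty string and returns the original `encodedString` untouched, so a value the scrubber could not finish inspecting is passed through rather than refused; that sentinel is also indistinguishable from a genuinely empty input. Given the caller's intent is to reject anything it cannot verify, the guard should fail closed: `if ( decodedString.IndexOfAny( badCharacters ) >= 0 || ( decodedString.Length == 0 && encodedString.Length > 0 ) )`. The new XML doc leaves `<param>` and `<returns>` empty; I would fill them with `<param name="encodedString">A value that may carry several layers of URL encoding.</param>` and `<returns>The value with every layer of URL encoding removed, or string.Empty if it is still changing after ten passes.</returns>`. The same body is duplicated in Rock/Utility/ExtensionMethods/Obsolete/StringExtensions.cs and inherits the same fail-open behavior; ScrubEncodedStringForXSSObjects itself starts outside this hunk.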
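--- a/Rock/Utility/ExtensionMethods/Obsolete/StringExtensions.cs
+++ b/Rock/Utility/ExtensionMethods/Obsolete/StringExtensions.cs
@@ -162,7 +162,9 @@ public static string ScrubEncodedStringForXSSObjects( string encodedString )
 // Characters used by DOM Objects; javascript, document, window and URLs
 char[] badCharacters = new char[] { '<', '>', ':', '*' };
 
-if ( encodedString.IndexOfAny( badCharacters ) >= 0 )
+var decodedString = encodedString.GetFullyUrlDecodedValue();
+
+if ( decodedString.IndexOfAny( badCharacters ) >= 0 )
 {
 return "%2f";
 }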
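Review bot: This obsolete overload keeps a second hand-maintained copy of the scrubbing logic instead of delegating to the Rock.Common extension it already reaches for via `GetFullyUrlDecodedValue()`, which is why the same fix had to be applied in two files and why the two scrubbers can silently drift apart. Assuming the Rock.Common extension is in scope here, as that call suggests, forwarding with `return encodedString.ScrubEncodedStringForXSSObjects();` would leave a single implementation to audit. The method's signature and any `[Obsolete]` attribute are outside this hunk, so I cannot tell whether it is retained only for binary compatibility.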
