Skip to content

Commit

Permalink
U4-9134 XSS security issue in the grid
Browse files Browse the repository at this point in the history 
exposing xss clean method on templateutilities.
making the clean xss string extensions public instead of internal.
ensuring the included grid renderers clean for xss.
ensuring the included grid editors using html.raw with value directly, cleans for xss.
  • Loading branch information
Claus committed Nov 8, 2016
1 parent a0c672e commit 8bb069e
Show file tree
Hide file tree
Showing 12 changed files with 164 additions and 118 deletions.
2 changes: 1 addition & 1 deletion src/Umbraco.Core/StringExtensions.cs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -184,7 +184,7 @@ internal static string ReplaceNonAlphanumericChars(this string input, char repla
/// <param name="input"></param>
/// <param name="ignoreFromClean"></param>
/// <returns></returns>
internal static string CleanForXss(this string input, params char[] ignoreFromClean)
public static string CleanForXss(this string input, params char[] ignoreFromClean)
{
//remove any html
input = input.StripHtml();
Expand Down
2 changes: 2 additions & 0 deletions src/Umbraco.Web.UI/Umbraco.Web.UI.csproj
View file
Original file line number Diff line number Diff line change
Expand Up @@ -1973,6 +1973,8 @@
<Content Include="Views\Partials\Grid\Editors\Textstring.cshtml" />
<Content Include="Views\Partials\Grid\Bootstrap2.cshtml" />
<Content Include="Views\Partials\Grid\Editors\Base.cshtml" />
<Content Include="Views\Partials\Grid\Bootstrap3-Fluid.cshtml" />
<Content Include="Views\Partials\Grid\Bootstrap2-Fluid.cshtml" />
<None Include="Web.Debug.config.transformed" />
<None Include="web.Template.Debug.config">
<DependentUpon>Web.Template.config</DependentUpon>
Expand Down
31 changes: 21 additions & 10 deletions src/Umbraco.Web.UI/Views/Partials/Grid/Bootstrap2-Fluid.cshtml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -64,21 +64,32 @@
JObject cfg = contentItem.config;

if(cfg != null)
foreach (JProperty property in cfg.Properties()) {
attrs.Add(property.Name + "='" + property.Value.ToString() + "'");
foreach (JProperty property in cfg.Properties())
{
var propertyValue = TemplateUtilities.CleanForXss(property.Value.ToString());
if (string.IsNullOrWhiteSpace(propertyValue) == false)
{
attrs.Add(property.Name + "='" + propertyValue + "'");
}
}

JObject style = contentItem.styles;

if (style != null) {
var cssVals = new List<string>();
foreach (JProperty property in style.Properties())
cssVals.Add(property.Name + ":" + property.Value.ToString() + ";");
if (style != null) {
var cssVals = new List<string>();
foreach (JProperty property in style.Properties())
{
var propertyValue = TemplateUtilities.CleanForXss(property.Value.ToString());
if (string.IsNullOrWhiteSpace(propertyValue) == false)
{
cssVals.Add(property.Name + ":" + propertyValue + ";");
}
}

if (cssVals.Any())
attrs.Add("style='" + string.Join(" ", cssVals) + "'");
if (cssVals.Any())
attrs.Add("style='" + string.Join(" ", cssVals) + "'");
}

return new MvcHtmlString(string.Join(" ", attrs));
}
}
31 changes: 21 additions & 10 deletions src/Umbraco.Web.UI/Views/Partials/Grid/Bootstrap2.cshtml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -64,21 +64,32 @@
JObject cfg = contentItem.config;

if(cfg != null)
foreach (JProperty property in cfg.Properties()) {
attrs.Add(property.Name + "=\"" + property.Value.ToString() + "\"");
foreach (JProperty property in cfg.Properties())
{
var propertyValue = TemplateUtilities.CleanForXss(property.Value.ToString());
if (string.IsNullOrWhiteSpace(propertyValue) == false)
{
attrs.Add(property.Name + "=\"" + propertyValue + "\"");
}
}

JObject style = contentItem.styles;

if (style != null) {
var cssVals = new List<string>();
foreach (JProperty property in style.Properties())
cssVals.Add(property.Name + ":" + property.Value.ToString() + ";");
if (style != null) {
var cssVals = new List<string>();
foreach (JProperty property in style.Properties())
{
var propertyValue = TemplateUtilities.CleanForXss(property.Value.ToString());
if (string.IsNullOrWhiteSpace(propertyValue) == false)
{
cssVals.Add(property.Name + ":" + propertyValue + ";");
}
}

if (cssVals.Any())
attrs.Add("style=\"" + string.Join(" ", cssVals) + "\"");
if (cssVals.Any())
attrs.Add("style=\"" + string.Join(" ", cssVals) + "\"");
}

return new MvcHtmlString(string.Join(" ", attrs));
}
}
32 changes: 22 additions & 10 deletions src/Umbraco.Web.UI/Views/Partials/Grid/Bootstrap3-Fluid.cshtml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,7 @@
@*
Razor helpers located at the bottom of this file
*@

@if (Model != null && Model.sections != null)
{
var oneColumn = ((System.Collections.ICollection)Model.sections).Count == 1;
Expand Down Expand Up @@ -59,21 +60,32 @@
JObject cfg = contentItem.config;

if(cfg != null)
foreach (JProperty property in cfg.Properties()) {
attrs.Add(property.Name + "='" + property.Value.ToString() + "'");
foreach (JProperty property in cfg.Properties())
{
var propertyValue = TemplateUtilities.CleanForXss(property.Value.ToString());
if (string.IsNullOrWhiteSpace(propertyValue) == false)
{
attrs.Add(property.Name + "='" + propertyValue + "'");
}
}

JObject style = contentItem.styles;

if (style != null) {
var cssVals = new List<string>();
foreach (JProperty property in style.Properties())
cssVals.Add(property.Name + ":" + property.Value.ToString() + ";");
if (style != null) {
var cssVals = new List<string>();
foreach (JProperty property in style.Properties())
{
var propertyValue = TemplateUtilities.CleanForXss(property.Value.ToString());
if (string.IsNullOrWhiteSpace(propertyValue) == false)
{
cssVals.Add(property.Name + ":" + propertyValue + ";");
}
}

if (cssVals.Any())
attrs.Add("style='" + string.Join(" ", cssVals) + "'");
if (cssVals.Any())
attrs.Add("style='" + string.Join(" ", cssVals) + "'");
}

return new MvcHtmlString(string.Join(" ", attrs));
}
}
31 changes: 21 additions & 10 deletions src/Umbraco.Web.UI/Views/Partials/Grid/Bootstrap3.cshtml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -64,21 +64,32 @@
JObject cfg = contentItem.config;

if(cfg != null)
foreach (JProperty property in cfg.Properties()) {
attrs.Add(property.Name + "=\"" + property.Value.ToString() + "\"");
foreach (JProperty property in cfg.Properties())
{
var propertyValue = TemplateUtilities.CleanForXss(property.Value.ToString());
if (string.IsNullOrWhiteSpace(propertyValue) == false)
{
attrs.Add(property.Name + "=\"" + propertyValue +"\"");
}
}

JObject style = contentItem.styles;

if (style != null) {
var cssVals = new List<string>();
foreach (JProperty property in style.Properties())
cssVals.Add(property.Name + ":" + property.Value.ToString() + ";");
if (style != null) {
var cssVals = new List<string>();
foreach (JProperty property in style.Properties())
{
var propertyValue = TemplateUtilities.CleanForXss(property.Value.ToString());
if (string.IsNullOrWhiteSpace(propertyValue) == false)
{
cssVals.Add(property.Name + ":" + propertyValue + ";");
}
}

if (cssVals.Any())
attrs.Add("style=\"" + string.Join(" ", cssVals) + "\"");
if (cssVals.Any())
attrs.Add("style=\"" + string.Join(" ", cssVals) + "\"");
}

return new MvcHtmlString(string.Join(" ", attrs));
}
}
1 change: 0 additions & 1 deletion src/Umbraco.Web.UI/Views/Partials/Grid/Editors/Base.cshtml
View file
Original file line number Diff line number Diff line change
@@ -1,5 +1,4 @@
@model dynamic
@using Umbraco.Web.Templates

@functions {
public static string EditorView(dynamic contentItem)
Expand Down
1 change: 0 additions & 1 deletion src/Umbraco.Web.UI/Views/Partials/Grid/Editors/Embed.cshtml
View file
Original file line number Diff line number Diff line change
@@ -1,3 +1,2 @@
@model dynamic
@using Umbraco.Web.Templates
@Html.Raw(Model.value)
2 changes: 0 additions & 2 deletions src/Umbraco.Web.UI/Views/Partials/Grid/Editors/Macro.cshtml
View file
Original file line number Diff line number Diff line change
@@ -1,6 +1,4 @@
@inherits UmbracoViewPage<dynamic>
@using Umbraco.Web.Templates


@if (Model.value != null)
{
Expand Down
1 change: 0 additions & 1 deletion src/Umbraco.Web.UI/Views/Partials/Grid/Editors/Media.cshtml
View file
Original file line number Diff line number Diff line change
@@ -1,5 +1,4 @@
@model dynamic
@using Umbraco.Web.Templates

@if (Model.value != null)
{
Expand Down
5 changes: 2 additions & 3 deletions src/Umbraco.Web.UI/Views/Partials/Grid/Editors/TextString.cshtml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -4,10 +4,9 @@
@if (Model.editor.config.markup != null)
{
string markup = Model.editor.config.markup.ToString();

var UmbracoHelper = new UmbracoHelper(UmbracoContext.Current);

markup = markup.Replace("#value#", UmbracoHelper.ReplaceLineBreaksForHtml(Model.value.ToString()));
markup = markup.Replace("#value#", UmbracoHelper.ReplaceLineBreaksForHtml(TemplateUtilities.CleanForXss(Model.value.ToString())));
markup = markup.Replace("#style#", Model.editor.config.style.ToString());

<text>
Expand All @@ -17,6 +16,6 @@
else
{
<text>
<div style="@Model.editor.config.style">@Model.value</div>
<div style="@Model.editor.config.style">@TemplateUtilities.CleanForXss(Model.value.ToString())</div>
</text>
}
Loading

0 comments on commit 8bb069e

Please sign in to comment.