Ensures tag values are Html encoded both on the client side and on th… #1639

Merged
merged 2 commits into from Dec 5, 2016
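--- a/src/Umbraco.Web.UI.Client/lib/umbraco/Extensions.js
+++ b/src/Umbraco.Web.UI.Client/lib/umbraco/Extensions.js
@@ -69,6 +69,22 @@
 };
 }
 
+if (!String.prototype.htmlEncode) {
+/** htmlEncode extension method for string */
+String.prototype.htmlEncode = function () {
+//create a in-memory div, set it's inner text(which jQuery automatically encodes)
+//then grab the encoded contents back out. The div never exists on the page.
+return $('<div/>').text(this).html();
+};
+}
+
+if (!String.prototype.htmlDecode) {
+/** htmlDecode extension method for string */
+String.prototype.htmlDecode = function () {
+return $('<div/>').html(this).text();
+};
+}
+
 if (!String.prototype.startsWith) {
 /** startsWith extension method for string */
 String.prototype.startsWith = function (str) {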
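Review bot: The new `String.prototype.htmlEncode` builds its result with `$('<div/>').text(this).html()`, which serialises text content and therefore escapes `<`, `>` and `&` but leaves `"` and `'` untouched, so the value is only safe as element text and not inside an attribute value; the docblock should record that limit, e.g. `/** htmlEncode extension method for string — escapes <, > and & only; safe as element text, not as an attribute value */`. The companion `htmlDecode` decodes by assigning the untrusted string to a div's innerHTML via `.html(this)`, which parses it as markup and creates whatever elements it contains; a decoder should not build a DOM from its input, and a textarea avoids that because its content is parsed as plain text: `var textarea = document.createElement('textarea'); textarea.innerHTML = this; return textarea.value;`. Both helpers are only defined when the prototype slot is empty, so a page that loads another library defining `htmlEncode` first will silently get that library's semantics instead — worth a one-line comment on the `if (!String.prototype...)` guards.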
Expand Up @@ -41,7 +41,7 @@ angular.module("umbraco")

//Helper method to add a tag on enter or on typeahead select
function addTag(tagToAdd) {
tagToAdd = $sanitize(tagToAdd);
tagToAdd = String(tagToAdd).htmlEncode();
if (tagToAdd != null && tagToAdd.length > 0) {
if ($scope.model.value.indexOf(tagToAdd) < 0) {
$scope.model.value.push(tagToAdd);
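Review bot: `String(tagToAdd).htmlEncode()` on the new line coerces `undefined` and `null` to the literal strings `"undefined"` and `"null"`, which then satisfy the `tagToAdd != null && tagToAdd.length > 0` guard on the next line and can be pushed into `$scope.model.value`; the replaced `$sanitize(tagToAdd)` call would, as far as I can tell from Angular's parser, have turned those inputs into an empty string that the guard rejects, so this is a small behavioural regression. Guarding before coercing keeps the old outcome: `tagToAdd = tagToAdd == null ? '' : String(tagToAdd).htmlEncode();`. Because the pushed value is now the encoded form, the duplicate check `$scope.model.value.indexOf(tagToAdd)` will not match a tag stored before this change in raw form, and a template that renders the model through Angular's `{{ }}` interpolation will encode it a second time — both depend on code outside this hunk and are worth a comment here. `addTag` continues past the hunk's last line, and this file's header is not shown on the page.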
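--- a/src/Umbraco.Web/PropertyEditors/TagsPropertyEditor.cs
+++ b/src/Umbraco.Web/PropertyEditors/TagsPropertyEditor.cs
@@ -1,6 +1,7 @@
 using System.Collections.Generic;
 using System.ComponentModel.DataAnnotations;
 using System.Linq;
+using System.Net;
 using System.Runtime.InteropServices;
 using Newtonsoft.Json.Linq;
 using Umbraco.Core;
@@ -60,7 +61,14 @@ public TagPropertyValueEditor(PropertyValueEditor wrapped)
 public override object ConvertEditorToDb(ContentPropertyData editorValue, object currentValue)
 {
 var json = editorValue.Value as JArray;
-return json == null ? null : json.Select(x => x.Value<string>());
+return json == null
+? null
+: json.Select(x => x.Value<string>()).Where(x => x.IsNullOrWhiteSpace() == false)
+//First we will decode it as html because we know that if this is not a malicious post that the value is
+// already Html encoded by the tags JavaScript controller. Then we'll re-Html Encode it to ensure that in case this
+// is a malicious post (i.e. someone is submitting data manually by modifying the request).
+.Select(WebUtility.HtmlDecode)
+.Select(WebUtility.HtmlEncode);
 }
 
 /// <summary>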
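Review bot: The new `.Select(WebUtility.HtmlDecode).Select(WebUtility.HtmlEncode)` chain in `ConvertEditorToDb` persists each tag HTML-encoded, which moves an output-encoding decision into the storage layer: any consumer that already encodes on output (Razor's `@` does) will now render `&amp;` where the editor typed `&`, while a consumer that renders the value raw to avoid that is relying on this method as its only protection. That contract is not visible from the signature, so the method's doc comment should state it, e.g. `/// Persisted tag values are HTML-encoded exactly once (WebUtility.HtmlEncode); consumers must not encode them again.`. The explanatory comment above the two `Select` calls is also an unfinished sentence ("to ensure that in case this is a malicious post ...") and could read `// ... then re-encode, so the stored value is encoded exactly once even when the request bypassed the JavaScript controller.`. Two consequences of the normalisation are worth recording in that comment as well: a tag typed literally as entity text (for example `&amp;`) becomes indistinguishable from its encoded form and is collapsed to `&`, and `WebUtility.HtmlEncode` also turns some non-ASCII characters (the Latin-1 range) into numeric entities, so such tags are stored as `&#...;` sequences. The `using System.Net;` line in the first hunk is the import this chain needs.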