Merge pull request from GHSA-gvpc-3pj6-4m9w

* Add MarkDownPropertyValueEditor with html sanitizer

* Implement IMarkdownSanitizer.

src/Umbraco.Core/DependencyInjection/UmbracoBuilder.cs

@@ -317,8 +317,9 @@ namespace Umbraco.Cms.Core.DependencyInjection
             Services.AddSingleton<ConflictingPackageData>();
             Services.AddSingleton<CompiledPackageXmlParser>();
 
-            // Register a noop IHtmlSanitizer to be replaced
+            // Register a noop IHtmlSanitizer & IMarkdownSanitizer to be replaced
             Services.AddUnique<IHtmlSanitizer, NoopHtmlSanitizer>();
+            Services.AddUnique<IMarkdownSanitizer, NoopMarkdownSanitizer>();
 
             Services.AddUnique<IPropertyTypeUsageService, PropertyTypeUsageService>();
             Services.AddUnique<IDataTypeUsageService, DataTypeUsageService>();

src/Umbraco.Core/PropertyEditors/MarkDownPropertyValueEditor.cs

@@ -0,0 +1,39 @@
+using Umbraco.Cms.Core.IO;
+using Umbraco.Cms.Core.Models.Editors;
+using Umbraco.Cms.Core.Security;
+using Umbraco.Cms.Core.Serialization;
+using Umbraco.Cms.Core.Services;
+using Umbraco.Cms.Core.Strings;
+using Umbraco.Extensions;
+
+namespace Umbraco.Cms.Core.PropertyEditors;
+
+/// <summary>
+///     A custom value editor to ensure that macro syntax is parsed when being persisted and formatted correctly for
+///     display in the editor
+/// </summary>
+internal class MarkDownPropertyValueEditor : DataValueEditor
+{
+    private readonly IMarkdownSanitizer _markdownSanitizer;
+
+    public MarkDownPropertyValueEditor(
+        ILocalizedTextService localizedTextService,
+        IShortStringHelper shortStringHelper,
+        IJsonSerializer jsonSerializer,
+        IIOHelper ioHelper,
+        DataEditorAttribute attribute,
+        IMarkdownSanitizer markdownSanitizer)
+        : base(localizedTextService, shortStringHelper, jsonSerializer, ioHelper, attribute) => _markdownSanitizer = markdownSanitizer;
+
+    public override object? FromEditor(ContentPropertyData editorValue, object? currentValue)
+    {
+        if (string.IsNullOrWhiteSpace(editorValue.Value?.ToString()))
+        {
+            return null;
+        }
+
+        var sanitized = _markdownSanitizer.Sanitize(editorValue.Value.ToString()!);
+
+        return sanitized.NullOrWhiteSpaceAsNull();
+    }
+}

src/Umbraco.Core/PropertyEditors/MarkdownPropertyEditor.cs

@@ -4,6 +4,7 @@
 using Microsoft.Extensions.DependencyInjection;
 using Umbraco.Cms.Core.DependencyInjection;
 using Umbraco.Cms.Core.IO;
+using Umbraco.Cms.Core.Models;
 using Umbraco.Cms.Core.Services;
 
 namespace Umbraco.Cms.Core.PropertyEditors;
@@ -50,4 +51,11 @@ public class MarkdownPropertyEditor : DataEditor
     /// <inheritdoc />
     protected override IConfigurationEditor CreateConfigurationEditor() =>
         new MarkdownConfigurationEditor(_ioHelper, _editorConfigurationParser);
+
+    /// <summary>
+    ///     Create a custom value editor
+    /// </summary>
+    /// <returns></returns>
+    protected override IDataValueEditor CreateValueEditor() =>
+        DataValueEditorFactory.Create<MarkDownPropertyValueEditor>(Attribute!);
 }

src/Umbraco.Core/Security/IMarkdownSanitizer.cs

@@ -0,0 +1,14 @@
+namespace Umbraco.Cms.Core.Security;
+
+/// <summary>
+/// Sanitizer service for the markdown editor.
+/// </summary>
+public interface IMarkdownSanitizer
+{
+    /// <summary>
+    ///     Sanitizes Markdown
+    /// </summary>
+    /// <param name="markdown">Markdown to be sanitized</param>
+    /// <returns>Sanitized Markdown</returns>
+    string Sanitize(string markdown);
+}

src/Umbraco.Core/Security/NoopMarkdownSanitizer.cs

@@ -0,0 +1,8 @@
+namespace Umbraco.Cms.Core.Security;
+
+/// <inheritdoc />
+public class NoopMarkdownSanitizer : IMarkdownSanitizer
+{
+    /// <inheritdoc />
+    public string Sanitize(string markdown) => markdown;
+}