From 1b712fe6ec52aa4e71b3acf63e393c8e6ab85385 Mon Sep 17 00:00:00 2001
From: Nikolaj Geisle <70372949+Zeegaan@users.noreply.github.com>
Date: Tue, 6 Feb 2024 09:53:40 +0100
Subject: [PATCH] Merge pull request from GHSA-gvpc-3pj6-4m9w

* Add MarkDownPropertyValueEditor with html sanitizer

* Implement IMarkdownSanitizer.
---
 .../DependencyInjection/UmbracoBuilder.cs     |  3 +-
 .../MarkDownPropertyValueEditor.cs            | 39 +++++++++++++++++++
 .../PropertyEditors/MarkdownPropertyEditor.cs |  8 ++++
 .../Security/IMarkdownSanitizer.cs            | 14 +++++++
 .../Security/NoopMarkdownSanitizer.cs         |  8 ++++
 5 files changed, 71 insertions(+), 1 deletion(-)
 create mode 100644 src/Umbraco.Core/PropertyEditors/MarkDownPropertyValueEditor.cs
 create mode 100644 src/Umbraco.Core/Security/IMarkdownSanitizer.cs
 create mode 100644 src/Umbraco.Core/Security/NoopMarkdownSanitizer.cs

diff --git a/src/Umbraco.Core/DependencyInjection/UmbracoBuilder.cs b/src/Umbraco.Core/DependencyInjection/UmbracoBuilder.cs
index 098f770ebc..cf44114c19 100644
--- a/src/Umbraco.Core/DependencyInjection/UmbracoBuilder.cs
+++ b/src/Umbraco.Core/DependencyInjection/UmbracoBuilder.cs
@@ -317,8 +317,9 @@ namespace Umbraco.Cms.Core.DependencyInjection
             Services.AddSingleton<ConflictingPackageData>();
             Services.AddSingleton<CompiledPackageXmlParser>();
 
-            // Register a noop IHtmlSanitizer to be replaced
+            // Register a noop IHtmlSanitizer & IMarkdownSanitizer to be replaced
             Services.AddUnique<IHtmlSanitizer, NoopHtmlSanitizer>();
+            Services.AddUnique<IMarkdownSanitizer, NoopMarkdownSanitizer>();
 
             Services.AddUnique<IPropertyTypeUsageService, PropertyTypeUsageService>();
             Services.AddUnique<IDataTypeUsageService, DataTypeUsageService>();
diff --git a/src/Umbraco.Core/PropertyEditors/MarkDownPropertyValueEditor.cs b/src/Umbraco.Core/PropertyEditors/MarkDownPropertyValueEditor.cs
new file mode 100644
index 0000000000..637a971d68
--- /dev/null
+++ b/src/Umbraco.Core/PropertyEditors/MarkDownPropertyValueEditor.cs
@@ -0,0 +1,39 @@
+using Umbraco.Cms.Core.IO;
+using Umbraco.Cms.Core.Models.Editors;
+using Umbraco.Cms.Core.Security;
+using Umbraco.Cms.Core.Serialization;
+using Umbraco.Cms.Core.Services;
+using Umbraco.Cms.Core.Strings;
+using Umbraco.Extensions;
+
+namespace Umbraco.Cms.Core.PropertyEditors;
+
+/// <summary>
+///     A custom value editor to ensure that macro syntax is parsed when being persisted and formatted correctly for
+///     display in the editor
+/// </summary>
+internal class MarkDownPropertyValueEditor : DataValueEditor
+{
+    private readonly IMarkdownSanitizer _markdownSanitizer;
+
+    public MarkDownPropertyValueEditor(
+        ILocalizedTextService localizedTextService,
+        IShortStringHelper shortStringHelper,
+        IJsonSerializer jsonSerializer,
+        IIOHelper ioHelper,
+        DataEditorAttribute attribute,
+        IMarkdownSanitizer markdownSanitizer)
+        : base(localizedTextService, shortStringHelper, jsonSerializer, ioHelper, attribute) => _markdownSanitizer = markdownSanitizer;
+
+    public override object? FromEditor(ContentPropertyData editorValue, object? currentValue)
+    {
+        if (string.IsNullOrWhiteSpace(editorValue.Value?.ToString()))
+        {
+            return null;
+        }
+
+        var sanitized = _markdownSanitizer.Sanitize(editorValue.Value.ToString()!);
+
+        return sanitized.NullOrWhiteSpaceAsNull();
+    }
+}
diff --git a/src/Umbraco.Core/PropertyEditors/MarkdownPropertyEditor.cs b/src/Umbraco.Core/PropertyEditors/MarkdownPropertyEditor.cs
index 8b1b181c8c..531262f0b2 100644
--- a/src/Umbraco.Core/PropertyEditors/MarkdownPropertyEditor.cs
+++ b/src/Umbraco.Core/PropertyEditors/MarkdownPropertyEditor.cs
@@ -4,6 +4,7 @@
 using Microsoft.Extensions.DependencyInjection;
 using Umbraco.Cms.Core.DependencyInjection;
 using Umbraco.Cms.Core.IO;
+using Umbraco.Cms.Core.Models;
 using Umbraco.Cms.Core.Services;
 
 namespace Umbraco.Cms.Core.PropertyEditors;
@@ -50,4 +51,11 @@ public class MarkdownPropertyEditor : DataEditor
     /// <inheritdoc />
     protected override IConfigurationEditor CreateConfigurationEditor() =>
         new MarkdownConfigurationEditor(_ioHelper, _editorConfigurationParser);
+
+    /// <summary>
+    ///     Create a custom value editor
+    /// </summary>
+    /// <returns></returns>
+    protected override IDataValueEditor CreateValueEditor() =>
+        DataValueEditorFactory.Create<MarkDownPropertyValueEditor>(Attribute!);
 }
diff --git a/src/Umbraco.Core/Security/IMarkdownSanitizer.cs b/src/Umbraco.Core/Security/IMarkdownSanitizer.cs
new file mode 100644
index 0000000000..ed1fed2a2c
--- /dev/null
+++ b/src/Umbraco.Core/Security/IMarkdownSanitizer.cs
@@ -0,0 +1,14 @@
+namespace Umbraco.Cms.Core.Security;
+
+/// <summary>
+/// Sanitizer service for the markdown editor.
+/// </summary>
+public interface IMarkdownSanitizer
+{
+    /// <summary>
+    ///     Sanitizes Markdown
+    /// </summary>
+    /// <param name="markdown">Markdown to be sanitized</param>
+    /// <returns>Sanitized Markdown</returns>
+    string Sanitize(string markdown);
+}
diff --git a/src/Umbraco.Core/Security/NoopMarkdownSanitizer.cs b/src/Umbraco.Core/Security/NoopMarkdownSanitizer.cs
new file mode 100644
index 0000000000..3da03b0e63
--- /dev/null
+++ b/src/Umbraco.Core/Security/NoopMarkdownSanitizer.cs
@@ -0,0 +1,8 @@
+namespace Umbraco.Cms.Core.Security;
+
+/// <inheritdoc />
+public class NoopMarkdownSanitizer : IMarkdownSanitizer
+{
+    /// <inheritdoc />
+    public string Sanitize(string markdown) => markdown;
+}