yv01p/Umbraco-CMS
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

U4-9262 CleanForXss breaks rgba() values set as grid background color style

Browse Source
This commit is contained in:
Shannon
2016-12-20 13:27:53 +11:00
parent 0daaa3e785
commit 39505cd868
6 changed files with 22 additions and 17 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
src/Umbraco.Web.UI/Views/Partials/Grid/Bootstrap2-Fluid.cshtml
View File

@@ -66,7 +66,7 @@
if(cfg != null)
foreach (JProperty property in cfg.Properties())
{
var propertyValue = TemplateUtilities.CleanForXss(property.Value.ToString());
var propertyValue = HttpUtility.HtmlAttributeEncode(property.Value.ToString());
attrs.Add(property.Name + "=\"" + propertyValue + "\"");
}
@@ -76,7 +76,7 @@
var cssVals = new List<string>();
foreach (JProperty property in style.Properties())
{
var propertyValue = TemplateUtilities.CleanForXss(property.Value.ToString());
var propertyValue = property.Value.ToString();
if (string.IsNullOrWhiteSpace(propertyValue) == false)
{
cssVals.Add(property.Name + ":" + propertyValue + ";");
@@ -84,7 +84,7 @@
}
if (cssVals.Any())
attrs.Add("style='" + string.Join(" ", cssVals) + "'");
attrs.Add("style='" + HttpUtility.HtmlAttributeEncode(string.Join(" ", cssVals)) + "'");
}
return new MvcHtmlString(string.Join(" ", attrs));

6
src/Umbraco.Web.UI/Views/Partials/Grid/Bootstrap2.cshtml
View File

@@ -66,7 +66,7 @@
if(cfg != null)
foreach (JProperty property in cfg.Properties())
{
var propertyValue = TemplateUtilities.CleanForXss(property.Value.ToString());
var propertyValue = HttpUtility.HtmlAttributeEncode(property.Value.ToString());
attrs.Add(property.Name + "=\"" + propertyValue + "\"");
}
@@ -76,7 +76,7 @@
var cssVals = new List<string>();
foreach (JProperty property in style.Properties())
{
var propertyValue = TemplateUtilities.CleanForXss(property.Value.ToString());
var propertyValue = property.Value.ToString();
if (string.IsNullOrWhiteSpace(propertyValue) == false)
{
cssVals.Add(property.Name + ":" + propertyValue + ";");
@@ -84,7 +84,7 @@
}
if (cssVals.Any())
attrs.Add("style=\"" + string.Join(" ", cssVals) + "\"");
attrs.Add("style=\"" + HttpUtility.HtmlAttributeEncode(string.Join(" ", cssVals)) + "\"");
}
return new MvcHtmlString(string.Join(" ", attrs));

6
src/Umbraco.Web.UI/Views/Partials/Grid/Bootstrap3-Fluid.cshtml
View File

@@ -62,7 +62,7 @@
if(cfg != null)
foreach (JProperty property in cfg.Properties())
{
var propertyValue = TemplateUtilities.CleanForXss(property.Value.ToString());
var propertyValue = HttpUtility.HtmlAttributeEncode(property.Value.ToString());
attrs.Add(property.Name + "=\"" + propertyValue + "\"");
}
@@ -72,7 +72,7 @@
var cssVals = new List<string>();
foreach (JProperty property in style.Properties())
{
var propertyValue = TemplateUtilities.CleanForXss(property.Value.ToString());
var propertyValue = property.Value.ToString();
if (string.IsNullOrWhiteSpace(propertyValue) == false)
{
cssVals.Add(property.Name + ":" + propertyValue + ";");
@@ -80,7 +80,7 @@
}
if (cssVals.Any())
attrs.Add("style='" + string.Join(" ", cssVals) + "'");
attrs.Add("style='" + HttpUtility.HtmlAttributeEncode(string.Join(" ", cssVals)) + "'");
}
return new MvcHtmlString(string.Join(" ", attrs));

8
src/Umbraco.Web.UI/Views/Partials/Grid/Bootstrap3.cshtml
View File

@@ -66,17 +66,17 @@
if(cfg != null)
foreach (JProperty property in cfg.Properties())
{
var propertyValue = TemplateUtilities.CleanForXss(property.Value.ToString());
var propertyValue = HttpUtility.HtmlAttributeEncode(property.Value.ToString());
attrs.Add(property.Name + "=\"" + propertyValue + "\"");
}
JObject style = contentItem.styles;
if (style != null) {
var cssVals = new List<string>();
foreach (JProperty property in style.Properties())
{
var propertyValue = TemplateUtilities.CleanForXss(property.Value.ToString());
var propertyValue = property.Value.ToString();
if (string.IsNullOrWhiteSpace(propertyValue) == false)
{
cssVals.Add(property.Name + ":" + propertyValue + ";");
@@ -84,7 +84,7 @@
}
if (cssVals.Any())
attrs.Add("style=\"" + string.Join(" ", cssVals) + "\"");
attrs.Add("style=\"" + HttpUtility.HtmlAttributeEncode(string.Join(" ", cssVals)) + "\"");
}
return new MvcHtmlString(string.Join(" ", attrs));

4
src/Umbraco.Web.UI/Views/Partials/Grid/Editors/TextString.cshtml
View File

@@ -4,9 +4,9 @@
@if (Model.editor.config.markup != null)
{
string markup = Model.editor.config.markup.ToString();
var UmbracoHelper = new UmbracoHelper(UmbracoContext.Current);
var umbracoHelper = new UmbracoHelper(UmbracoContext.Current);
markup = markup.Replace("#value#", UmbracoHelper.ReplaceLineBreaksForHtml(TemplateUtilities.CleanForXss(Model.value.ToString())));
markup = markup.Replace("#value#", umbracoHelper.ReplaceLineBreaksForHtml(HttpUtility.HtmlEncode(Model.value.ToString())));
markup = markup.Replace("#style#", Model.editor.config.style.ToString());
<text>

9
src/Umbraco.Web/Media/EmbedProviders/AbstractOEmbedProvider.cs
View File

@@ -1,8 +1,10 @@
using System.Text;
using System;
using System.Text;
using System.Xml;
using System.Collections.Generic;
using System.Net;
using System.Net.Http;
using System.Web;
using Newtonsoft.Json;
using Umbraco.Core.Media;
@@ -27,10 +29,13 @@ namespace Umbraco.Web.Media.EmbedProviders
public virtual string BuildFullUrl(string url, int maxWidth, int maxHeight)
{
if (Uri.IsWellFormedUriString(url, UriKind.RelativeOrAbsolute) == false)
throw new ArgumentException("Not a valid Url");
var fullUrl = new StringBuilder();
fullUrl.Append(APIEndpoint);
fullUrl.Append("?url=" + url);
fullUrl.Append("?url=" + HttpUtility.UrlEncode(url));
foreach (var p in RequestParams)
fullUrl.Append(string.Format("&{0}={1}", p.Key, p.Value));