From 39505cd868b83dfb8171ea1b664a91ebee8312b7 Mon Sep 17 00:00:00 2001
From: Shannon
Date: Tue, 20 Dec 2016 13:27:53 +1100
Subject: [PATCH] U4-9262 CleanForXss breaks rgba() values set as grid background color style
---
 .../Views/Partials/Grid/Bootstrap2-Fluid.cshtml | 6 +++---
 src/Umbraco.Web.UI/Views/Partials/Grid/Bootstrap2.cshtml | 6 +++---
 .../Views/Partials/Grid/Bootstrap3-Fluid.cshtml | 6 +++---
 src/Umbraco.Web.UI/Views/Partials/Grid/Bootstrap3.cshtml | 8 ++++----
 .../Views/Partials/Grid/Editors/TextString.cshtml | 4 ++--
 .../Media/EmbedProviders/AbstractOEmbedProvider.cs | 9 +++++++--
 6 files changed, 22 insertions(+), 17 deletions(-)
diff --git a/src/Umbraco.Web.UI/Views/Partials/Grid/Bootstrap2-Fluid.cshtml b/src/Umbraco.Web.UI/Views/Partials/Grid/Bootstrap2-Fluid.cshtml
index f6b93139ce..d8e9f40e15 100644
--- a/src/Umbraco.Web.UI/Views/Partials/Grid/Bootstrap2-Fluid.cshtml
+++ b/src/Umbraco.Web.UI/Views/Partials/Grid/Bootstrap2-Fluid.cshtml
@@ -66,7 +66,7 @@
 if(cfg != null)
 foreach (JProperty property in cfg.Properties())
 {
- var propertyValue = TemplateUtilities.CleanForXss(property.Value.ToString());
+ var propertyValue = HttpUtility.HtmlAttributeEncode(property.Value.ToString());
 attrs.Add(property.Name + "=\"" + propertyValue + "\"");
 }
@@ -76,7 +76,7 @@
 var cssVals = new List();
 foreach (JProperty property in style.Properties())
 {
- var propertyValue = TemplateUtilities.CleanForXss(property.Value.ToString());
+ var propertyValue = property.Value.ToString();
 if (string.IsNullOrWhiteSpace(propertyValue) == false)
 {
 cssVals.Add(property.Name + ":" + propertyValue + ";");
@@ -84,7 +84,7 @@
 }
 if (cssVals.Any())
- attrs.Add("style='" + string.Join(" ", cssVals) + "'");
+ attrs.Add("style='" + HttpUtility.HtmlAttributeEncode(string.Join(" ", cssVals)) + "'");
 }
 return new MvcHtmlString(string.Join(" ", attrs));
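Review bot: `property.Name` is still concatenated raw on the `attrs.Add(property.Name + "=\"" + propertyValue + "\"");` line, so after this change the attribute value is encoded but the attribute name it is written into is not. The `cssVals.Add(property.Name + ":" + propertyValue + ";");` line in the next hunk has the same shape, as do the matching hunks in Bootstrap2.cshtml, Bootstrap3-Fluid.cshtml and Bootstrap3.cshtml. Whether that matters depends on whether the JSON keys behind `cfg` and `style` can be set by anyone other than whoever administers the grid configuration, which the hunk does not show; if they can, apply `HttpUtility.HtmlAttributeEncode(property.Name)` as well, or better, emit only names from a known set of attributes and CSS properties. The enclosing helper starts before this hunk.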
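Review bot: With `CleanForXss` removed on the `var propertyValue = property.Value.ToString();` line, a style value now reaches the output with no value-level check at all; the `HtmlAttributeEncode` added in the following hunk only keeps the value from terminating the `style` attribute, it does not constrain the CSS inside it. That is a reasonable trade if these styles are set only by trusted backoffice users, but since the stated reason for the change is to admit `rgba()` colour values, a narrow allow-list of accepted value forms (hex, named and `rgb()`/`rgba()` colours for colour properties, plus whatever other properties the grid exposes) would fix the regression without dropping all filtering. Bootstrap2.cshtml, Bootstrap3-Fluid.cshtml and Bootstrap3.cshtml make the same change in their corresponding hunk.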
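Review bot: The attribute on the `attrs.Add("style='" + HttpUtility.HtmlAttributeEncode(string.Join(" ", cssVals)) + "'");` line is delimited with single quotes, so the encoding is only sufficient if `HtmlAttributeEncode` escapes `'` as well as `"`, `&` and `<`. It does on .NET 4.0 and later (as `&#39;`), but as far as I know earlier framework versions left `'` alone, so either confirm the target framework or switch the delimiter to double quotes, which is what Bootstrap2.cshtml and Bootstrap3.cshtml already use. Bootstrap3-Fluid.cshtml has the same single-quoted form in its last hunk.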
diff --git a/src/Umbraco.Web.UI/Views/Partials/Grid/Bootstrap2.cshtml b/src/Umbraco.Web.UI/Views/Partials/Grid/Bootstrap2.cshtml
index c5fabe2abf..c8f9ab7cd1 100644
--- a/src/Umbraco.Web.UI/Views/Partials/Grid/Bootstrap2.cshtml
+++ b/src/Umbraco.Web.UI/Views/Partials/Grid/Bootstrap2.cshtml
@@ -66,7 +66,7 @@
 if(cfg != null)
 foreach (JProperty property in cfg.Properties())
 {
- var propertyValue = TemplateUtilities.CleanForXss(property.Value.ToString());
+ var propertyValue = HttpUtility.HtmlAttributeEncode(property.Value.ToString());
 attrs.Add(property.Name + "=\"" + propertyValue + "\"");
 }
@@ -76,7 +76,7 @@
 var cssVals = new List();
 foreach (JProperty property in style.Properties())
 {
- var propertyValue = TemplateUtilities.CleanForXss(property.Value.ToString());
+ var propertyValue = property.Value.ToString();
 if (string.IsNullOrWhiteSpace(propertyValue) == false)
 {
 cssVals.Add(property.Name + ":" + propertyValue + ";");
@@ -84,7 +84,7 @@
 }
 if (cssVals.Any())
- attrs.Add("style=\"" + string.Join(" ", cssVals) + "\"");
+ attrs.Add("style=\"" + HttpUtility.HtmlAttributeEncode(string.Join(" ", cssVals)) + "\"");
 }
 return new MvcHtmlString(string.Join(" ", attrs));
diff --git a/src/Umbraco.Web.UI/Views/Partials/Grid/Bootstrap3-Fluid.cshtml b/src/Umbraco.Web.UI/Views/Partials/Grid/Bootstrap3-Fluid.cshtml
index b7e8ef34fb..defe59d808 100644
--- a/src/Umbraco.Web.UI/Views/Partials/Grid/Bootstrap3-Fluid.cshtml
+++ b/src/Umbraco.Web.UI/Views/Partials/Grid/Bootstrap3-Fluid.cshtml
@@ -62,7 +62,7 @@
 if(cfg != null)
 foreach (JProperty property in cfg.Properties())
 {
- var propertyValue = TemplateUtilities.CleanForXss(property.Value.ToString());
+ var propertyValue = HttpUtility.HtmlAttributeEncode(property.Value.ToString());
 attrs.Add(property.Name + "=\"" + propertyValue + "\"");
 }
@@ -72,7 +72,7 @@
 var cssVals = new List();
 foreach (JProperty property in style.Properties())
 {
- var propertyValue = TemplateUtilities.CleanForXss(property.Value.ToString());
+ var propertyValue = property.Value.ToString();
 if (string.IsNullOrWhiteSpace(propertyValue) == false)
 {
 cssVals.Add(property.Name + ":" + propertyValue + ";");
@@ -80,7 +80,7 @@
 }
 if (cssVals.Any())
- attrs.Add("style='" + string.Join(" ", cssVals) + "'");
+ attrs.Add("style='" + HttpUtility.HtmlAttributeEncode(string.Join(" ", cssVals)) + "'");
 }
 return new MvcHtmlString(string.Join(" ", attrs));
diff --git a/src/Umbraco.Web.UI/Views/Partials/Grid/Bootstrap3.cshtml b/src/Umbraco.Web.UI/Views/Partials/Grid/Bootstrap3.cshtml
index 3a4fa3b8e2..6ab5c1355a 100644
--- a/src/Umbraco.Web.UI/Views/Partials/Grid/Bootstrap3.cshtml
+++ b/src/Umbraco.Web.UI/Views/Partials/Grid/Bootstrap3.cshtml
@@ -66,17 +66,17 @@
 if(cfg != null)
 foreach (JProperty property in cfg.Properties())
 {
- var propertyValue = TemplateUtilities.CleanForXss(property.Value.ToString());
+ var propertyValue = HttpUtility.HtmlAttributeEncode(property.Value.ToString());
 attrs.Add(property.Name + "=\"" + propertyValue + "\"");
 }
-
+
 JObject style = contentItem.styles;
 if (style != null)
 {
 var cssVals = new List();
 foreach (JProperty property in style.Properties())
 {
- var propertyValue = TemplateUtilities.CleanForXss(property.Value.ToString());
+ var propertyValue = property.Value.ToString();
 if (string.IsNullOrWhiteSpace(propertyValue) == false)
 {
 cssVals.Add(property.Name + ":" + propertyValue + ";");
@@ -84,7 +84,7 @@
 }
 if (cssVals.Any())
- attrs.Add("style=\"" + string.Join(" ", cssVals) + "\"");
+ attrs.Add("style=\"" + HttpUtility.HtmlAttributeEncode(string.Join(" ", cssVals)) + "\"");
 }
 return new MvcHtmlString(string.Join(" ", attrs));
diff --git a/src/Umbraco.Web.UI/Views/Partials/Grid/Editors/TextString.cshtml b/src/Umbraco.Web.UI/Views/Partials/Grid/Editors/TextString.cshtml
index 5a570efdb5..8c92ca0d83 100644
--- a/src/Umbraco.Web.UI/Views/Partials/Grid/Editors/TextString.cshtml
+++ b/src/Umbraco.Web.UI/Views/Partials/Grid/Editors/TextString.cshtml
@@ -4,9 +4,9 @@
 @if (Model.editor.config.markup != null)
 {
 string markup = Model.editor.config.markup.ToString();
- var UmbracoHelper = new UmbracoHelper(UmbracoContext.Current);
+ var umbracoHelper = new UmbracoHelper(UmbracoContext.Current);
- markup = markup.Replace("#value#", UmbracoHelper.ReplaceLineBreaksForHtml(TemplateUtilities.CleanForXss(Model.value.ToString())));
+ markup = markup.Replace("#value#", umbracoHelper.ReplaceLineBreaksForHtml(HttpUtility.HtmlEncode(Model.value.ToString())));
 markup = markup.Replace("#style#", Model.editor.config.style.ToString());
diff --git a/src/Umbraco.Web/Media/EmbedProviders/AbstractOEmbedProvider.cs b/src/Umbraco.Web/Media/EmbedProviders/AbstractOEmbedProvider.cs
index 51622ed504..2f8ec85075 100644
--- a/src/Umbraco.Web/Media/EmbedProviders/AbstractOEmbedProvider.cs
+++ b/src/Umbraco.Web/Media/EmbedProviders/AbstractOEmbedProvider.cs
@@ -1,8 +1,10 @@
-using System.Text;
+using System;
+using System.Text;
 using System.Xml;
 using System.Collections.Generic;
 using System.Net;
 using System.Net.Http;
+using System.Web;
 using Newtonsoft.Json;
 using Umbraco.Core.Media;
@@ -27,10 +29,13 @@ namespace Umbraco.Web.Media.EmbedProviders
 public virtual string BuildFullUrl(string url, int maxWidth, int maxHeight)
 {
+ if (Uri.IsWellFormedUriString(url, UriKind.RelativeOrAbsolute) == false)
+ throw new ArgumentException("Not a valid Url");
+
 var fullUrl = new StringBuilder();
 fullUrl.Append(APIEndpoint);
- fullUrl.Append("?url=" + url);
+ fullUrl.Append("?url=" + HttpUtility.UrlEncode(url));
 foreach (var p in RequestParams)
 fullUrl.Append(string.Format("&{0}={1}", p.Key, p.Value));
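Review bot: `Model.editor.config.style.ToString()` on the `markup = markup.Replace("#style#", Model.editor.config.style.ToString());` line is still spliced into the markup unencoded, while the `#value#` replacement on the line above now goes through `HttpUtility.HtmlEncode`. The editor config is presumably only editable from the data type settings, so the exposure is narrower than for the content value, but it lands in the same output; if `#style#` sits inside a style attribute in the markup template, `HttpUtility.HtmlAttributeEncode(Model.editor.config.style.ToString())` would bring it in line with the rest of the commit. Encoding the value before `ReplaceLineBreaksForHtml` is the right order, assuming that helper inserts HTML line-break markup that must survive intact.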
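Review bot: `Uri.IsWellFormedUriString(url, UriKind.RelativeOrAbsolute)` on the added guard only checks syntax, so a relative path or an absolute URI with any scheme passes it and is then forwarded to `APIEndpoint` as the `url` parameter. An oEmbed lookup only makes sense for an absolute http(s) URL, so `Uri uri;` then `if (Uri.TryCreate(url, UriKind.Absolute, out uri) == false || (uri.Scheme != Uri.UriSchemeHttp && uri.Scheme != Uri.UriSchemeHttps))` followed by `throw new ArgumentException("Not a valid Url", "url");` is both the stronger and the cheaper check, and it gives the exception its parameter name. `HttpUtility.UrlEncode(url)` is the right fix for the query string; `p.Value` on the last context line is still appended unencoded, which is fine only as long as `RequestParams` is provider-controlled, which the hunk does not show.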