U4-9262 CleanForXss breaks rgba() values set as grid background color style
This commit is contained in:
Shannon
@@ -66,7 +66,7 @@
|
||||
if(cfg != null)
|
||||
foreach (JProperty property in cfg.Properties())
|
||||
{
|
||||
var propertyValue = TemplateUtilities.CleanForXss(property.Value.ToString());
|
||||
var propertyValue = HttpUtility.HtmlAttributeEncode(property.Value.ToString());
|
||||
attrs.Add(property.Name + "=\"" + propertyValue + "\"");
|
||||
}
|
||||
|
||||
@@ -76,7 +76,7 @@
|
||||
var cssVals = new List<string>();
|
||||
foreach (JProperty property in style.Properties())
|
||||
{
|
||||
var propertyValue = TemplateUtilities.CleanForXss(property.Value.ToString());
|
||||
var propertyValue = property.Value.ToString();
|
||||
if (string.IsNullOrWhiteSpace(propertyValue) == false)
|
||||
{
|
||||
cssVals.Add(property.Name + ":" + propertyValue + ";");
|
||||
@@ -84,7 +84,7 @@
|
||||
}
|
||||
|
||||
if (cssVals.Any())
|
||||
attrs.Add("style='" + string.Join(" ", cssVals) + "'");
|
||||
attrs.Add("style='" + HttpUtility.HtmlAttributeEncode(string.Join(" ", cssVals)) + "'");
|
||||
}
|
||||
|
||||
return new MvcHtmlString(string.Join(" ", attrs));
|
||||
|
||||
@@ -66,7 +66,7 @@
|
||||
if(cfg != null)
|
||||
foreach (JProperty property in cfg.Properties())
|
||||
{
|
||||
var propertyValue = TemplateUtilities.CleanForXss(property.Value.ToString());
|
||||
var propertyValue = HttpUtility.HtmlAttributeEncode(property.Value.ToString());
|
||||
attrs.Add(property.Name + "=\"" + propertyValue + "\"");
|
||||
}
|
||||
|
||||
@@ -76,7 +76,7 @@
|
||||
var cssVals = new List<string>();
|
||||
foreach (JProperty property in style.Properties())
|
||||
{
|
||||
var propertyValue = TemplateUtilities.CleanForXss(property.Value.ToString());
|
||||
var propertyValue = property.Value.ToString();
|
||||
if (string.IsNullOrWhiteSpace(propertyValue) == false)
|
||||
{
|
||||
cssVals.Add(property.Name + ":" + propertyValue + ";");
|
||||
@@ -84,7 +84,7 @@
|
||||
}
|
||||
|
||||
if (cssVals.Any())
|
||||
attrs.Add("style=\"" + string.Join(" ", cssVals) + "\"");
|
||||
attrs.Add("style=\"" + HttpUtility.HtmlAttributeEncode(string.Join(" ", cssVals)) + "\"");
|
||||
}
|
||||
|
||||
return new MvcHtmlString(string.Join(" ", attrs));
|
||||
|
||||
@@ -62,7 +62,7 @@
|
||||
if(cfg != null)
|
||||
foreach (JProperty property in cfg.Properties())
|
||||
{
|
||||
var propertyValue = TemplateUtilities.CleanForXss(property.Value.ToString());
|
||||
var propertyValue = HttpUtility.HtmlAttributeEncode(property.Value.ToString());
|
||||
attrs.Add(property.Name + "=\"" + propertyValue + "\"");
|
||||
}
|
||||
|
||||
@@ -72,7 +72,7 @@
|
||||
var cssVals = new List<string>();
|
||||
foreach (JProperty property in style.Properties())
|
||||
{
|
||||
var propertyValue = TemplateUtilities.CleanForXss(property.Value.ToString());
|
||||
var propertyValue = property.Value.ToString();
|
||||
if (string.IsNullOrWhiteSpace(propertyValue) == false)
|
||||
{
|
||||
cssVals.Add(property.Name + ":" + propertyValue + ";");
|
||||
@@ -80,7 +80,7 @@
|
||||
}
|
||||
|
||||
if (cssVals.Any())
|
||||
attrs.Add("style='" + string.Join(" ", cssVals) + "'");
|
||||
attrs.Add("style='" + HttpUtility.HtmlAttributeEncode(string.Join(" ", cssVals)) + "'");
|
||||
}
|
||||
|
||||
return new MvcHtmlString(string.Join(" ", attrs));
|
||||
|
||||
@@ -66,17 +66,17 @@
|
||||
if(cfg != null)
|
||||
foreach (JProperty property in cfg.Properties())
|
||||
{
|
||||
var propertyValue = TemplateUtilities.CleanForXss(property.Value.ToString());
|
||||
var propertyValue = HttpUtility.HtmlAttributeEncode(property.Value.ToString());
|
||||
attrs.Add(property.Name + "=\"" + propertyValue + "\"");
|
||||
}
|
||||
|
||||
|
||||
JObject style = contentItem.styles;
|
||||
|
||||
if (style != null) {
|
||||
var cssVals = new List<string>();
|
||||
foreach (JProperty property in style.Properties())
|
||||
{
|
||||
var propertyValue = TemplateUtilities.CleanForXss(property.Value.ToString());
|
||||
var propertyValue = property.Value.ToString();
|
||||
if (string.IsNullOrWhiteSpace(propertyValue) == false)
|
||||
{
|
||||
cssVals.Add(property.Name + ":" + propertyValue + ";");
|
||||
@@ -84,7 +84,7 @@
|
||||
}
|
||||
|
||||
if (cssVals.Any())
|
||||
attrs.Add("style=\"" + string.Join(" ", cssVals) + "\"");
|
||||
attrs.Add("style=\"" + HttpUtility.HtmlAttributeEncode(string.Join(" ", cssVals)) + "\"");
|
||||
}
|
||||
|
||||
return new MvcHtmlString(string.Join(" ", attrs));
|
||||
|
||||
@@ -4,9 +4,9 @@
|
||||
@if (Model.editor.config.markup != null)
|
||||
{
|
||||
string markup = Model.editor.config.markup.ToString();
|
||||
var UmbracoHelper = new UmbracoHelper(UmbracoContext.Current);
|
||||
var umbracoHelper = new UmbracoHelper(UmbracoContext.Current);
|
||||
|
||||
markup = markup.Replace("#value#", UmbracoHelper.ReplaceLineBreaksForHtml(TemplateUtilities.CleanForXss(Model.value.ToString())));
|
||||
markup = markup.Replace("#value#", umbracoHelper.ReplaceLineBreaksForHtml(HttpUtility.HtmlEncode(Model.value.ToString())));
|
||||
markup = markup.Replace("#style#", Model.editor.config.style.ToString());
|
||||
|
||||
<text>
|
||||
|
||||
Reference in New Issue
Block a user