Removing malicious code from the name of a Stylesheet.

src/Umbraco.Core/StringExtensions.cs

@@ -190,7 +190,7 @@ namespace Umbraco.Core
             return new string(outputArray);
         }
 
-        private static readonly char[] CleanForXssChars = "*?(){}[];:%<>/\\|&'\"".ToCharArray();
+        private static readonly char[] CleanForXssChars = "*?(){}[];:%<>/\\|&'+\"".ToCharArray();
 
         /// <summary>
         /// Cleans string to aid in preventing xss attacks.
@@ -541,7 +541,7 @@ namespace Umbraco.Core
         /// <returns>Returns the string without any html tags.</returns>
         public static string StripHtml(this string text)
         {
-            const string pattern = @"<(.|\n)*?>";
+            string pattern = "[*{}\\/:<>?|\"-+()\\n]";
             return Regex.Replace(text, pattern, String.Empty);
         }
 

src/Umbraco.Web/UI/LegacyDialogHandler.cs

@@ -207,7 +207,7 @@ namespace Umbraco.Web.UI
 
             typeInstance.TypeID = typeId;
             typeInstance.ParentID = nodeId;
-            typeInstance.Alias = text;
+            typeInstance.Alias = text.CleanForXss();
 
             // check for returning url
             ITaskReturnUrl returnUrlTask = typeInstance as LegacyDialogTask;

src/Umbraco.Web/WebServices/SaveFileController.cs

@@ -243,7 +243,7 @@ namespace Umbraco.Web.WebServices
             // sanitize input - stylesheet names have no extension
             var svce = (FileService)Services.FileService;
 
-            filename = CleanFilename(filename);
+            filename = CleanFilename(filename.CleanForXss());
             oldName = CleanFilename(oldName);
 
             if (filename != oldName)