Merge remote-tracking branch 'origin/6.2.0' into 7.0.1

Conflicts:
	src/Umbraco.Web.UI/umbraco/LiveEditing/Modules/SkinModule/ModuleInjector.aspx
	src/Umbraco.Web.UI/umbraco/Umbraco.aspx.cs
	src/Umbraco.Web/umbraco.presentation/umbraco/LiveEditing/Modules/SkinModule/ImageUploader.aspx.cs
	src/Umbraco.Web/umbraco.presentation/umbraco/dashboard.aspx.cs
	src/Umbraco.Web/umbraco.presentation/umbraco/developer/Cache/viewCacheItem.aspx.cs
	src/Umbraco.Web/umbraco.presentation/umbraco/developer/Macros/assemblyBrowser.aspx.cs
Shannon
2013-12-04 13:50:55 +11:00
13 changed files with 36 additions and 24 deletions


@@ -63,6 +63,19 @@ namespace Umbraco.Core
return mName;
}
/// <summary>
/// Cleans string to aid in preventing xss attacks.
/// </summary>
/// <param name="input"></param>
/// <returns></returns>
internal static string CleanForXss(this string input)
{
//remove any html
input = input.StripHtml();
//strip out any potential chars involved with XSS
return input.ExceptChars(new HashSet<char>("*?(){}[];:%<>/\\|&'\"".ToCharArray()));
}
public static string ExceptChars(this string str, HashSet<char> toExclude)
{
var sb = new StringBuilder(str.Length);
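Review bot: The XML doc on CleanForXss leaves `<param name="input">` and `<returns>` empty and never says what "clean" means, which matters because the rest of this commit substitutes the method for output encoding: it strips HTML tags and then drops every character in `*?(){}[];:%<>/\|&'"`, a lossy blocklist that is not a replacement for context-aware encoding (`<%: %>`, `HttpUtility.HtmlAttributeEncode`, `HttpUtility.JavaScriptStringEncode`) at the point of output. I would fill `<param name="input">` with "Untrusted request value; HTML is stripped and the listed characters removed" and `<returns>` with "The filtered string; a value that legitimately contains a path separator, a query delimiter or a MIME '/' cannot be reconstructed from it", and add a `<remarks>` saying the result still has to be encoded for the HTML, attribute, script or URL context it is written into. The `HashSet<char>` is rebuilt on every call; hoisting it to `private static readonly HashSet<char> XssChars = new HashSet<char>("*?(){}[];:%<>/\\|&'\"".ToCharArray());` and passing `XssChars` to ExceptChars would do, provided ExceptChars only reads it (its body runs past the end of the hunk). Whether StripHtml tolerates a null input is not visible here; if it does not, a null guard at the top of CleanForXss is needed.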


@@ -14,7 +14,7 @@
result = result.substring(0, result.length - 2);
result = result + ")";
document.location = 'xsltInsertValueOf.aspx?objectId=<%=Request.GetCleanedItem("objectId")%>&value=' + result;
document.location = 'xsltInsertValueOf.aspx?objectId=<%=Request.CleanForXss("objectId")%>&value=' + result;
}
</script>
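Review bot: CleanForXss is the only protection for a value that is emitted inside a JavaScript string literal which is also a URL query parameter (`document.location = 'xsltInsertValueOf.aspx?objectId=<%=Request.CleanForXss("objectId")%>&value=' + result;`), and a character blocklist is not output encoding for either context. The filtered value should additionally be encoded for where it lands, e.g. `objectId=<%=HttpUtility.UrlEncode(Request.CleanForXss("objectId"))%>` inside the quoted URL, and `HttpUtility.JavaScriptStringEncode` where a value is written into a JavaScript string that is not a URL. The same pattern recurs in the other script hunks of this commit (the `UmbEditor.Insert`/`xsltChooseExtension` hunk, the `create.aspx` hunk, the `pageNameContent` hunk, the `sortDialog` hunk with `currentId`/`serviceUrl`, and the `umbracoField` hunk with `objectId`); for the values written into HTML attributes (the `nodeId`, `macroID`/`macroAlias` and `umb_macroID`/`umb_macroAlias` hidden inputs, the `App=` attribute of the tree control) the matching encoder is the HTML-encoding nugget, e.g. `value="<%: Request.CleanForXss("nodeId") %>"`, or `HttpUtility.HtmlAttributeEncode`.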


@@ -14,13 +14,13 @@
result = '<xsl:value-of select="' + document.getElementById('<%= valueOf.ClientID %>').value + '"' + checked + '/>';
UmbClientMgr.contentFrame().focus();
UmbClientMgr.contentFrame().UmbEditor.Insert(result, '', '<%=Request.GetCleanedItem("objectId")%>');
UmbClientMgr.contentFrame().UmbEditor.Insert(result, '', '<%=Request.CleanForXss("objectId")%>');
UmbClientMgr.closeModalWindow();
}
function getExtensionMethod() {
document.location = 'xsltChooseExtension.aspx?objectId=<%=Request.GetCleanedItem("objectId")%>';
document.location = 'xsltChooseExtension.aspx?objectId=<%=Request.CleanForXss("objectId")%>';
}
function recieveExtensionMethod(theValue) {


@@ -34,14 +34,14 @@
}
function onNodeSelectionConfirmed() {
document.location.href = 'create.aspx?nodeType=<%=Request.GetCleanedItem("nodeType")%>&app=<%=App%>&nodeId=' + document.getElementById('nodeId').value
document.location.href = 'create.aspx?nodeType=<%=Request.CleanForXss("nodeType")%>&app=<%=App%>&nodeId=' + document.getElementById('nodeId').value
}
</script>
</asp:Content>
<asp:Content ContentPlaceHolderID="body" runat="server">
<input type="hidden" id="nodeId" name="nodeId" value="<%=Request.GetCleanedItem("nodeId")%>" />
<input type="hidden" id="nodeId" name="nodeId" value="<%=Request.CleanForXss("nodeId")%>" />
<input type="hidden" id="path" name="path" value="" runat="server" />
<cc1:Pane ID="pane_chooseNode" runat="server" Style="overflow: auto; height: 250px;">
<umbraco:TreeControl runat="server" ID="JTree" App='<%#App %>'


@@ -73,8 +73,8 @@
<%if (Request["macroID"] != null || Request["macroAlias"] != null) {%>
<input type="hidden" name="macroID" value="<%=Request.GetCleanedItem("macroID")%>" />
<input type="hidden" name="macroAlias" value="<%=Request.GetCleanedItem("macroAlias")%>" />
<input type="hidden" name="macroID" value="<%=Request.CleanForXss("macroID")%>" />
<input type="hidden" name="macroAlias" value="<%=Request.CleanForXss("macroAlias")%>" />
<div class="macroProperties">
<cc1:Pane id="pane_edit" runat="server">


@@ -16,9 +16,9 @@
if (id > 0)
umbraco.presentation.webservices.CMSNode.GetNodeName('<%=umbracoUserContextID%>', id, updateName);
else{
//document.getElementById("pageNameContent").innerHTML = "'<strong><%=umbraco.ui.Text(Request.GetCleanedItem("app"))%></strong>' <%= umbraco.ui.Text("moveOrCopy","nodeSelected") %>";
//document.getElementById("pageNameContent").innerHTML = "'<strong><%=umbraco.ui.Text(Request.CleanForXss("app"))%></strong>' <%= umbraco.ui.Text("moveOrCopy","nodeSelected") %>";
jQuery("#pageNameContent").html("<strong><%=umbraco.ui.Text(Request.GetCleanedItem("app"))%></strong> <%= umbraco.ui.Text("moveOrCopy","nodeSelected") %>");
jQuery("#pageNameContent").html("<strong><%=umbraco.ui.Text(Request.CleanForXss("app"))%></strong> <%= umbraco.ui.Text("moveOrCopy","nodeSelected") %>");
jQuery("#pageNameHolder").attr("class","success");
}
}
@@ -59,7 +59,7 @@
<cc1:Feedback ID="feedback" runat="server" />
<cc1:Pane ID="pane_form" runat="server" Visible="false">
<cc1:PropertyPanel runat="server" Style="overflow: auto; height: 220px;position: relative;">
<umbraco:TreeControl runat="server" ID="JTree" App='<%#Request.GetCleanedItem("app") %>'
<umbraco:TreeControl runat="server" ID="JTree" App='<%#Request.CleanForXss("app") %>'
IsDialog="true" DialogMode="id" ShowContextMenu="false" FunctionToCall="dialogHandler"
Height="200"></umbraco:TreeControl>
</cc1:PropertyPanel>


@@ -72,8 +72,8 @@
submitButton: jQuery("#submitButton"),
closeWindowButton: jQuery("#closeWindowButton"),
dateTimeFormat: "<%=CultureInfo.CurrentCulture.DateTimeFormat.ShortDatePattern%> <%=CultureInfo.CurrentCulture.DateTimeFormat.ShortTimePattern%>",
currentId: "<%=Request.GetCleanedItem("ID")%>",
serviceUrl: "<%= IOHelper.ResolveUrl(SystemDirectories.Umbraco)%>/WebServices/NodeSorter.asmx/UpdateSortOrder?app=<%=Request.GetCleanedItem("app")%>"
currentId: "<%=Request.CleanForXss("ID")%>",
serviceUrl: "<%= IOHelper.ResolveUrl(SystemDirectories.Umbraco)%>/WebServices/NodeSorter.asmx/UpdateSortOrder?app=<%=Request.CleanForXss("app")%>"
});
sortDialog.init();


@@ -14,7 +14,7 @@
submitButton: $("#submitButton"),
form: document.forms[0],
tagName: document.forms[0].<%= tagName.ClientID %>.value,
objectId: '<%=Request.GetCleanedItem("objectId")%>'
objectId: '<%=Request.CleanForXss("objectId")%>'
});
umbracoField.init();
});


@@ -106,8 +106,8 @@
<input type="hidden" name="macroMode" value="<%=Request["mode"]%>" />
<%if (Request["umb_macroID"] != null || Request["umb_macroAlias"] != null)
{%>
<input type="hidden" name="umb_macroID" value="<%=Request.GetCleanedItem("umb_macroID")%>" />
<input type="hidden" name="umb_macroAlias" value="<%=Request.GetCleanedItem("umb_macroAlias")%>" />
<input type="hidden" name="umb_macroID" value="<%=Request.CleanForXss("umb_macroID")%>" />
<input type="hidden" name="umb_macroAlias" value="<%=Request.CleanForXss("umb_macroAlias")%>" />
<% }%>
<ui:Pane ID="pane_edit" runat="server" Visible="false">
<div class="macroPane">
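Review bot: The context line directly above the two inputs this commit changes still writes the raw request value into an attribute with neither filtering nor encoding: `<input type="hidden" name="macroMode" value="<%=Request["mode"]%>" />`. Since the hunk is already tightening the neighbouring `umb_macroID`/`umb_macroAlias` inputs, `mode` should get the same treatment, preferably with attribute encoding rather than the blocklist alone, e.g. `value="<%: Request.CleanForXss("mode") %>"`.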


@@ -17,13 +17,10 @@ namespace Umbraco.Web
/// <param name="request"></param>
/// <param name="key"></param>
/// <returns></returns>
public static string GetCleanedItem(this HttpRequest request, string key)
public static string CleanForXss(this HttpRequest request, string key)
{
var item = request.GetItemAsString(key);
//remove any html
item = item.StripHtml();
//strip out any potential chars involved with XSS
return item.ExceptChars(new HashSet<char>("(){}[];:%<>/\\|&'\"".ToCharArray()));
return item.CleanForXss();
}
/// <summary>
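Review bot: Delegating to the Umbraco.Core string extension silently widens what is stripped for every caller of the HttpRequest overload: the removed inline set was `(){}[];:%<>/\|&'"`, while the Core set shown earlier in this commit also contains `*` and `?`, so a query value such as a wildcard search term now changes meaning across the rename. That is worth stating in the XML doc, whose `<param name="request">`, `<param name="key">` and `<returns>` tags are still empty: `/// <remarks>Delegates to the Umbraco.Core string extension; its character set is broader than the previous inline list and also removes '*' and '?'.</remarks>` plus a `<returns>` line saying the filtered value. What `GetItemAsString` returns for an absent key is not visible here; if it can be null, that null flows into `StripHtml`/`ExceptChars`, so either the doc should say the result is never null or the wrapper should guard it.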


@@ -1,4 +1,5 @@
using Umbraco.Core.Logging;
using Umbraco.Web;
namespace dashboardUtilities
{
@@ -32,10 +33,10 @@ namespace dashboardUtilities
{
var response = client.DownloadString(requestUri);
if (!string.IsNullOrEmpty(response))
if (string.IsNullOrEmpty(response) == false)
{
Response.Clear();
Response.ContentType = Request.QueryString["type"] ?? MediaTypeNames.Text.Xml;
Response.ContentType = Request.CleanForXss("type") ?? MediaTypeNames.Text.Xml;
Response.Write(response);
}
}
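Review bot: `Response.ContentType = Request.CleanForXss("type") ?? MediaTypeNames.Text.Xml;` can no longer produce a valid media type, because CleanForXss removes `/` (it is in the excluded set introduced in this commit) and every MIME type contains one, so a request carrying `type=text/xml` now sets ContentType to `textxml`. A blocklist is the wrong tool for a response header; validate against an allowlist of the types the dashboard actually serves instead, e.g. `var type = Request.QueryString["type"];` followed by `Response.ContentType = type == MediaTypeNames.Text.Xml || type == MediaTypeNames.Text.Plain ? type : MediaTypeNames.Text.Xml;`. Note also that `??` only covers null: if GetItemAsString yields an empty string for an absent key (not visible here), the fallback never applies and ContentType is set to empty. The enclosing method starts and ends outside the hunk.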


@@ -14,6 +14,7 @@ using System.Collections.Specialized;
using Umbraco.Core;
using Umbraco.Core.IO;
using Umbraco.Core.Models;
using Umbraco.Web;
using Umbraco.Core.PropertyEditors;
using umbraco.BusinessLogic;
using System.Collections.Generic;
@@ -43,7 +44,7 @@ namespace umbraco.developer
if (Request.QueryString["type"] == null)
{
isUserControl = true;
var fileName = Request.QueryString["fileName"];
var fileName = Request.CleanForXss("fileName");
if (!fileName.StartsWith("~"))
{
if (fileName.StartsWith("/"))
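Review bot: `var fileName = Request.CleanForXss("fileName");` changes what reaches the path logic below it: CleanForXss strips `/` and `\` (both are in the excluded set in this commit), so the `fileName.StartsWith("/")` branch can never be taken and a value that legitimately carried a directory segment is now silently mangled rather than rejected. If fileName is meant to be a bare file name, a comment such as `// CleanForXss removes path separators, so only a bare file name survives here` would make that intentional and the dead branch can go; if it may contain a relative path, it needs a path-specific check (resolving with `Path.GetFullPath` and confirming the result stays under the expected directory) rather than the XSS filter. Null handling is also not visible: `Request.QueryString["fileName"]` returned null for a missing key and the old code threw on `StartsWith`, and what CleanForXss returns for an absent key cannot be seen here, so a `string.IsNullOrEmpty(fileName)` guard before the `StartsWith` calls is safer either way. The new `using Umbraco.Web;` is inserted between `Umbraco.Core.Models` and `Umbraco.Core.PropertyEditors`, breaking the sorted order of the using block. The enclosing method starts and ends outside the hunk.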


@@ -38,7 +38,7 @@ namespace umbraco.dialogs
{
if (_app == null)
{
_app = Request.GetCleanedItem("app");
_app = Request.CleanForXss("app");
//validate the app
if (BusinessLogic.Application.getAll().Any(x => x.alias.InvariantEquals(_app)) == false)
{