Ensures tag values are Html encoded both on the client side and on the server side to prevent any xss

2016-12-05 17:13:07 +11:00
parent 22397ded9b
commit 90f30c3f3c
3 changed files with 21 additions and 2 deletions
--- a/src/Umbraco.Web.UI.Client/lib/umbraco/Extensions.js
+++ b/src/Umbraco.Web.UI.Client/lib/umbraco/Extensions.js
@@ -69,6 +69,22 @@
        };
    }

+    if (!String.prototype.htmlEncode) {
+        /** htmlEncode extension method for string */
+        String.prototype.htmlEncode = function () {
+            //create a in-memory div, set it's inner text(which jQuery automatically encodes)
+            //then grab the encoded contents back out.  The div never exists on the page.
+            return $('<div/>').text(this).html();
+        };
+    }
+
+    if (!String.prototype.htmlDecode) {
+        /** htmlDecode extension method for string */
+        String.prototype.htmlDecode = function () {
+            return $('<div/>').html(this).text();
+        };
+    }
+
    if (!String.prototype.startsWith) {
        /** startsWith extension method for string */
        String.prototype.startsWith = function (str) {            
--- a/src/Umbraco.Web.UI.Client/src/views/propertyeditors/tags/tags.controller.js
+++ b/src/Umbraco.Web.UI.Client/src/views/propertyeditors/tags/tags.controller.js
@@ -41,7 +41,7 @@ angular.module("umbraco")

            //Helper method to add a tag on enter or on typeahead select
            function addTag(tagToAdd) {
-                tagToAdd = $sanitize(tagToAdd);
+                tagToAdd = String(tagToAdd).htmlEncode();
                if (tagToAdd != null && tagToAdd.length > 0) {
                    if ($scope.model.value.indexOf(tagToAdd) < 0) {
                        $scope.model.value.push(tagToAdd);
--- a/src/Umbraco.Web/PropertyEditors/TagsPropertyEditor.cs
+++ b/src/Umbraco.Web/PropertyEditors/TagsPropertyEditor.cs
@@ -1,6 +1,7 @@
 using System.Collections.Generic;
 using System.ComponentModel.DataAnnotations;
 using System.Linq;
+using System.Net;
 using System.Runtime.InteropServices;
 using Newtonsoft.Json.Linq;
 using Umbraco.Core;
@@ -60,7 +61,9 @@ namespace Umbraco.Web.PropertyEditors
            public override object ConvertEditorToDb(ContentPropertyData editorValue, object currentValue)
            {
                var json = editorValue.Value as JArray;
-                return json == null ? null : json.Select(x => x.Value<string>());
+                return json == null 
+                    ? null 
+                    : json.Select(x => x.Value<string>()).Where(x => x.IsNullOrWhiteSpace() == false).Select(WebUtility.HtmlEncode);
            }

            /// <summary>