From 90f30c3f3c1194a2efdd7f5e4e5ea688c67d5e81 Mon Sep 17 00:00:00 2001
From: Shannon <sdeminick@gmail.com>
Date: Mon, 5 Dec 2016 17:13:07 +1100
Subject: [PATCH] Ensures tag values are Html encoded both on the client side
 and on the server side to prevent any xss

---
 .../lib/umbraco/Extensions.js                    | 16 ++++++++++++++++
 .../propertyeditors/tags/tags.controller.js      |  2 +-
 .../PropertyEditors/TagsPropertyEditor.cs        |  5 ++++-
 3 files changed, 21 insertions(+), 2 deletions(-)

diff --git a/src/Umbraco.Web.UI.Client/lib/umbraco/Extensions.js b/src/Umbraco.Web.UI.Client/lib/umbraco/Extensions.js
index b70a6b12bc..3c148f0535 100644
--- a/src/Umbraco.Web.UI.Client/lib/umbraco/Extensions.js
+++ b/src/Umbraco.Web.UI.Client/lib/umbraco/Extensions.js
@@ -69,6 +69,22 @@
         };
     }
 
+    if (!String.prototype.htmlEncode) {
+        /** htmlEncode extension method for string */
+        String.prototype.htmlEncode = function () {
+            //create a in-memory div, set it's inner text(which jQuery automatically encodes)
+            //then grab the encoded contents back out.  The div never exists on the page.
+            return $('<div/>').text(this).html();
+        };
+    }
+
+    if (!String.prototype.htmlDecode) {
+        /** htmlDecode extension method for string */
+        String.prototype.htmlDecode = function () {
+            return $('<div/>').html(this).text();
+        };
+    }
+
     if (!String.prototype.startsWith) {
         /** startsWith extension method for string */
         String.prototype.startsWith = function (str) {            
diff --git a/src/Umbraco.Web.UI.Client/src/views/propertyeditors/tags/tags.controller.js b/src/Umbraco.Web.UI.Client/src/views/propertyeditors/tags/tags.controller.js
index d18ff73bd5..f965b812d8 100644
--- a/src/Umbraco.Web.UI.Client/src/views/propertyeditors/tags/tags.controller.js
+++ b/src/Umbraco.Web.UI.Client/src/views/propertyeditors/tags/tags.controller.js
@@ -41,7 +41,7 @@ angular.module("umbraco")
 
             //Helper method to add a tag on enter or on typeahead select
             function addTag(tagToAdd) {
-                tagToAdd = $sanitize(tagToAdd);
+                tagToAdd = String(tagToAdd).htmlEncode();
                 if (tagToAdd != null && tagToAdd.length > 0) {
                     if ($scope.model.value.indexOf(tagToAdd) < 0) {
                         $scope.model.value.push(tagToAdd);
diff --git a/src/Umbraco.Web/PropertyEditors/TagsPropertyEditor.cs b/src/Umbraco.Web/PropertyEditors/TagsPropertyEditor.cs
index b44c65b157..120b2d678d 100644
--- a/src/Umbraco.Web/PropertyEditors/TagsPropertyEditor.cs
+++ b/src/Umbraco.Web/PropertyEditors/TagsPropertyEditor.cs
@@ -1,6 +1,7 @@
 using System.Collections.Generic;
 using System.ComponentModel.DataAnnotations;
 using System.Linq;
+using System.Net;
 using System.Runtime.InteropServices;
 using Newtonsoft.Json.Linq;
 using Umbraco.Core;
@@ -60,7 +61,9 @@ namespace Umbraco.Web.PropertyEditors
             public override object ConvertEditorToDb(ContentPropertyData editorValue, object currentValue)
             {
                 var json = editorValue.Value as JArray;
-                return json == null ? null : json.Select(x => x.Value<string>());
+                return json == null 
+                    ? null 
+                    : json.Select(x => x.Value<string>()).Where(x => x.IsNullOrWhiteSpace() == false).Select(WebUtility.HtmlEncode);
             }
 
             /// <summary>