From 8b773c90c20045bc2a336f482c1c1a70e6030b0f Mon Sep 17 00:00:00 2001
From: Mole
Date: Wed, 19 Jan 2022 15:43:14 +0100
Subject: [PATCH 1/5] Add IHtmlSanitizer
---
 src/Umbraco.Core/Security/IHtmlSanitizer.cs | 7 +++++++
 src/Umbraco.Core/Security/NoOpHtmlSanitizer.cs | 10 ++++++++++
 2 files changed, 17 insertions(+)
 create mode 100644 src/Umbraco.Core/Security/IHtmlSanitizer.cs
 create mode 100644 src/Umbraco.Core/Security/NoOpHtmlSanitizer.cs
diff --git a/src/Umbraco.Core/Security/IHtmlSanitizer.cs b/src/Umbraco.Core/Security/IHtmlSanitizer.cs
new file mode 100644
index 0000000000..7f3f033ba7
--- /dev/null
+++ b/src/Umbraco.Core/Security/IHtmlSanitizer.cs
@@ -0,0 +1,7 @@
+namespace Umbraco.Core.Security
+{
+ public interface IHtmlSanitizer
+ {
+ string Sanitize(string html);
+ }
+}
diff --git a/src/Umbraco.Core/Security/NoOpHtmlSanitizer.cs b/src/Umbraco.Core/Security/NoOpHtmlSanitizer.cs
new file mode 100644
index 0000000000..f16ce81ce1
--- /dev/null
+++ b/src/Umbraco.Core/Security/NoOpHtmlSanitizer.cs
@@ -0,0 +1,10 @@
+namespace Umbraco.Core.Security
+{
+ public class NoOpHtmlSanitizer : IHtmlSanitizer
+ {
+ public string Sanitize(string html)
+ {
+ return html;
+ }
+ }
+}
From e2d0a0f699c755821df3a847aed5f0e1b170d64f Mon Sep 17 00:00:00 2001
From: Mole
Date: Mon, 24 Jan 2022 08:38:31 +0100
Subject: [PATCH 2/5] Add docstrings to IHtmlSanitizer
---
 src/Umbraco.Core/Security/IHtmlSanitizer.cs | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/src/Umbraco.Core/Security/IHtmlSanitizer.cs b/src/Umbraco.Core/Security/IHtmlSanitizer.cs
index 7f3f033ba7..fa1e0b3ee5 100644
--- a/src/Umbraco.Core/Security/IHtmlSanitizer.cs
+++ b/src/Umbraco.Core/Security/IHtmlSanitizer.cs
@@ -2,6 +2,11 @@ namespace Umbraco.Core.Security
 {
 public interface IHtmlSanitizer
 {
+ ///
+ /// Sanitizes HTML
+ ///
+ /// HTML to be sanitized
+ /// Sanitized HTML
 string Sanitize(string html);
 }
 }
From 01c1e68cf023887ef25af6bda2c7b11efb816ad3 Mon Sep 17 00:00:00 2001
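Review bot: `NoOpHtmlSanitizer` in the second hunk of patch 1 carries no XML doc, so nothing at the type tells a reader that `Sanitize` returns its input unchanged and that a site left on this default gets no HTML sanitization at all; the only hint is the "to be replaced" remark at the registration site in patch 4. Add a class summary along the lines of `Pass-through IHtmlSanitizer whose Sanitize returns the supplied HTML unchanged; this is the default registration and performs no sanitization, so a real implementation should replace it.` The class holds no state and is not designed for extension, so it could also be declared `sealed`, in keeping with the guideline of sealing by default.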
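Review bot: The summary added to `Sanitize` in patch 2 says only "Sanitizes HTML", which leaves the two things an implementer needs unstated: what callers may assume about the returned string, and whether `html` may be null. Since this interface is what replacement implementations code against, and the default `NoOpHtmlSanitizer` shows an implementation is permitted to return the input untouched, spell the contract out, for example `Returns the supplied HTML in a form the caller may persist; implementations decide which elements and attributes are allowed, and the default implementation performs no sanitization.` In the parameter doc state whether `html` may be null, because the caller introduced in patch 5 passes its value through without a check.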
From: Mole
Date: Mon, 24 Jan 2022 09:19:06 +0100
Subject: [PATCH 3/5] Fix up namespaces
---
 src/Umbraco.Core/Security/IHtmlSanitizer.cs | 2 +-
 src/Umbraco.Core/Security/NoOpHtmlSanitizer.cs | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/Umbraco.Core/Security/IHtmlSanitizer.cs b/src/Umbraco.Core/Security/IHtmlSanitizer.cs
index fa1e0b3ee5..9bcfe405dd 100644
--- a/src/Umbraco.Core/Security/IHtmlSanitizer.cs
+++ b/src/Umbraco.Core/Security/IHtmlSanitizer.cs
@@ -1,4 +1,4 @@
-namespace Umbraco.Core.Security
+namespace Umbraco.Cms.Core.Security
 {
 public interface IHtmlSanitizer
 {
diff --git a/src/Umbraco.Core/Security/NoOpHtmlSanitizer.cs b/src/Umbraco.Core/Security/NoOpHtmlSanitizer.cs
index f16ce81ce1..f2e8a48ad0 100644
--- a/src/Umbraco.Core/Security/NoOpHtmlSanitizer.cs
+++ b/src/Umbraco.Core/Security/NoOpHtmlSanitizer.cs
@@ -1,4 +1,4 @@
-namespace Umbraco.Core.Security
+namespace Umbraco.Cms.Core.Security
 {
 public class NoOpHtmlSanitizer : IHtmlSanitizer
 {
From 249774c815345293ea98c56addb1dd6604ee51f8 Mon Sep 17 00:00:00 2001
From: Mole
Date: Mon, 24 Jan 2022 09:23:07 +0100
Subject: [PATCH 4/5] Rename NoOp to Noop
To match the rest of the classes
---
 src/Umbraco.Core/DependencyInjection/UmbracoBuilder.cs | 3 +++
 .../Security/{NoOpHtmlSanitizer.cs => NoopHtmlSanitizer.cs} | 2 +-
 2 files changed, 4 insertions(+), 1 deletion(-)
 rename src/Umbraco.Core/Security/{NoOpHtmlSanitizer.cs => NoopHtmlSanitizer.cs} (73%)
diff --git a/src/Umbraco.Core/DependencyInjection/UmbracoBuilder.cs b/src/Umbraco.Core/DependencyInjection/UmbracoBuilder.cs
index eacd615830..c4a95d45e5 100644
--- a/src/Umbraco.Core/DependencyInjection/UmbracoBuilder.cs
+++ b/src/Umbraco.Core/DependencyInjection/UmbracoBuilder.cs
@@ -263,6 +263,9 @@ namespace Umbraco.Cms.Core.DependencyInjection
 // Register telemetry service used to gather data about installed packages
 Services.AddUnique();
+
+ // Register a noop IHtmlSanitizer to be replaced
+ Services.AddUnique();
 }
 }
 }
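Review bot: The comment on the new registration in the `UmbracoBuilder.cs` hunk, `// Register a noop IHtmlSanitizer to be replaced`, does not say what the default means for a site that never replaces it: this is the sanitizer every consumer resolves, so rich text saved through the editor wired up in patch 5 is stored without any sanitization until a real implementation is registered. State that at the registration point, e.g. `// Default IHtmlSanitizer is a no-op (Sanitize returns its input unchanged); rich text is not sanitized unless a real implementation replaces this registration.` The generic type arguments of the two `AddUnique` calls are not visible in this rendering, so this assumes the line registers the `NoopHtmlSanitizer` named by the comment and the patch subject.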
diff --git a/src/Umbraco.Core/Security/NoOpHtmlSanitizer.cs b/src/Umbraco.Core/Security/NoopHtmlSanitizer.cs
similarity index 73%
rename from src/Umbraco.Core/Security/NoOpHtmlSanitizer.cs
rename to src/Umbraco.Core/Security/NoopHtmlSanitizer.cs
index f2e8a48ad0..2ada23631a 100644
--- a/src/Umbraco.Core/Security/NoOpHtmlSanitizer.cs
+++ b/src/Umbraco.Core/Security/NoopHtmlSanitizer.cs
@@ -1,6 +1,6 @@
 namespace Umbraco.Cms.Core.Security
 {
- public class NoOpHtmlSanitizer : IHtmlSanitizer
+ public class NoopHtmlSanitizer : IHtmlSanitizer
 {
 public string Sanitize(string html)
 {
From 39f7102312f55d08a18c86132a65479250966653 Mon Sep 17 00:00:00 2001
From: Mole
Date: Mon, 24 Jan 2022 09:30:23 +0100
Subject: [PATCH 5/5] Use IHtmlSanitizer in RichTextValueEditor
---
 .../PropertyEditors/RichTextPropertyEditor.cs | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/src/Umbraco.Infrastructure/PropertyEditors/RichTextPropertyEditor.cs b/src/Umbraco.Infrastructure/PropertyEditors/RichTextPropertyEditor.cs
index 1f05da3bde..8eeb935c12 100644
--- a/src/Umbraco.Infrastructure/PropertyEditors/RichTextPropertyEditor.cs
+++ b/src/Umbraco.Infrastructure/PropertyEditors/RichTextPropertyEditor.cs
@@ -81,6 +81,7 @@ namespace Umbraco.Cms.Core.PropertyEditors
 private readonly HtmlLocalLinkParser _localLinkParser;
 private readonly RichTextEditorPastedImages _pastedImages;
 private readonly IImageUrlGenerator _imageUrlGenerator;
+ private readonly IHtmlSanitizer _htmlSanitizer;
 public RichTextPropertyValueEditor(
 DataEditorAttribute attribute,
@@ -92,7 +93,8 @@ namespace Umbraco.Cms.Core.PropertyEditors
 RichTextEditorPastedImages pastedImages,
 IImageUrlGenerator imageUrlGenerator,
 IJsonSerializer jsonSerializer,
- IIOHelper ioHelper)
+ IIOHelper ioHelper,
+ IHtmlSanitizer htmlSanitizer)
 : base(localizedTextService, shortStringHelper, jsonSerializer, ioHelper, attribute)
 {
 _backOfficeSecurityAccessor = backOfficeSecurityAccessor;
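Review bot: The public constructor of `RichTextPropertyValueEditor` in the `@@ -92,7 +93,8 @@` hunk gains a required trailing `IHtmlSanitizer htmlSanitizer` parameter and no overload keeps the previous signature, so any code outside the DI container that constructs this type directly (none is visible here) stops compiling. If source compatibility matters for this type, keep the old signature as an `[Obsolete]` overload that forwards to the new one; otherwise name the breaking change in the commit message. The constructor body continues past the end of this hunk; the new parameter is stored without a null check, which matches how the neighbouring dependencies are assigned.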
@@ -100,6 +102,7 @@ namespace Umbraco.Cms.Core.PropertyEditors
 _localLinkParser = localLinkParser;
 _pastedImages = pastedImages;
 _imageUrlGenerator = imageUrlGenerator;
+ _htmlSanitizer = htmlSanitizer;
 }
 ///
@@ -156,8 +159,9 @@ namespace Umbraco.Cms.Core.PropertyEditors
 var parseAndSavedTempImages = _pastedImages.FindAndPersistPastedTempImages(editorValue.Value.ToString(), mediaParentId, userId, _imageUrlGenerator);
 var editorValueWithMediaUrlsRemoved = _imageSourceParser.RemoveImageSources(parseAndSavedTempImages);
 var parsed = MacroTagParser.FormatRichTextContentForPersistence(editorValueWithMediaUrlsRemoved);
+ var sanitized = _htmlSanitizer.Sanitize(parsed);
- return parsed.NullOrWhiteSpaceAsNull();
+ return sanitized.NullOrWhiteSpaceAsNull();
 }
 ///
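Review bot: `parsed` is handed straight to `_htmlSanitizer.Sanitize(parsed)` in the `@@ -156,8 +159,9 @@` hunk, whereas the line it replaces only invoked the `NullOrWhiteSpaceAsNull()` extension on it, which tolerates a null receiver; if `MacroTagParser.FormatRichTextContentForPersistence` can return null (not visible here), sanitizer implementations now receive null and nothing in `IHtmlSanitizer` says they must accept it. Either guard the call, `var sanitized = parsed is null ? null : _htmlSanitizer.Sanitize(parsed);`, or document on the interface that `html` may be null and what implementations must return for it. The enclosing method starts before this hunk.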