From d7696e8d91761b586d915b440d0baf00bcbc2377 Mon Sep 17 00:00:00 2001
From: elitsa
Date: Tue, 18 Dec 2018 11:34:50 +0100
Subject: [PATCH 1/5] Making a variable const

---
 src/Umbraco.Core/StringExtensions.cs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/Umbraco.Core/StringExtensions.cs b/src/Umbraco.Core/StringExtensions.cs
index d4ad152feb..abe5ae7188 100644
--- a/src/Umbraco.Core/StringExtensions.cs
+++ b/src/Umbraco.Core/StringExtensions.cs
@@ -540,7 +540,7 @@ namespace Umbraco.Core
 /// Returns the string without any html tags.
 public static string StripHtml(this string text)
 {
- string pattern = "[*{}\\/:<>?|\"-+()\\n]";
+ const string pattern = "[*{}\\/:<>?|\"-+()\\n]";
 return Regex.Replace(text, pattern, String.Empty);
 }

From bb60d5e03508d2cd40491178bd5dc013a81a3173 Mon Sep 17 00:00:00 2001
From: elitsa
Date: Thu, 27 Dec 2018 09:57:31 +0100
Subject: [PATCH 2/5] Reverting changes made from merge.

---
 src/Umbraco.Web/UI/LegacyDialogHandler.cs | 2 +-
 src/Umbraco.Web/WebServices/SaveFileController.cs | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/Umbraco.Web/UI/LegacyDialogHandler.cs b/src/Umbraco.Web/UI/LegacyDialogHandler.cs
index efcea4bbd5..a3dc6750e9 100644
--- a/src/Umbraco.Web/UI/LegacyDialogHandler.cs
+++ b/src/Umbraco.Web/UI/LegacyDialogHandler.cs
@@ -207,7 +207,7 @@ namespace Umbraco.Web.UI
 typeInstance.TypeID = typeId;
 typeInstance.ParentID = nodeId;
- typeInstance.Alias = text;
+ typeInstance.Alias = text.CleanForXss();
 // check for returning url
 ITaskReturnUrl returnUrlTask = typeInstance as LegacyDialogTask;
diff --git a/src/Umbraco.Web/WebServices/SaveFileController.cs b/src/Umbraco.Web/WebServices/SaveFileController.cs
index 5f2fcaeb34..359ee6fc31 100644
--- a/src/Umbraco.Web/WebServices/SaveFileController.cs
+++ b/src/Umbraco.Web/WebServices/SaveFileController.cs
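Review bot: The pattern this hunk only makes `const` does not match the doc comment above it: `[*{}\\/:<>?|\"-+()\\n]` is a single character class that deletes individual punctuation characters, and the `\"-+` in the middle of it is parsed by the regex engine as the range `"`–`+`, so `#`, `$`, `%`, `&` and `'` are stripped as well even though none of them is listed. If this class is ever meant to be kept, the hyphen has to be escaped, `const string pattern = "[*{}\\/:<>?|\"\\-+()\\n]";`, and the summary should say that it removes characters rather than html tags. A later commit in this series replaces the pattern entirely, which makes the documentation mismatch moot for StripHtml but not for any other copy of this class.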
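Review bot: `typeInstance.Alias = text.CleanForXss();` alters the stored alias instead of encoding at the point of output, so a legitimate alias containing a quote or parenthesis is silently changed, and the tests added later in this series show the method leaves `+` and the surrounding text intact, i.e. it is a character filter rather than an encoder. The alias therefore still has to be HTML-encoded wherever it is rendered; a comment on this line would keep the next maintainer from reading the call as sufficient, e.g. `// CleanForXss only strips a fixed set of characters; Alias must still be HTML-encoded when rendered`. The commit title says it reverts changes from a merge while the hunk adds the call, so naming the merge being restored in the message would help. The enclosing method starts and ends outside the hunk.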
@@ -243,7 +243,7 @@ namespace Umbraco.Web.WebServices
 // sanitize input - stylesheet names have no extension
 var svce = (FileService)Services.FileService;
- filename = CleanFilename(filename);
+ filename = CleanFilename(filename.CleanForXss());
 oldName = CleanFilename(oldName);
 if (filename != oldName)

From 0aa1dc1dc710f06a0cccb7aa5a0724af8e0f563e Mon Sep 17 00:00:00 2001
From: elitsa
Date: Thu, 27 Dec 2018 10:02:49 +0100
Subject: [PATCH 3/5] Adding tests for verifying that malicious code input will be cleaned for XSS.

---
 src/Umbraco.Tests/Strings/StringExtensionsTests.cs | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/src/Umbraco.Tests/Strings/StringExtensionsTests.cs b/src/Umbraco.Tests/Strings/StringExtensionsTests.cs
index 836930c48a..bbf78f09fc 100644
--- a/src/Umbraco.Tests/Strings/StringExtensionsTests.cs
+++ b/src/Umbraco.Tests/Strings/StringExtensionsTests.cs
@@ -61,6 +61,17 @@ namespace Umbraco.Tests.Strings
 Assert.AreEqual(stripped, result);
 }
+ [TestCase("'+alert(1234)+'", "alert1234")]
+ [TestCase("'+alert(56+78)+'", "alert5678")]
+ [TestCase("{{file}}", "file")]
+ [TestCase("'+alert('hello')+'", "alerthello")]
+ [TestCase("Test", "Test")]
+ public void Clean_From_XSS(string input, string result)
+ {
+ var cleaned = input.CleanForXss();
+ Assert.AreEqual(cleaned, result);
+ }
+
 [TestCase("This is a string to encrypt")]
 [TestCase("This is a string to encrypt\nThis is a second line")]
 [TestCase(" White space is preserved ")]

From 7ead62730b9c254048af3e521c2d0908f0548fed Mon Sep 17 00:00:00 2001
From: Claus
Date: Fri, 4 Jan 2019 09:34:24 +0100
Subject: [PATCH 4/5] reverting changes to StripHtml method.

---
 src/Umbraco.Core/StringExtensions.cs | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/Umbraco.Core/StringExtensions.cs b/src/Umbraco.Core/StringExtensions.cs
index abe5ae7188..93ff2aac50 100644
--- a/src/Umbraco.Core/StringExtensions.cs
+++ b/src/Umbraco.Core/StringExtensions.cs
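Review bot: Only `filename` is passed through `CleanForXss()`; `oldName` on the next line still goes through `CleanFilename` alone, so the `if (filename != oldName)` comparison that follows compares a stripped name with an unstripped one, and an existing stylesheet whose name contains a character CleanForXss removes would always be treated as renamed. If both values come from the request, apply the same treatment to both: `oldName = CleanFilename(oldName.CleanForXss());`. Whether oldName is echoed back to the client is not visible here; if it is, the asymmetry is also an output-escaping gap. The enclosing action method starts and ends outside the hunk.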
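Review bot: `Assert.AreEqual(cleaned, result);` has the arguments in the wrong order for NUnit's `AreEqual(expected, actual)`, so a failure message reports the computed value as the expected one; write `Assert.AreEqual(result, cleaned);` and rename the parameter `result` to `expected` to make the intent obvious. The five cases exercise only quote, parenthesis and brace characters, and none contains an HTML tag, so the test named `Clean_From_XSS` never shows whether a tag survives the call; at least one case with a tag in the input would make the name honest. The expected values also depend on the StripHtml pattern in force at this commit, which the next commit in the series changes, so these cases will need updating together with it.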
@@ -540,8 +540,8 @@ namespace Umbraco.Core
 /// Returns the string without any html tags.
 public static string StripHtml(this string text)
 {
- const string pattern = "[*{}\\/:<>?|\"-+()\\n]";
- return Regex.Replace(text, pattern, String.Empty);
+ const string pattern = @"<(.|\n)*?>";
+ return Regex.Replace(text, pattern, string.Empty);
 }
 ///

From 71f2b7ee068f741a649da3d0445ba89eaf515ef0 Mon Sep 17 00:00:00 2001
From: Claus
Date: Fri, 4 Jan 2019 09:40:55 +0100
Subject: [PATCH 5/5] updating unit tests.

---
 src/Umbraco.Tests/Strings/StringExtensionsTests.cs | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/Umbraco.Tests/Strings/StringExtensionsTests.cs b/src/Umbraco.Tests/Strings/StringExtensionsTests.cs
index bbf78f09fc..53f21b320b 100644
--- a/src/Umbraco.Tests/Strings/StringExtensionsTests.cs
+++ b/src/Umbraco.Tests/Strings/StringExtensionsTests.cs
@@ -61,10 +61,10 @@ namespace Umbraco.Tests.Strings
 Assert.AreEqual(stripped, result);
 }
- [TestCase("'+alert(1234)+'", "alert1234")]
- [TestCase("'+alert(56+78)+'", "alert5678")]
+ [TestCase("'+alert(1234)+'", "+alert1234+")]
+ [TestCase("'+alert(56+78)+'", "+alert56+78+")]
 [TestCase("{{file}}", "file")]
- [TestCase("'+alert('hello')+'", "alerthello")]
+ [TestCase("'+alert('hello')+'", "+alerthello+")]
 [TestCase("Test", "Test")]
 public void Clean_From_XSS(string input, string result)
 {
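Review bot: The restored pattern `<(.|\n)*?>` is run through `Regex.Replace` with no match timeout on what is presumably untrusted text (the tests in this series reach it through CleanForXss), and an unterminated `<` makes the lazy scan run to the end of the input from every `<`, which is quadratic on a hostile string. The `(.|\n)` alternation is the old idiom for "any character including newline"; `RegexOptions.Singleline` expresses it directly and the overload with a timeout bounds the work, e.g. `return Regex.Replace(text, @"<.*?>", string.Empty, RegexOptions.Singleline, TimeSpan.FromSeconds(1));` (the one-second value is a constructed example, pick what fits the call sites). The summary comment should also say that this removes well-formed `<...>` sequences only and is not a substitute for HTML encoding at output.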
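Review bot: The updated expectations pin that `CleanForXss` keeps `+` and the word `alert` while dropping `'`, `(`, `)`, `{` and `}`, so the test now documents a fixed character filter rather than protection against script injection, and the name `Clean_From_XSS` overstates what it proves. A one-line comment above the attributes would stop a reader from citing these cases as evidence of XSS safety, e.g. `// CleanForXss strips a fixed set of characters; rendered output still needs HTML encoding`. The test method body continues past the end of the hunk.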