From 3de88de07332cb98ee83d9d320697e9d5f0bd72b Mon Sep 17 00:00:00 2001
From: sergeydryomin
Date: Tue, 7 Apr 2020 16:23:56 +0300
Subject: [PATCH 1/2] https://jira.devfactory.com/browse/DNN-33796 Invalid Username/Email Address When Containing "onfocus"
---
 DNN Platform/Library/Security/PortalSecurity.cs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/DNN Platform/Library/Security/PortalSecurity.cs b/DNN Platform/Library/Security/PortalSecurity.cs
index 458b7aea50d..a024a004fa9 100644
--- a/DNN Platform/Library/Security/PortalSecurity.cs
+++ b/DNN Platform/Library/Security/PortalSecurity.cs
@@ -64,7 +64,7 @@ public class PortalSecurity
 new Regex("<]*>", RxOptions),
 new Regex("onerror", RxOptions),
 new Regex("onload", RxOptions),
- new Regex("onfocus", RxOptions),
+ new Regex("\bonfocus\b", RxOptions),
 new Regex("onblur", RxOptions),
 new Regex("onclick", RxOptions),
 new Regex("ondblclick", RxOptions),
From 908368e015afcd5372f6e46e2ffc5cff74a4e51f Mon Sep 17 00:00:00 2001
From: sergeydryomin
Date: Mon, 13 Apr 2020 13:29:25 +0300
Subject: [PATCH 2/2] should be applied to all other similar "js event" words
---
 .../Library/Security/PortalSecurity.cs | 40 +++++++++----------
 1 file changed, 20 insertions(+), 20 deletions(-)
diff --git a/DNN Platform/Library/Security/PortalSecurity.cs b/DNN Platform/Library/Security/PortalSecurity.cs
index a024a004fa9..70275fcff62 100644
--- a/DNN Platform/Library/Security/PortalSecurity.cs
+++ b/DNN Platform/Library/Security/PortalSecurity.cs
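Review bot: As printed in this hunk, `new Regex("\bonfocus\b", RxOptions)` is a regular C# string literal, in which `\b` is the backspace escape (U+0008) rather than the regex word-boundary assertion, so the compiled pattern only matches "onfocus" when it is surrounded by backspace characters and the filter would silently stop stripping this handler name; if the committed source really reads this way, use a verbatim string, `new Regex(@"\bonfocus\b", RxOptions),` (or `"\\bonfocus\\b"`). The `@@ -62,26` hunk of the second patch applies the same escape to the other 19 event names and needs the same fix. The page text is visibly lossy (the tag patterns above appear as `"<]*>"`), so confirm the literal form against the actual file before acting. A data-driven test over this list asserting that a bare handler token such as `onclick=` is removed while a username that merely contains the substring (the reported case) is retained would have caught the difference. The array declaration that holds these patterns begins outside the hunk.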
@@ -62,26 +62,26 @@ public class PortalSecurity
 new Regex("]*>.*?<]*>", RxOptions),
 new Regex("]*>", RxOptions),
 new Regex("<]*>", RxOptions),
- new Regex("onerror", RxOptions),
- new Regex("onload", RxOptions),
+ new Regex("\bonerror\b", RxOptions),
+ new Regex("\bonload\b", RxOptions),
 new Regex("\bonfocus\b", RxOptions),
- new Regex("onblur", RxOptions),
- new Regex("onclick", RxOptions),
- new Regex("ondblclick", RxOptions),
- new Regex("onchange", RxOptions),
- new Regex("onselect", RxOptions),
- new Regex("onsubmit", RxOptions),
- new Regex("onreset", RxOptions),
- new Regex("onkeydown", RxOptions),
- new Regex("onkeyup", RxOptions),
- new Regex("onkeypress", RxOptions),
- new Regex("onmousedown", RxOptions),
- new Regex("onmousemove", RxOptions),
- new Regex("onmouseout", RxOptions),
- new Regex("onmouseover", RxOptions),
- new Regex("onmouseup", RxOptions),
- new Regex("onreadystatechange", RxOptions),
- new Regex("onfinish", RxOptions),
+ new Regex("\bonblur\b", RxOptions),
+ new Regex("\bonclick\b", RxOptions),
+ new Regex("\bondblclick\b", RxOptions),
+ new Regex("\bonchange\b", RxOptions),
+ new Regex("\bonselect\b", RxOptions),
+ new Regex("\bonsubmit\b", RxOptions),
+ new Regex("\bonreset\b", RxOptions),
+ new Regex("\bonkeydown\b", RxOptions),
+ new Regex("\bonkeyup\b", RxOptions),
+ new Regex("\bonkeypress\b", RxOptions),
+ new Regex("\bonmousedown\b", RxOptions),
+ new Regex("\bonmousemove\b", RxOptions),
+ new Regex("\bonmouseout\b", RxOptions),
+ new Regex("\bonmouseover\b", RxOptions),
+ new Regex("\bonmouseup\b", RxOptions),
+ new Regex("\bonreadystatechange\b", RxOptions),
+ new Regex("\bonfinish\b", RxOptions),
 new Regex("javascript:", RxOptions),
 new Regex("vbscript:", RxOptions),
 new Regex("unescape", RxOptions),
@@ -874,7 +874,7 @@ public static bool IsDenied(string roles)
 PortalSettings settings = PortalController.Instance.GetCurrentPortalSettings();
 return IsDenied(objUserInfo, settings, roles);
 }
-
+
 public static bool IsDenied(UserInfo objUserInfo, PortalSettings settings, string roles)
 {
 //super user always has full access