Merge pull request #149 from maakinoh/knowledgebase-xss-fix
Fixed an XSS vulnerability on the knowledgebase page:
Fenrikur authored Aug 13, 2024
2 parents ec85fd8 + d2dafc8 commit 22fa9f0
Showing 3 changed files with 10 additions and 3 deletions.
Expand Up @@ -2,6 +2,7 @@
@using Eurofurence.App.Backoffice.Services
@using Eurofurence.App.Domain.Model.Fragments
@using Eurofurence.App.Domain.Model.Images
@using Ganss.Xss
@inject ISnackbar Snackbar
@inject IKnowledgeService KnowledgeService
@inject IImageService ImageService
Expand Down Expand Up @@ -37,7 +38,7 @@
</CardHeaderContent>
</MudCardHeader>
<MudCardContent>
<MudText>@((MarkupString)_markdownHtml)</MudText>
<MudText>@((MarkupString) _htmlSanitizer.Sanitize(_markdownHtml)))</MudText>
</MudCardContent>
</MudCard>
</MudItem>
Expand Down Expand Up @@ -124,6 +125,8 @@

private bool _formIsValid;
private MudForm? _form;

private HtmlSanitizer _htmlSanitizer = new HtmlSanitizer();

string _markdownHtml = string.Empty;

Expand All @@ -144,7 +147,7 @@
SelectedGroupRecord = _knowledgeGroups.FirstOrDefault(knowledgeGroup => knowledgeGroup.Id == Record?.KnowledgeGroupId);
}
}

private async Task UploadImage(IBrowserFile? file)
{
if (file == null)
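Review bot: The new `<MudText>` line has one closing parenthesis too many: `@((MarkupString) _htmlSanitizer.Sanitize(_markdownHtml)))` opens two parentheses and closes three, so Razor ends the explicit expression at the matching `)` and emits the remaining `)` as literal text after the rendered content (the equivalent line in KnowledgeBase.razor is balanced). It should read `@((MarkupString)_htmlSanitizer.Sanitize(_markdownHtml))`. The `_htmlSanitizer` field is assigned once and never reassigned in the visible code, so `private readonly HtmlSanitizer _htmlSanitizer = new();` would prevent it being swapped for an unconfigured instance later. The component's markup and code block extend beyond the hunks shown, so I could not confirm whether `_markdownHtml` is rendered anywhere else without going through the sanitizer.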
Expand Up @@ -7,6 +7,7 @@
</PropertyGroup>

<ItemGroup>
<PackageReference Include="HtmlSanitizer" Version="8.1.870" />
<PackageReference Include="Markdig" Version="0.37.0" />
<PackageReference Include="Microsoft.AspNetCore.Components.WebAssembly" Version="8.0.7" />
<PackageReference Include="Microsoft.AspNetCore.Components.WebAssembly.Authentication" Version="8.0.7" />
5 changes: 4 additions & 1 deletion src/Eurofurence.App.Backoffice/Pages/KnowledgeBase.razor
Expand Up @@ -4,6 +4,7 @@
@using Microsoft.AspNetCore.Authorization
@using Eurofurence.App.Backoffice.Components
@using Eurofurence.App.Domain.Model.Images
@using Ganss.Xss
@using Markdig
@attribute [Authorize]
@inject ISnackbar Snackbar
Expand Down Expand Up @@ -99,7 +100,7 @@
</CardHeaderActions>
</MudCardHeader>
<MudCardContent>
<MudText Class="mb-4">@((MarkupString)Markdown.ToHtml(knowledgeEntry.Text))</MudText>
<MudText Class="mb-4">@((MarkupString)_htmlSanitizer.Sanitize(Markdown.ToHtml(knowledgeEntry.Text)))</MudText>

@foreach (var image in knowledgeEntry.Images)
{
Expand All @@ -125,6 +126,8 @@
private List<KnowledgeGroupRecord> _knowledgeGroups = new List<KnowledgeGroupRecord>();
private List<KnowledgeEntryRecord> _knowledgeEntries = new List<KnowledgeEntryRecord>();

private HtmlSanitizer _htmlSanitizer = new HtmlSanitizer();

protected override async Task OnInitializedAsync()
{
await LoadKnowledgeEntries();
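Review bot: The stored Markdown is still unsanitized after this change; only this view's `@((MarkupString)_htmlSanitizer.Sanitize(Markdown.ToHtml(knowledgeEntry.Text)))` is protected, so any other consumer that renders `knowledgeEntry.Text` as HTML (a public app or API, if one exists — not visible here) remains exposed, and the sanitizer now runs on every re-render of every entry inside the `@foreach`. Consider also sanitizing on the write path in the knowledge service, or at least documenting with a comment that this protection is view-side only. As defense in depth, the Markdig pipeline can refuse raw HTML before the sanitizer sees it: `private static readonly MarkdownPipeline _pipeline = new MarkdownPipelineBuilder().DisableHtml().Build();` and `Markdown.ToHtml(knowledgeEntry.Text, _pipeline)`. The `_htmlSanitizer` field is never reassigned in the visible code and should be `private readonly`. The `@foreach` markup and the component's code block continue outside the hunks shown.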
