Merge pull request #1639 from umbraco/temp-htmlencode-tags

Ensures tag values are Html encoded both on the client side and on th…
umbraco · Dec 5, 2016 · f48ba93 · f48ba93
2 parents 22397de + 4823235
commit f48ba93
Show file tree

Hide file tree

Showing 3 changed files with 26 additions and 2 deletions.
diff --git a/src/Umbraco.Web.UI.Client/lib/umbraco/Extensions.js b/src/Umbraco.Web.UI.Client/lib/umbraco/Extensions.js
@@ -69,6 +69,22 @@
  };
  }
 
+ if (!String.prototype.htmlEncode) {
+ /** htmlEncode extension method for string */
+ String.prototype.htmlEncode = function () {
+ //create a in-memory div, set it's inner text(which jQuery automatically encodes)
+ //then grab the encoded contents back out. The div never exists on the page.
+ return $('<div/>').text(this).html();
+ };
+ }
+
+ if (!String.prototype.htmlDecode) {
+ /** htmlDecode extension method for string */
+ String.prototype.htmlDecode = function () {
+ return $('<div/>').html(this).text();
+ };
+ }
+
  if (!String.prototype.startsWith) {
  /** startsWith extension method for string */
  String.prototype.startsWith = function (str) { 

diff --git a/src/Umbraco.Web.UI.Client/src/views/propertyeditors/tags/tags.controller.js b/src/Umbraco.Web.UI.Client/src/views/propertyeditors/tags/tags.controller.js
@@ -41,7 +41,7 @@ angular.module("umbraco")
 
  //Helper method to add a tag on enter or on typeahead select
  function addTag(tagToAdd) {
- tagToAdd = $sanitize(tagToAdd);
+ tagToAdd = String(tagToAdd).htmlEncode();
  if (tagToAdd != null && tagToAdd.length > 0) {
  if ($scope.model.value.indexOf(tagToAdd) < 0) {
  $scope.model.value.push(tagToAdd);

diff --git a/src/Umbraco.Web/PropertyEditors/TagsPropertyEditor.cs b/src/Umbraco.Web/PropertyEditors/TagsPropertyEditor.cs
@@ -1,6 +1,7 @@
 using System.Collections.Generic;
 using System.ComponentModel.DataAnnotations;
 using System.Linq;
+using System.Net;
 using System.Runtime.InteropServices;
 using Newtonsoft.Json.Linq;
 using Umbraco.Core;
@@ -60,7 +61,14 @@ public TagPropertyValueEditor(PropertyValueEditor wrapped)
  public override object ConvertEditorToDb(ContentPropertyData editorValue, object currentValue)
  {
  var json = editorValue.Value as JArray;
- return json == null ? null : json.Select(x => x.Value<string>());
+ return json == null 
+ ? null 
+ : json.Select(x => x.Value<string>()).Where(x => x.IsNullOrWhiteSpace() == false)
+ //First we will decode it as html because we know that if this is not a malicious post that the value is
+ // already Html encoded by the tags JavaScript controller. Then we'll re-Html Encode it to ensure that in case this
+ // is a malicious post (i.e. someone is submitting data manually by modifying the request).
+ .Select(WebUtility.HtmlDecode)
+ .Select(WebUtility.HtmlEncode);
  }
 
  /// <summary>