String comparation is moved to array

dnnsoftware · May 3, 2022 · 05f5e80 · 05f5e80
1 parent 34b425d
commit 05f5e80
Showing 1 changed file with 15 additions and 2 deletions.
diff --git a/DNN Platform/Library/Security/PortalSecurity.cs b/DNN Platform/Library/Security/PortalSecurity.cs
@@ -1,4 +1,4 @@
-// Licensed to the .NET Foundation under one or more agreements.
+// Licensed to the .NET Foundation under one or more agreements.
 // The .NET Foundation licenses this file to you under the MIT license.
 // See the LICENSE file in the project root for more information
 
@@ -35,6 +35,8 @@ public class PortalSecurity
 
         private static readonly DateTime OldExpiryTime = new DateTime(1999, 1, 1);
 
+        private static readonly string[] HtmlTagStrings = new[] { "&gt;", "&lt;", "&#60", "&#x3C;", "<", "&#62;", "&#x3E;", ">" };
+
         private static readonly Regex StripTagsRegex = new Regex("<[^<>]*>", RegexOptions.IgnoreCase | RegexOptions.Singleline | RegexOptions.Compiled);
         private static readonly Regex BadStatementRegex = new Regex(BadStatementExpression, RegexOptions.IgnoreCase | RegexOptions.Compiled);
 
@@ -893,7 +895,18 @@ private static string FilterStrings(string strInput)
             }
 
             // check if text contains encoded angle brackets, if it does it we decode it to check the plain text
-            if (tempInput.Contains("&gt;") || tempInput.Contains("&lt;") || tempInput.Contains("&#x"))
+            var isTagInput = false;
+
+            foreach (var tagItem in HtmlTagStrings)
+            {
+                if (tempInput.Contains(tagItem))
+                {
+                    isTagInput = true;
+                    break;
+                }
+            }
+
+            if (isTagInput)
             {
                 // text is encoded, so decode and try again
                 tempInput = HttpUtility.HtmlDecode(tempInput);