From 05f5e80c9e6f7291abe97d66f2c2f37e5a88ff58 Mon Sep 17 00:00:00 2001
From: Armagan Pekatik <42939859+armaganpekatik@users.noreply.github.com>
Date: Tue, 3 May 2022 15:46:38 +0300
Subject: [PATCH] String comparation is moved to array

---
 DNN Platform/Library/Security/PortalSecurity.cs | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)

diff --git a/DNN Platform/Library/Security/PortalSecurity.cs b/DNN Platform/Library/Security/PortalSecurity.cs
index e7c7cc2ad74..10d179fec10 100644
--- a/DNN Platform/Library/Security/PortalSecurity.cs
+++ b/DNN Platform/Library/Security/PortalSecurity.cs
@@ -1,4 +1,4 @@
-// Licensed to the .NET Foundation under one or more agreements.
+// Licensed to the .NET Foundation under one or more agreements.
 // The .NET Foundation licenses this file to you under the MIT license.
 // See the LICENSE file in the project root for more information
@@ -35,6 +35,8 @@ public class PortalSecurity
 private static readonly DateTime OldExpiryTime = new DateTime(1999, 1, 1);
+ private static readonly string[] HtmlTagStrings = new[] { ">", "<", "<", "<", "<", ">", ">", ">" };
+
 private static readonly Regex StripTagsRegex = new Regex("<[^<>]*>", RegexOptions.IgnoreCase | RegexOptions.Singleline | RegexOptions.Compiled);
 private static readonly Regex BadStatementRegex = new Regex(BadStatementExpression, RegexOptions.IgnoreCase | RegexOptions.Compiled);
@@ -893,7 +895,18 @@ private static string FilterStrings(string strInput)
 }
 // check if text contains encoded angle brackets, if it does it we decode it to check the plain text
- if (tempInput.Contains(">") || tempInput.Contains("<") || tempInput.Contains("&#x"))
+ var isTagInput = false;
+
+ foreach (var tagItem in HtmlTagStrings)
+ {
+ if (tempInput.Contains(tagItem))
+ {
+ isTagInput = true;
+ break;
+ }
+ }
+
+ if (isTagInput)
 {
 // text is encoded, so decode and try again
 tempInput = HttpUtility.HtmlDecode(tempInput);
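Review bot: The array-driven check in FilterStrings narrows what triggers the decode pass if `HtmlTagStrings` (declared in the `@@ -35,6 +35,8 @@` hunk) no longer carries the `&#x` prefix that the removed condition matched: a prefix match covers every hex numeric entity regardless of leading zeros or digit case, whereas a list of spelled-out entities matches only those exact spellings, and `string.Contains(string)` is an ordinal, case-sensitive comparison. In this rendering the array's entries appear decoded to bare `<` and `>` with several duplicates, which looks like an extraction artifact, so confirm against the real source that `"&#x"` is still one of the entries and drop any entries that are genuinely duplicated. If System.Linq is already imported in this file, the loop and flag could collapse to `var isTagInput = HtmlTagStrings.Any(tempInput.Contains);`, which also keeps the comment above it next to the decision it describes. FilterStrings starts and ends outside the hunk.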