Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Correctly Encode Text Fields #5106

Merged
merged 2 commits into from
May 9, 2022
Merged

Correctly Encode Text Fields #5106

merged 2 commits into from
May 9, 2022

Conversation

armaganpekatik
Copy link
Contributor

@armaganpekatik armaganpekatik commented Apr 29, 2022
edited by bdukes
Loading

Summary

Encoded content is not always correctly decoded, this addition resolves the issue.

@dnfadmin
Copy link

dnfadmin commented Apr 29, 2022
edited
Loading

CLA assistant check
All CLA requirements met.

@bdukes bdukes changed the title Security: Cross Site Scripting in Text Fields Correctly Encode Text Fields Apr 29, 2022
@bdukes bdukes added this to the 9.10.3 milestone Apr 29, 2022
valadas
valadas approved these changes Apr 29, 2022
View reviewed changes
Copy link
Contributor

@valadas valadas left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Great improvement, should we catch also decimals by using "&#" instead of "&#x" only (for hex) ?

@armaganpekatik
Copy link
Contributor Author

Great improvement, should we catch also decimals by using "&#" instead of "&#x" only (for hex) ?

Why do we need to catch decimals as per text may create an issue? Decimals without texts should be out of scope.

@valadas
Copy link
Contributor

valadas commented Apr 30, 2022

If I understand correctly this is to also encode entities such as <

An entity can be named or defined as an hexadecimal or a decimal as such:
image

So &# instead of &#x would cover both the hex or decimal entities right?

@armaganpekatik
Copy link
Contributor Author

If I understand correctly this is to also encode entities such as <

An entity can be named or defined as an hexadecimal or a decimal as such: image

So &# instead of &#x would cover both the hex or decimal entities right?

Do you think if this is better

if (tempInput.Contains("&gt;") || tempInput.Contains("&lt;") || tempInput.Contains("&#60") || tempInput.Contains("&#x3C;") || tempInput.Contains("<") || tempInput.Contains("&#62;") || tempInput.Contains("&#x3E;") || tempInput.Contains(">"))
And surely we may put them to a dictionary and compare. May be checking all is not necessary without these symbols?

@valadas
Copy link
Contributor

valadas commented May 2, 2022

Works for me, the only public code path to this is deprecated anyway so this will eventually be removed and consumers are advised to use HtmlEncode instead. So, for now, that works for me.

@valadas
Copy link
Contributor

valadas commented May 3, 2022

Love it, thanks!

@valadas
Copy link
Contributor

valadas commented May 3, 2022

There is a totally unrelated test failing though, I'll re-run the build to see if it's a fluke...

@valadas
Copy link
Contributor

valadas commented May 3, 2022

/azp run

@azure-pipelines
Copy link

Azure Pipelines successfully started running 1 pipeline(s).

@armaganpekatik
Copy link
Contributor Author

armaganpekatik commented May 4, 2022
edited
Loading

There is a totally unrelated test failing though, I'll re-run the build to see if it's a fluke...

I did a clean push
May be it is because of first line change was there starting with License text

EDIT: Failing test : https://github.com/armaganpekatik/Dnn.Platform/blob/bugfix/Issue-5105/DNN%20Platform/Tests/DotNetNuke.Tests.Core/Providers/Folder/FileManagerTests.cs#L257
It has PORTAL_ID : 20 but fileContent.Length returns 305

EDIT 2: The AddFile_No_Error_When_File_Content_Is_Valid test is failing when we replace the "<", ">" strings. I may break any functionality with doing this. So reverting

@armaganpekatik
Copy link
Contributor Author

I had to revert it to beginning and applying the advise that you gave @valadas

donker
donker approved these changes May 9, 2022
View reviewed changes
Copy link
Contributor

@donker donker left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@donker donker merged commit 14e39b9 into dnnsoftware:develop May 9, 2022
@valadas valadas modified the milestones: 9.10.3, 9.11.0 Sep 28, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@donker donker donker approved these changes

@valadas valadas valadas approved these changes

Assignees
No one assigned
Labels
Type: Bug
Projects
None yet
Milestone
9.11.0
Development

Successfully merging this pull request may close these issues.
5 participants
@armaganpekatik @dnfadmin @valadas @donker @bdukes