From 684011666d5b33f1bd4a89f28ec0a500255d9487 Mon Sep 17 00:00:00 2001
From: armaganpekatik
Date: Wed, 4 May 2022 05:59:02 +0000
Subject: [PATCH 1/2] HTML tags are added to array

---
 DNN Platform/Library/Security/PortalSecurity.cs | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/DNN Platform/Library/Security/PortalSecurity.cs b/DNN Platform/Library/Security/PortalSecurity.cs
index 355c1837e13..caa07b8d3aa 100644
--- a/DNN Platform/Library/Security/PortalSecurity.cs
+++ b/DNN Platform/Library/Security/PortalSecurity.cs
@@ -35,6 +35,8 @@ public class PortalSecurity
 private static readonly DateTime OldExpiryTime = new DateTime(1999, 1, 1);
+ private static readonly string[] HtmlTagStrings = new[] { ">", "<", "<", "<", "<", ">", ">", ">" };
+
 private static readonly Regex StripTagsRegex = new Regex("<[^<>]*>", RegexOptions.IgnoreCase | RegexOptions.Singleline | RegexOptions.Compiled);
 private static readonly Regex BadStatementRegex = new Regex(BadStatementExpression, RegexOptions.IgnoreCase | RegexOptions.Compiled);
@@ -893,7 +895,18 @@ private static string FilterStrings(string strInput)
 }
 // check if text contains encoded angle brackets, if it does it we decode it to check the plain text
- if (tempInput.Contains(">") || tempInput.Contains("<"))
+ var isTagInput = false;
+
+ foreach (var tagItem in HtmlTagStrings)
+ {
+ if (tempInput.Contains(tagItem))
+ {
+ isTagInput = true;
+ break;
+ }
+ }
+
+ if (isTagInput)
 {
 // text is encoded, so decode and try again
 tempInput = HttpUtility.HtmlDecode(tempInput);

From a826b1e174d314d663a7bb459d8832c924f5207b Mon Sep 17 00:00:00 2001
From: Armagan Pekatik <42939859+armaganpekatik@users.noreply.github.com>
Date: Wed, 4 May 2022 11:15:49 +0300
Subject: [PATCH 2/2] Reverting back <> replace breaks other features

---
 DNN Platform/Library/Security/PortalSecurity.cs | 15 +--------------
 1 file changed, 1 insertion(+), 14 deletions(-)
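Review bot: The flag-and-break loop over HtmlTagStrings in the second hunk is a hand-rolled `Any`; if `System.Linq` is in scope it collapses to `if (HtmlTagStrings.Any(tempInput.Contains))` and the `isTagInput` local goes away. As rendered here the array in the first hunk holds only plain `<` and `>` spellings, several of them repeated, so either the page decoded entity spellings on display or the list really does contain raw angle brackets — in the latter case the decode fires on any input that already contains literal markup, which the second patch's subject ("replace breaks other features") suggests is what happened. A fixed list of spellings also has to be kept in step with every entity form that `HttpUtility.HtmlDecode` understands, so the trigger and the decoder can silently drift apart. FilterStrings starts before and ends after the hunk.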
diff --git a/DNN Platform/Library/Security/PortalSecurity.cs b/DNN Platform/Library/Security/PortalSecurity.cs
index caa07b8d3aa..d695f39ca4d 100644
--- a/DNN Platform/Library/Security/PortalSecurity.cs
+++ b/DNN Platform/Library/Security/PortalSecurity.cs
@@ -35,8 +35,6 @@ public class PortalSecurity
 private static readonly DateTime OldExpiryTime = new DateTime(1999, 1, 1);
- private static readonly string[] HtmlTagStrings = new[] { ">", "<", "<", "<", "<", ">", ">", ">" };
-
 private static readonly Regex StripTagsRegex = new Regex("<[^<>]*>", RegexOptions.IgnoreCase | RegexOptions.Singleline | RegexOptions.Compiled);
 private static readonly Regex BadStatementRegex = new Regex(BadStatementExpression, RegexOptions.IgnoreCase | RegexOptions.Compiled);
@@ -895,18 +893,7 @@ private static string FilterStrings(string strInput)
 }
 // check if text contains encoded angle brackets, if it does it we decode it to check the plain text
- var isTagInput = false;
-
- foreach (var tagItem in HtmlTagStrings)
- {
- if (tempInput.Contains(tagItem))
- {
- isTagInput = true;
- break;
- }
- }
-
- if (isTagInput)
+ if (tempInput.Contains(">") || tempInput.Contains("<") || tempInput.Contains("&#"))
 {
 // text is encoded, so decode and try again
 tempInput = HttpUtility.HtmlDecode(tempInput);
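Review bot: The new gate `tempInput.Contains(">") || tempInput.Contains("<") || tempInput.Contains("&#")` is still a list of particular entity spellings, and since every HTML entity begins with an ampersand the single check `if (tempInput.Contains("&"))` covers named, decimal and hex references alike, is no longer than the list, and leaves inputs without an ampersand exactly as they are now; this is only safe if the decoded `tempInput` is used solely for the re-check, which the comment suggests but the rest of the branch, outside the hunk, would have to confirm. The decode runs once here, so an input whose angle brackets are encoded twice (the `&` itself written as `&amp;`) leaves `HtmlDecode` still encoded — worth confirming whether the code after the hunk repeats the check or whether that case is accepted. On this page the first two literals render as bare `>` and `<`, which contradicts the comment about encoded brackets; presumably the page decoded `&gt;`/`&lt;` on display, but the source spelling should be verified. FilterStrings starts before and ends after the hunk.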