From 833c5460dc5c6152092f6ad54b8b832870a59903 Mon Sep 17 00:00:00 2001
From: wayne
Date: Thu, 14 Apr 2022 22:55:34 +0800
Subject: [PATCH] Sanitize Html #457

---
 .../Common/Service/NavigationService.cs | 37 ++++++++++++++++++-
 1 file changed, 36 insertions(+), 1 deletion(-)

diff --git a/src/ZKEACMS/Common/Service/NavigationService.cs b/src/ZKEACMS/Common/Service/NavigationService.cs
index c6fafc72..66ed8921 100644
--- a/src/ZKEACMS/Common/Service/NavigationService.cs
+++ b/src/ZKEACMS/Common/Service/NavigationService.cs
@@ -11,13 +11,16 @@
 using ZKEACMS.Common.Models;
 using Easy;
 using Microsoft.EntityFrameworkCore;
+using ZKEACMS.Safety;
 
 namespace ZKEACMS.Common.Service
 {
 public class NavigationService : ServiceBase, INavigationService
 {
- public NavigationService(IApplicationContext applicationContext, CMSDbContext dbContext) : base(applicationContext, dbContext)
+ private readonly IHtmlSanitizer _htmlSanitizer;
+ public NavigationService(IApplicationContext applicationContext, CMSDbContext dbContext, IHtmlSanitizer htmlSanitizer) : base(applicationContext, dbContext)
 {
+ _htmlSanitizer = htmlSanitizer;
 }
 public override DbSet CurrentDbSet => DbContext.Navigation;
 public override ServiceResult Add(NavigationEntity item)
@@ -27,8 +30,34 @@ public override ServiceResult Add(NavigationEntity item)
 item.ParentId = "#";
 }
 item.ID = Guid.NewGuid().ToString("N");
+ Santize(item);
 return base.Add(item);
 }
+
+ public override ServiceResult AddRange(params NavigationEntity[] items)
+ {
+ foreach (var item in items)
+ {
+ Santize(item);
+ }
+ return base.AddRange(items);
+ }
+
+ public override ServiceResult Update(NavigationEntity item)
+ {
+ Santize(item);
+ return base.Update(item);
+ }
+
+ public override ServiceResult UpdateRange(params NavigationEntity[] items)
+ {
+ foreach (var item in items)
+ {
+ Santize(item);
+ }
+ return base.UpdateRange(items);
+ }
+
 public override void Remove(NavigationEntity item)
 {
 Remove(m => m.ParentId == item.ID);
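Review bot: The new constructor stores `htmlSanitizer` without a null check, so a container that fails to register `IHtmlSanitizer` surfaces later as a NullReferenceException inside the sanitize helper instead of at construction; `_htmlSanitizer = htmlSanitizer ?? throw new ArgumentNullException(nameof(htmlSanitizer));` fails fast and names the missing dependency. The new field would also benefit from a one-line comment stating its role, e.g. `// Applied to Title and Html in every Add/Update override so stored markup is sanitized.`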
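Review bot: The `Santize(item)` calls in `Add`, `AddRange`, `Update` and `UpdateRange` overwrite `item.Title` and `item.Html` on the caller's entity before the base call, so a caller that keeps a reference to the object sees the sanitized text rather than what it passed in; that side effect deserves a remark in the overrides, such as `// Sanitizes in place: the caller's item is modified before it is persisted.` Sanitization happens only on the write path, so navigation rows stored before this change keep whatever markup they already hold until they are next saved, and any view that renders Title or Html unencoded still depends on the content having passed through this service; a one-off re-save of existing rows would close that gap. `AddRange` and `UpdateRange` now dereference `items` in the `foreach` before calling the base method, so if the base implementation tolerated a null array, these overrides throw first.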
@@ -73,5 +102,11 @@ public void Move(string id, string parentId, int position, int oldPosition)
 }
 Update(nav);
 }
+
+ private void Santize(NavigationEntity item)
+ {
+ item.Title = _htmlSanitizer.Sanitize(item.Title);
+ item.Html = _htmlSanitizer.Sanitize(item.Html);
+ }
 }
 }
\ No newline at end of file
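Review bot: `Santize` is misspelled; renaming it to `Sanitize`, together with its five call sites in the Add/Update overrides, keeps it greppable against the `IHtmlSanitizer.Sanitize` it wraps. Whether `_htmlSanitizer.Sanitize` accepts a null `Title` or `Html` is not visible in this diff; if it does not, an item saved without Html throws at this line, and a guard of the form `item.Html = item.Html is null ? null : _htmlSanitizer.Sanitize(item.Html);` (likewise for Title) avoids that. A doc comment such as `/// Sanitizes the HTML-bearing fields of <paramref name="item"/> in place; called by every Add/Update override before the base method runs.` would make the contract explicit for the next maintainer.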