Merge pull request from GHSA-gvpc-3pj6-4m9w

* Bump version * Add new MarkDownPropertyValueEditor.cs * Pass attribute to property value editor * Only use ToString() once * Implement own markdown sanitizer instead of using IHtmlSanitizer * Fix comment * Dont use file scoped namespaces --------- Co-authored-by: Bjarke Berg <mail@bergmania.dk>
umbraco · Feb 6, 2024 · a268406 · a268406
1 parent 3ce0854
commit a268406
Show file tree

Hide file tree

Showing 7 changed files with 70 additions and 2 deletions.
diff --git a/src/Umbraco.Core/Composing/CompositionExtensions/Services.cs b/src/Umbraco.Core/Composing/CompositionExtensions/Services.cs
@@ -83,6 +83,7 @@ public static Composition ComposeServices(this Composition composition)
 
             composition.RegisterUnique<ITelemetryService, TelemetryService>();
             composition.RegisterUnique<IHtmlSanitizer, NoopHtmlSanitizer>();
+            composition.RegisterUnique<IMarkdownSanitizer, NoopMarkdownSanitizer>();
             composition.RegisterUnique<IFileStreamSecurityValidator, FileStreamSecurityValidator>();
 
             return composition;

diff --git a/src/Umbraco.Core/Security/IMarkdownSanitizer.cs b/src/Umbraco.Core/Security/IMarkdownSanitizer.cs
@@ -0,0 +1,14 @@
+namespace Umbraco.Core.Security
+{
+   public interface IMarkdownSanitizer
+   {
+       /// <summary>
+       /// Sanitizes Markdown
+       /// </summary>
+       /// <param name="markdown">Markdown to be sanitized</param>
+       /// <returns>Sanitized Markdown</returns>
+       string Sanitize(string markdown);
+   }
+}
+
+
diff --git a/src/Umbraco.Core/Security/NoopMarkdownSanitizer.cs b/src/Umbraco.Core/Security/NoopMarkdownSanitizer.cs
@@ -0,0 +1,10 @@
+namespace Umbraco.Core.Security
+{
+    public class NoopMarkdownSanitizer : IMarkdownSanitizer
+    {
+        public string Sanitize(string markdown)
+        {
+            return markdown;
+        }
+    }
+}
diff --git a/src/Umbraco.Core/Umbraco.Core.csproj b/src/Umbraco.Core/Umbraco.Core.csproj
@@ -201,7 +201,9 @@
     <Compile Include="Security\IFileStreamSecurityAnalyzer.cs" />
     <Compile Include="Security\IFileStreamSecurityValidator.cs" />
     <Compile Include="Security\IHtmlSanitizer.cs" />
+    <Compile Include="Security\IMarkdownSanitizer.cs" />
     <Compile Include="Security\NoopHtmlSanitizer.cs" />
+    <Compile Include="Security\NoopMarkdownSanitizer.cs" />
     <Compile Include="Serialization\AutoInterningStringConverter.cs" />
     <Compile Include="Serialization\AutoInterningStringKeyCaseInsensitiveDictionaryConverter.cs" />
     <Compile Include="PropertyEditors\EyeDropperColorPickerConfiguration.cs" />

diff --git a/src/Umbraco.Web/PropertyEditors/MarkDownPropertyValueEditor.cs b/src/Umbraco.Web/PropertyEditors/MarkDownPropertyValueEditor.cs
@@ -0,0 +1,29 @@
+using Umbraco.Core;
+using Umbraco.Core.Models.Editors;
+using Umbraco.Core.PropertyEditors;
+using Umbraco.Core.Security;
+
+namespace Umbraco.Web.PropertyEditors;
+
+internal class MarkDownPropertyValueEditor : DataValueEditor
+{
+    private readonly IMarkdownSanitizer _markdownSanitizer;
+
+    public MarkDownPropertyValueEditor(DataEditorAttribute attribute, IMarkdownSanitizer markdownSanitizer) : base(attribute)
+    {
+        _markdownSanitizer = markdownSanitizer;
+    }
+
+    public override object FromEditor(ContentPropertyData editorValue, object currentValue)
+    {
+        var editorValueString = editorValue.Value?.ToString();
+        if (string.IsNullOrWhiteSpace(editorValueString))
+        {
+            return null;
+        }
+
+        var sanitized = _markdownSanitizer.Sanitize(editorValueString);
+
+        return sanitized.NullOrWhiteSpaceAsNull();
+    }
+}
diff --git a/src/Umbraco.Web/PropertyEditors/MarkdownPropertyEditor.cs b/src/Umbraco.Web/PropertyEditors/MarkdownPropertyEditor.cs
@@ -1,6 +1,7 @@
 using Umbraco.Core;
 using Umbraco.Core.Logging;
 using Umbraco.Core.PropertyEditors;
+using Umbraco.Core.Security;
 
 namespace Umbraco.Web.PropertyEditors
 {
@@ -16,14 +17,24 @@ namespace Umbraco.Web.PropertyEditors
         Icon = "icon-code")]
     public class MarkdownPropertyEditor : DataEditor
     {
+        private readonly IMarkdownSanitizer _markdownSanitizer;
+
         /// <summary>
         /// Initializes a new instance of the <see cref="MarkdownPropertyEditor"/> class.
         /// </summary>
-        public MarkdownPropertyEditor(ILogger logger)
+        public MarkdownPropertyEditor(ILogger logger, IMarkdownSanitizer markdownSanitizer)
             : base(logger)
-        { }
+        {
+            _markdownSanitizer = markdownSanitizer;
+        }
 
         /// <inheritdoc />
         protected override IConfigurationEditor CreateConfigurationEditor() => new MarkdownConfigurationEditor();
+
+        /// <summary>
+        ///     Create a custom value editor
+        /// </summary>
+        /// <returns></returns>
+        protected override IDataValueEditor CreateValueEditor() => new MarkDownPropertyValueEditor(Attribute, _markdownSanitizer);
     }
 }
diff --git a/src/Umbraco.Web/Umbraco.Web.csproj b/src/Umbraco.Web/Umbraco.Web.csproj
@@ -288,6 +288,7 @@
     <Compile Include="PropertyEditors\ComplexEditorValidator.cs" />
     <Compile Include="PropertyEditors\FileUploadConfiguration.cs" />
     <Compile Include="PropertyEditors\FileUploadConfigurationEditor.cs" />
+    <Compile Include="PropertyEditors\MarkDownPropertyValueEditor.cs" />
     <Compile Include="PropertyEditors\MediaPicker3Configuration.cs" />
     <Compile Include="PropertyEditors\MediaPicker3ConfigurationEditor.cs" />
     <Compile Include="PropertyEditors\MediaPicker3PropertyEditor.cs" />