Merge pull request from GHSA-gvpc-3pj6-4m9w
* Add MarkDownPropertyValueEditor with html sanitizer

* Implement IMarkdownSanitizer.
Zeegaan authored Feb 6, 2024
1 parent 6b80678 commit d090176
Showing 5 changed files with 71 additions and 1 deletion.
3 changes: 2 additions & 1 deletion src/Umbraco.Core/DependencyInjection/UmbracoBuilder.cs
Original file line number Diff line number Diff line change
Expand Up @@ -317,8 +317,9 @@ private void AddCoreServices()
Services.AddSingleton<ConflictingPackageData>();
Services.AddSingleton<CompiledPackageXmlParser>();

// Register a noop IHtmlSanitizer to be replaced
// Register a noop IHtmlSanitizer & IMarkdownSanitizer to be replaced
Services.AddUnique<IHtmlSanitizer, NoopHtmlSanitizer>();
Services.AddUnique<IMarkdownSanitizer, NoopMarkdownSanitizer>();

Services.AddUnique<IPropertyTypeUsageService, PropertyTypeUsageService>();
Services.AddUnique<IDataTypeUsageService, DataTypeUsageService>();
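Review bot: Registering `NoopMarkdownSanitizer` as the default on the added `Services.AddUnique<IMarkdownSanitizer, NoopMarkdownSanitizer>();` line means the markdown property editor performs no sanitization at all unless another assembly replaces the registration, and that replacement is not part of this commit, so whether every host ends up with a real sanitizer cannot be confirmed from here. The comment above it only says "to be replaced" and does not tell a reader what is expected to replace it or what happens if nothing does. I would extend it to `// Register no-op IHtmlSanitizer & IMarkdownSanitizer defaults; a host is expected to replace both — one that does not persists editor input unsanitized.` so the security consequence of the default is visible at the registration site. `AddCoreServices()` begins before and continues after this hunk.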
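--- a/src/Umbraco.Core/PropertyEditors/MarkDownPropertyValueEditor.cs
+++ b/src/Umbraco.Core/PropertyEditors/MarkDownPropertyValueEditor.cs
@@ -0,0 +1,39 @@
+using Umbraco.Cms.Core.IO;
+using Umbraco.Cms.Core.Models.Editors;
+using Umbraco.Cms.Core.Security;
+using Umbraco.Cms.Core.Serialization;
+using Umbraco.Cms.Core.Services;
+using Umbraco.Cms.Core.Strings;
+using Umbraco.Extensions;
+
+namespace Umbraco.Cms.Core.PropertyEditors;
+
+/// <summary>
+/// A custom value editor to ensure that macro syntax is parsed when being persisted and formatted correctly for
+/// display in the editor
+/// </summary>
+internal class MarkDownPropertyValueEditor : DataValueEditor
+{
+private readonly IMarkdownSanitizer _markdownSanitizer;
+
+public MarkDownPropertyValueEditor(
+ILocalizedTextService localizedTextService,
+IShortStringHelper shortStringHelper,
+IJsonSerializer jsonSerializer,
+IIOHelper ioHelper,
+DataEditorAttribute attribute,
+IMarkdownSanitizer markdownSanitizer)
+: base(localizedTextService, shortStringHelper, jsonSerializer, ioHelper, attribute) => _markdownSanitizer = markdownSanitizer;
+
+public override object? FromEditor(ContentPropertyData editorValue, object? currentValue)
+{
+if (string.IsNullOrWhiteSpace(editorValue.Value?.ToString()))
+{
+return null;
+}
+
+var sanitized = _markdownSanitizer.Sanitize(editorValue.Value.ToString()!);
+
+return sanitized.NullOrWhiteSpaceAsNull();
+}
+}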
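Review bot: The `<summary>` on `MarkDownPropertyValueEditor` describes macro-syntax parsing and display formatting, which nothing in this class does; the only behaviour visible here is running the submitted value through `IMarkdownSanitizer` in `FromEditor`. Replace it with `/// A value editor for the markdown property editor that passes the submitted markdown through <see cref="IMarkdownSanitizer"/> before it is persisted.` In `FromEditor`, `editorValue.Value.ToString()!` calls `ToString()` a second time and leans on the null-forgiving operator; binding the string once removes both: `if (editorValue.Value?.ToString() is not { } markdown || string.IsNullOrWhiteSpace(markdown)) { return null; }` followed by `return _markdownSanitizer.Sanitize(markdown).NullOrWhiteSpaceAsNull();`. Sanitization runs only on the save path, so values persisted before this change are not cleaned when read back; that limitation belongs in the summary as well.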
8 changes: 8 additions & 0 deletions src/Umbraco.Core/PropertyEditors/MarkdownPropertyEditor.cs
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,7 @@
using Microsoft.Extensions.DependencyInjection;
using Umbraco.Cms.Core.DependencyInjection;
using Umbraco.Cms.Core.IO;
using Umbraco.Cms.Core.Models;
using Umbraco.Cms.Core.Services;

namespace Umbraco.Cms.Core.PropertyEditors;
Expand Down Expand Up @@ -50,4 +51,11 @@ public MarkdownPropertyEditor(
/// <inheritdoc />
protected override IConfigurationEditor CreateConfigurationEditor() =>
new MarkdownConfigurationEditor(_ioHelper, _editorConfigurationParser);

/// <summary>
/// Create a custom value editor
/// </summary>
/// <returns></returns>
protected override IDataValueEditor CreateValueEditor() =>
DataValueEditorFactory.Create<MarkDownPropertyValueEditor>(Attribute!);
}
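Review bot: The `<returns></returns>` tag on the new `CreateValueEditor` override is empty, so the generated documentation says nothing about what the returned editor does; fill it in, e.g. `/// <returns>A <see cref="MarkDownPropertyValueEditor"/> that sanitizes submitted markdown before it is persisted.</returns>`, and tighten the summary to `/// Creates the sanitizing value editor for this property editor.` `Attribute!` suppresses the nullable warning without a visible guarantee that `Attribute` is set; if the base type does not guarantee it, `Attribute ?? throw new InvalidOperationException(...)` would make the failure explicit instead of a later null dereference. The `using Umbraco.Cms.Core.Models;` added in the first hunk is not referenced by anything visible in the second, so it may be unnecessary. `MarkdownPropertyEditor` begins before the second hunk.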
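--- a/src/Umbraco.Core/Security/IMarkdownSanitizer.cs
+++ b/src/Umbraco.Core/Security/IMarkdownSanitizer.cs
@@ -0,0 +1,14 @@
+namespace Umbraco.Cms.Core.Security;
+
+/// <summary>
+/// Sanitizer service for the markdown editor.
+/// </summary>
+public interface IMarkdownSanitizer
+{
+/// <summary>
+/// Sanitizes Markdown
+/// </summary>
+/// <param name="markdown">Markdown to be sanitized</param>
+/// <returns>Sanitized Markdown</returns>
+string Sanitize(string markdown);
+}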
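Review bot: The documentation on `Sanitize` says only "Sanitizes Markdown" and does not state the contract an implementation must meet, which matters because the only implementation shipped in this commit is a no-op. I would add a `<remarks>` after the summary along the lines of `/// <remarks>The input is untrusted editor content. Implementations must return markdown that is safe to persist and render; the core package registers only <see cref="NoopMarkdownSanitizer"/>, which returns the input unchanged, so a real implementation has to be registered by the host.</remarks>` so a reader knows the default provides no protection.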
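--- a/src/Umbraco.Core/Security/NoopMarkdownSanitizer.cs
+++ b/src/Umbraco.Core/Security/NoopMarkdownSanitizer.cs
@@ -0,0 +1,8 @@
+namespace Umbraco.Cms.Core.Security;
+
+/// <inheritdoc />
+public class NoopMarkdownSanitizer : IMarkdownSanitizer
+{
+/// <inheritdoc />
+public string Sanitize(string markdown) => markdown;
+}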
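Review bot: The class-level `/// <inheritdoc />` on `NoopMarkdownSanitizer` inherits the interface summary "Sanitizer service for the markdown editor", which hides the fact that `Sanitize` returns its argument untouched. Give the class its own summary: `/// <summary>Placeholder <see cref="IMarkdownSanitizer"/> that returns the input unchanged; it performs no sanitization and exists only to be replaced by a real implementation.</summary>`.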
