From f3584cec48bfbebd136a06cd731d712c9a8d6d35 Mon Sep 17 00:00:00 2001
From: Enis Necipoglu
Date: Mon, 1 Aug 2022 13:54:29 +0300
Subject: [PATCH 1/2] Separate html encoding & sanitizing for CmsKit MarkdownRenderer
---
 .../Commenting/CommentingViewComponent.cs | 4 ++--
 .../Pages/Public/CmsKit/Blogs/BlogPost.cshtml | 14 +++++++-------
 .../Renderers/IMarkdownToHtmlRenderer.cs | 2 +-
 .../Renderers/MarkdownToHtmlRenderer.cs | 4 ++--
 4 files changed, 12 insertions(+), 12 deletions(-)
diff --git a/modules/cms-kit/src/Volo.CmsKit.Public.Web/Pages/CmsKit/Shared/Components/Commenting/CommentingViewComponent.cs b/modules/cms-kit/src/Volo.CmsKit.Public.Web/Pages/CmsKit/Shared/Components/Commenting/CommentingViewComponent.cs
index 0a608740e9..8c307e390e 100644
--- a/modules/cms-kit/src/Volo.CmsKit.Public.Web/Pages/CmsKit/Shared/Components/Commenting/CommentingViewComponent.cs
+++ b/modules/cms-kit/src/Volo.CmsKit.Public.Web/Pages/CmsKit/Shared/Components/Commenting/CommentingViewComponent.cs
@@ -65,12 +65,12 @@ public class CommentingViewComponent : AbpViewComponent
 foreach (var comment in viewModel.Comments)
 {
 viewModel.RawCommentTexts.Add(comment.Id, comment.Text);
- comment.Text = await MarkdownToHtmlRenderer.RenderAsync(comment.Text, true);
+ comment.Text = await MarkdownToHtmlRenderer.RenderAsync(comment.Text, allowHtmlTags: false, preventXSS: true);
 foreach (var reply in comment.Replies)
 {
 viewModel.RawCommentTexts.Add(reply.Id, reply.Text);
- reply.Text = await MarkdownToHtmlRenderer.RenderAsync(reply.Text, true);
+ reply.Text = await MarkdownToHtmlRenderer.RenderAsync(reply.Text, allowHtmlTags: false, preventXSS: true);
 }
 }
 }
diff --git a/modules/cms-kit/src/Volo.CmsKit.Public.Web/Pages/Public/CmsKit/Blogs/BlogPost.cshtml b/modules/cms-kit/src/Volo.CmsKit.Public.Web/Pages/Public/CmsKit/Blogs/BlogPost.cshtml
index 2cff5c9072..d9f7ce7953 100644
--- a/modules/cms-kit/src/Volo.CmsKit.Public.Web/Pages/Public/CmsKit/Blogs/BlogPost.cshtml
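Review bot: The two new calls encode the flag policy for end-user comments but say nothing about why it differs from the page views elsewhere in this patch, where `allowHtmlTags: true` is used; a one-line comment above the first `comment.Text = ...` assignment would keep the next maintainer from "aligning" the two. Suggested wording: `// Comments are untrusted end-user input: HTML tags are encoded rather than rendered, and the output is still sanitized.` The same policy is repeated verbatim for replies a few lines down, so a single local that names it (e.g. a small local function wrapping `RenderAsync(text, allowHtmlTags: false, preventXSS: true)`) would make the intent explicit once. The enclosing method starts before this hunk.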
+++ b/modules/cms-kit/src/Volo.CmsKit.Public.Web/Pages/Public/CmsKit/Blogs/BlogPost.cshtml
@@ -72,7 +72,7 @@
 {
 if (contentFragment.Type == ContentConsts.Markdown)
 {
- @Html.Raw(await MarkdownRenderer.RenderAsync(contentFragment.GetProperty("Content")))
+ @Html.Raw(await MarkdownRenderer.RenderAsync(contentFragment.GetProperty("Content"), allowHtmlTags: true, preventXSS: true))
 }
 else if (contentFragment.Type == ContentConsts.Widget)
 {
@@ -92,13 +92,13 @@
 if (Model.TagsFeature?.IsEnabled == true)
 {
 @await Component.InvokeAsync(typeof(TagViewComponent), new
- {
- entityType = Volo.CmsKit.Blogs.BlogPostConsts.EntityType,
- entityId = Model.BlogPost.Id.ToString(),
- urlFormat = $"/blogs/{Model.BlogSlug}?tagId={{TagId}}"
- })
+ {
+ entityType = Volo.CmsKit.Blogs.BlogPostConsts.EntityType,
+ entityId = Model.BlogPost.Id.ToString(),
+ urlFormat = $"/blogs/{Model.BlogSlug}?tagId={{TagId}}"
+ })
+ }
 }
- }
diff --git a/modules/cms-kit/src/Volo.CmsKit.Public.Web/Renderers/IMarkdownToHtmlRenderer.cs b/modules/cms-kit/src/Volo.CmsKit.Public.Web/Renderers/IMarkdownToHtmlRenderer.cs
index d11e76f6dd..0dd60f34c5 100644
--- a/modules/cms-kit/src/Volo.CmsKit.Public.Web/Renderers/IMarkdownToHtmlRenderer.cs
+++ b/modules/cms-kit/src/Volo.CmsKit.Public.Web/Renderers/IMarkdownToHtmlRenderer.cs
@@ -4,5 +4,5 @@ namespace Volo.CmsKit.Public.Web.Renderers;
 public interface IMarkdownToHtmlRenderer
 {
- Task RenderAsync(string rawMarkdown, bool preventXSS = true);
+ Task RenderAsync(string rawMarkdown, bool allowHtmlTags = true, bool preventXSS = true);
 }
diff --git a/modules/cms-kit/src/Volo.CmsKit.Public.Web/Renderers/MarkdownToHtmlRenderer.cs b/modules/cms-kit/src/Volo.CmsKit.Public.Web/Renderers/MarkdownToHtmlRenderer.cs
index b6fab3c008..a1e30a2679 100644
--- a/modules/cms-kit/src/Volo.CmsKit.Public.Web/Renderers/MarkdownToHtmlRenderer.cs
+++ b/modules/cms-kit/src/Volo.CmsKit.Public.Web/Renderers/MarkdownToHtmlRenderer.cs
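Review bot: The new `@Html.Raw(...)` call in the first hunk is a security-relevant relaxation, not just a signature update: a caller resolving the interface default `preventXSS = true` previously had HTML tags in the fragment encoded, whereas `allowHtmlTags: true` now lets raw HTML from the stored content reach the renderer and the page relies solely on the sanitizer path to neutralize it. That is defensible only if content authors are trusted (presumably admin/editor accounts, which this view cannot show), so the decision should be written down next to the call: `@* Content fragments come from CMS editors: raw HTML is allowed, but preventXSS keeps the sanitizer on. *@`. The `foreach` over `contentFragment` that encloses this line starts and ends outside the hunk.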
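Review bot: Inserting `allowHtmlTags` before the existing `preventXSS` parameter silently changes the meaning of any positional caller outside this patch: `RenderAsync(text, true)`, the form the comment component used until this commit, now binds `true` to `allowHtmlTags` and leaves `preventXSS` at its default, so a caller that asked for tag encoding gets raw HTML through instead. Appending the new parameter instead, `Task RenderAsync(string rawMarkdown, bool preventXSS = true, bool allowHtmlTags = true);`, keeps old call sites meaning what they meant, and the named-argument call sites in this patch work either way. Separately, since every consumer in this patch feeds the result to `@Html.Raw`, a fail-safe default of `allowHtmlTags = false` would make a forgetful new caller encode rather than render HTML; if the permissive default is intentional, an XML `<param>` comment on each flag stating what it turns off would let callers see the trade-off without reading the implementation.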
@@ -20,9 +20,9 @@ public class MarkdownToHtmlRenderer : IMarkdownToHtmlRenderer, ITransientDepende
 _htmlSanitizer = new HtmlSanitizer();
 }
- public async Task RenderAsync(string rawMarkdown, bool preventXSS = false)
+ public async Task RenderAsync(string rawMarkdown, bool allowHtmlTags = true, bool preventXSS = true)
 {
- if (preventXSS)
+ if (!allowHtmlTags)
 {
 rawMarkdown = EncodeHtmlTags(rawMarkdown, true);
 }
From d911b0a00c4f27f8065a739a8fe1a0b55b7136b5 Mon Sep 17 00:00:00 2001
From: Enis Necipoglu
Date: Mon, 1 Aug 2022 14:04:58 +0300
Subject: [PATCH 2/2] Update Index.cshtml
---
 .../Pages/Public/CmsKit/Pages/Index.cshtml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/cms-kit/src/Volo.CmsKit.Public.Web/Pages/Public/CmsKit/Pages/Index.cshtml b/modules/cms-kit/src/Volo.CmsKit.Public.Web/Pages/Public/CmsKit/Pages/Index.cshtml
index 2aa3c0ce8b..4ecfa480d0 100644
--- a/modules/cms-kit/src/Volo.CmsKit.Public.Web/Pages/Public/CmsKit/Pages/Index.cshtml
+++ b/modules/cms-kit/src/Volo.CmsKit.Public.Web/Pages/Public/CmsKit/Pages/Index.cshtml
@@ -34,7 +34,7 @@
 {
 if (contentFragment.Type == ContentConsts.Markdown)
 {
- @Html.Raw(await MarkdownRenderer.RenderAsync(contentFragment.GetProperty("Content")))
+ @Html.Raw(await MarkdownRenderer.RenderAsync(contentFragment.GetProperty("Content"), allowHtmlTags: true, preventXSS: true))
 }
 else if (contentFragment.Type == ContentConsts.Widget)
 {
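Review bot: After this hunk `preventXSS` no longer influences anything visible here, so the whole XSS defence for the `allowHtmlTags: true` callers in this patch rests on what the remainder of `RenderAsync` does with `_htmlSanitizer` (constructed with library defaults at the top of the hunk) when `preventXSS` is true; that remainder is outside the hunk and should be checked to confirm the sanitizer is actually applied on that path, and that it is applied after the markdown is rendered rather than before. The combination `allowHtmlTags: true, preventXSS: false` now yields HTML that is neither encoded nor, if my reading holds, sanitized, and every caller feeds the result to `@Html.Raw`, so the method deserves an XML doc comment making that explicit: `/// <param name="allowHtmlTags">When false, HTML tags in the input are encoded before rendering so they display as text.</param>` and `/// <param name="preventXSS">When true, the rendered HTML is passed through the sanitizer; false is only safe for fully trusted content.</param>`. Changing the implementation's default from `preventXSS = false` to `true` also fixes a pre-existing mismatch with the interface default, which is worth a line in the commit message since it alters behaviour for callers holding the concrete type.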
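Review bot: This hunk hard-codes the same `allowHtmlTags: true, preventXSS: true` policy for page content that BlogPost.cshtml hard-codes in the first patch, so the decision of what CMS editors may embed now lives in two views and will drift the first time one is changed (e.g. if non-admin editors are later allowed to author pages). A single named entry point on the renderer, such as `Task RenderTrustedContentAsync(string rawMarkdown)` that forwards to `RenderAsync(rawMarkdown, allowHtmlTags: true, preventXSS: true)`, would keep the policy in one place and make the trust assumption visible by name. Failing that, the view should at least carry the rationale: `@* Page content is editor-authored: raw HTML is allowed, sanitizer stays on. *@`. The `foreach` over `contentFragment` enclosing this line starts and ends outside the hunk.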