
Commit 41865c6

committed
Ensure text injected into JS strings is encoded
1 parent eef57f9 commit 41865c6

22 files changed

Lines changed: 282 additions & 271 deletions


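--- a/DNN Platform/Admin Modules/Dnn.Modules.Console/ViewConsole.ascx.cs
+++ b/DNN Platform/Admin Modules/Dnn.Modules.Console/ViewConsole.ascx.cs
@@ -9,6 +9,7 @@ namespace Dnn.Modules.Console
 using System.IO;
 using System.Linq;
 using System.Text;
+using System.Web;
 using System.Web.UI.WebControls;
 
 using Dnn.Modules.Console.Components;
@@ -389,11 +390,11 @@ protected string GetClientSideSettings()
 }
 
 return string.Format(
-"allowIconSizeChange: {0}, allowDetailChange: {1}, selectedSize: '{2}', showDetails: '{3}', tabModuleID: {4}, showTooltip: {5}",
+"allowIconSizeChange: {0}, allowDetailChange: {1}, selectedSize: {2}, showDetails: {3}, tabModuleID: {4}, showTooltip: {5}",
 this.AllowSizeChange.ToString(CultureInfo.InvariantCulture).ToLowerInvariant(),
 this.AllowViewChange.ToString(CultureInfo.InvariantCulture).ToLowerInvariant(),
-this.DefaultSize,
-this.DefaultView,
+HttpUtility.JavaScriptStringEncode(this.DefaultSize, addDoubleQuotes: true),
+HttpUtility.JavaScriptStringEncode(this.DefaultView, addDoubleQuotes: true),
 tabModuleId,
 this.ShowTooltip.ToString(CultureInfo.InvariantCulture).ToLowerInvariant());
 }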
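Review bot: The template `selectedSize: {2}, showDetails: {3}` now depends on `JavaScriptStringEncode(..., addDoubleQuotes: true)` supplying the quotes, which a reader who only looks at the format string cannot tell; a comment above `return string.Format(` such as `// string members are quoted and JS-encoded by JavaScriptStringEncode; bool/int members are emitted bare` would stop a later edit from re-adding `'{2}'` and producing `'"..."'`. `tabModuleId` is emitted unquoted, which is only safe if it is numeric; it is declared above the hunk, so I cannot confirm its type here. The body of GetClientSideSettings starts before the hunk.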

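--- a/DNN Platform/DotNetNuke.Web/Api/Auth/DigestAuthMessageHandler.cs
+++ b/DNN Platform/DotNetNuke.Web/Api/Auth/DigestAuthMessageHandler.cs
@@ -105,7 +105,7 @@ private void AddStaleWwwAuthenticateHeader(HttpResponseMessage response)
 
 private void AddWwwAuthenticateHeader(HttpResponseMessage response, bool isStale = false)
 {
-var value = string.Format("realm=\"DNNAPI\", nonce=\"{0}\", opaque=\"0000000000000000\", stale={1}, algorithm=MD5, qop=\"auth\"", CreateNewNonce(), isStale);
+var value = $"realm=\"DNNAPI\", nonce=\"{CreateNewNonce()}\", opaque=\"0000000000000000\", stale={isStale}, algorithm=MD5, qop=\"auth\"";
 response.Headers.WwwAuthenticate.Add(new AuthenticationHeaderValue(this.AuthScheme, value));
 }
 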
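Review bot: `stale={isStale}` renders as `stale=True`/`stale=False` because the interpolation uses the default `bool.ToString()`; RFC 7616 treats the directive value as case-insensitive, so this is unchanged behaviour rather than a regression, but `stale={(isStale ? "true" : "false")}` matches what reference implementations emit and does not rely on client leniency. The nonce from `CreateNewNonce()` is inserted into a quoted header value without escaping, which is fine only if that method never produces `"` or `\`; its definition is outside the hunk, so I cannot confirm that here.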
111111

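--- a/DNN Platform/DotNetNuke.Web/InternalServices/FileUploadController.cs
+++ b/DNN Platform/DotNetNuke.Web/InternalServices/FileUploadController.cs
@@ -545,9 +545,9 @@ private static FileUploadDto UploadFile(
 var filesCount = FileManager.Instance.UnzipFile(file, destinationFolder, invalidFiles);
 
 var invalidFilesJson = invalidFiles.Count > 0
-? string.Format("\"{0}\"", string.Join("\",\"", invalidFiles))
+? string.Join(",", invalidFiles.Select(invalidFile => HttpUtility.JavaScriptStringEncode(invalidFile, addDoubleQuotes: true)))
 : string.Empty;
-result.Prompt = string.Format("{{\"invalidFiles\":[{0}], \"totalCount\": {1}}}", invalidFilesJson, filesCount);
+result.Prompt = $"{{\"invalidFiles\":[{invalidFilesJson}], \"totalCount\": {filesCount}}}";
 }
 
 result.FileId = file.FileId;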
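Review bot: `result.Prompt` is hand-assembled JSON, while the element encoder chosen for `invalidFilesJson` is `JavaScriptStringEncode`; its output happens to be valid JSON string syntax (it only emits `\"`, `\\` and `\uXXXX` escapes), and that coincidence should be written down, e.g. `// JavaScriptStringEncode escapes are also valid JSON string escapes; Prompt is a JSON document` above `var invalidFilesJson`, so a later reader does not swap it for an HTML encoder. If a JSON serializer is already referenced in this file, serializing an anonymous object with `invalidFiles` and `totalCount` would remove the hand-built document entirely; the file's usings are not visible in this hunk. The enclosing UploadFile starts before the hunk.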

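--- a/DNN Platform/DotNetNuke.Web/InternalServices/ImageHeader.cs
+++ b/DNN Platform/DotNetNuke.Web/InternalServices/ImageHeader.cs
@@ -1,15 +1,15 @@
-// Licensed to the .NET Foundation under one or more agreements.
-// The .NET Foundation licenses this file to you under the MIT license.
-// See the LICENSE file in the project root for more information
-
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+// See the LICENSE file in the project root for more information
+
 namespace DotNetNuke.Web.InternalServices
 {
 using System;
 using System.Collections.Generic;
 using System.Drawing;
 using System.IO;
 using System.Linq;
-
+
 /// <summary>
 /// Taken from http://stackoverflow.com/questions/111345/getting-image-dimensions-without-reading-the-entire-file/111349
 /// Minor improvements including supporting unsigned 16-bit integers when decoding Jfif and added logic
@@ -46,8 +46,7 @@ public static Size GetDimensions(string path)
 }
 catch (ArgumentException e)
 {
-var newMessage = string.Format("{0} file: '{1}' ", ErrorMessage, path);
-throw new ArgumentException(newMessage, "path", e);
+throw new ArgumentException($"{ErrorMessage} file: '{path}' ", nameof(path), e);
 }
 }
 }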

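--- a/DNN Platform/DotNetNuke.Web/UI/Utilities.cs
+++ b/DNN Platform/DotNetNuke.Web/UI/Utilities.cs
@@ -267,7 +267,12 @@ public static string GetOnClientClickConfirm(Control ctrl, MessageWindowParamete
 AddMessageWindow(ctrl);
 
 // function(text, mozEvent, oWidth, oHeight, callerObj, oTitle)
-return string.Format("return postBackConfirm('{0}', event, '{1}', '{2}', '', '{3}');", message.Message, message.WindowWidth, message.WindowHeight, message.Title);
+return string.Format(
+"return postBackConfirm({0}, event, {1}, {2}, '', {3});",
+HttpUtility.JavaScriptStringEncode(message.Message, addDoubleQuotes: true),
+HttpUtility.JavaScriptStringEncode(message.WindowWidth.ToString(), addDoubleQuotes: true),
+HttpUtility.JavaScriptStringEncode(message.WindowHeight.ToString(), addDoubleQuotes: true),
+HttpUtility.JavaScriptStringEncode(message.Title, addDoubleQuotes: true));
 }
 
 public static string GetViewStateAsString(object value, string defaultValue)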
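Review bot: The returned `return postBackConfirm(...)` string now contains literal double quotes from the `addDoubleQuotes: true` calls, so it is only safe when the consumer attribute-encodes it before it lands in an `onclick="..."`; the method name suggests it feeds `OnClientClick`, which ASP.NET encodes at render time, but that consumer is not visible here, so a comment such as `// Result contains double-quoted JS literals; the caller must let the control attribute-encode it` above the `return` would make the contract explicit. `message.WindowWidth.ToString()` and `message.WindowHeight.ToString()` use the current culture; if those are numeric, `ToString(CultureInfo.InvariantCulture)` is the consistent choice (CA1305) and keeps the previous single-quoted behaviour of emitting the plain number. Their declared types are outside the hunk.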

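--- a/DNN Platform/DotNetNuke.Web/UI/WebControls/Internal/DnnDatePicker.cs
+++ b/DNN Platform/DotNetNuke.Web/UI/WebControls/Internal/DnnDatePicker.cs
@@ -1,18 +1,19 @@
-// Licensed to the .NET Foundation under one or more agreements.
-// The .NET Foundation licenses this file to you under the MIT license.
-// See the LICENSE file in the project root for more information
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+// See the LICENSE file in the project root for more information
 namespace DotNetNuke.Web.UI.WebControls.Internal
 {
 using System;
 using System.Collections.Generic;
 using System.Globalization;
+using System.Web;
 using System.Web.UI;
 using System.Web.UI.WebControls;
-
+
 using DotNetNuke.Common.Utilities;
 using DotNetNuke.Framework.JavaScriptLibraries;
-using DotNetNuke.Web.Client.ClientResourceManagement;
-
+using DotNetNuke.Web.Client.ClientResourceManagement;
+
 /// <remarks>
 /// This control is only for internal use, please don't reference it in any other place as it may be removed in future.
 /// </remarks>
@@ -43,9 +44,9 @@ public DateTime? SelectedDate
 
 protected virtual string Format => "yyyy-MM-dd";
 
-protected virtual string ClientFormat => "YYYY-MM-DD";
-
-/// <inheritdoc/>
+protected virtual string ClientFormat => "YYYY-MM-DD";
+
+/// <inheritdoc/>
 protected override void OnPreRender(EventArgs e)
 {
 base.OnPreRender(e);
@@ -65,8 +66,8 @@ protected virtual IDictionary<string, object> GetSettings()
 {
 return new Dictionary<string, object>
 {
-{ "minDate", this.MinDate > DateTime.MinValue ? $"$new Date('{this.MinDate.ToString(this.Format, CultureInfo.InvariantCulture)}')$" : string.Empty },
-{ "maxDate", this.MaxDate > DateTime.MinValue ? $"$new Date('{this.MaxDate.ToString(this.Format, CultureInfo.InvariantCulture)}')$" : string.Empty },
+{ "minDate", this.MinDate > DateTime.MinValue ? $"$new Date({HttpUtility.JavaScriptStringEncode(this.MinDate.ToString(this.Format, CultureInfo.InvariantCulture), addDoubleQuotes: true)})$" : string.Empty },
+{ "maxDate", this.MaxDate > DateTime.MinValue ? $"$new Date({HttpUtility.JavaScriptStringEncode(this.MaxDate.ToString(this.Format, CultureInfo.InvariantCulture), addDoubleQuotes: true)})$" : string.Empty },
 { "format", this.ClientFormat },
 };
 }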
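Review bot: The `$new Date(...)$` entries wrap raw JavaScript in a `$...$` sentinel that some downstream serializer apparently strips, and nothing in GetSettings says so; a comment above `return new Dictionary<string, object>` such as `// values wrapped in $...$ are emitted as raw JS by the settings serializer, so the date text inside must be JS-encoded` would tie the new encoding call to the reason it exists. Because `Format` is `protected virtual`, an override can make the formatted date contain quotes or backslashes, which is the case the encoding now covers even though the default `yyyy-MM-dd` cannot. The `format` entry with `this.ClientFormat` stays unencoded; presumably the serializer quotes plain string values, but that is not visible in the hunk.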

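--- a/DNN Platform/DotNetNuke.Web/UI/WebControls/Internal/TermsSelector.cs
+++ b/DNN Platform/DotNetNuke.Web/UI/WebControls/Internal/TermsSelector.cs
@@ -1,18 +1,19 @@
-// Licensed to the .NET Foundation under one or more agreements.
-// The .NET Foundation licenses this file to you under the MIT license.
-// See the LICENSE file in the project root for more information
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+// See the LICENSE file in the project root for more information
 namespace DotNetNuke.Web.UI.WebControls.Internal
 {
 using System;
 using System.Collections.Generic;
 using System.Linq;
+using System.Web;
 using System.Web.UI.WebControls;
-
+
 using DotNetNuke.Entities.Content.Common;
 using DotNetNuke.Entities.Content.Taxonomy;
-
-using Globals = DotNetNuke.Common.Globals;
-
+
+using Globals = DotNetNuke.Common.Globals;
+
 /// <remarks>
 /// This control is only for internal use, please don't reference it in any other place as it may be removed in future.
 /// </remarks>
@@ -58,12 +59,12 @@ public List<Term> Terms
 this.Items.Clear();
 value.Select(t => new ListItem(t.Name, t.TermId.ToString()) { Selected = true }).ToList().ForEach(this.Items.Add);
 }
-}
-
-/// <inheritdoc/>
-public override bool MultipleSelect { get; set; } = true;
-
-/// <inheritdoc/>
+}
+
+/// <inheritdoc/>
+public override bool MultipleSelect { get; set; } = true;
+
+/// <inheritdoc/>
 protected override void OnInit(EventArgs e)
 {
 base.OnInit(e);
@@ -90,7 +91,7 @@ protected override void OnInit(EventArgs e)
 
 this.Options.Load = $@"function(query, callback) {{
 $.ajax({{
-url: '{apiPath}' + encodeURIComponent(query),
+url: {HttpUtility.JavaScriptStringEncode(apiPath, addDoubleQuotes: true)} + encodeURIComponent(query),
 type: 'GET',
 error: function() {{
 callback();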

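--- a/DNN Platform/Library/Common/Utilities/Calendar.cs
+++ b/DNN Platform/Library/Common/Utilities/Calendar.cs
@@ -5,6 +5,7 @@ namespace DotNetNuke.Common.Utilities
 {
 using System.Globalization;
 using System.Text;
+using System.Web;
 using System.Web.UI;
 using System.Web.UI.WebControls;
 
@@ -52,7 +53,16 @@ public static string InvokePopupCal(TextBox field)
 string strClose = ClientAPI.GetSafeJSString(Localization.GetString("Close"));
 string strCalendar = ClientAPI.GetSafeJSString(Localization.GetString("Calendar"));
 return
-$"javascript:popupCal('Cal','{field.ClientID}','{formatString}','{monthNameString}','{dayNameString}','{strToday}','{strClose}','{strCalendar}',{(int)DateTimeFormatInfo.CurrentInfo.FirstDayOfWeek});";
+string.Format(
+"javascript:popupCal('Cal',{0},{1},{2},{3},{4},{5},{6},{7});",
+HttpUtility.JavaScriptStringEncode(field.ClientID, addDoubleQuotes: true),
+HttpUtility.JavaScriptStringEncode(formatString, addDoubleQuotes: true),
+HttpUtility.JavaScriptStringEncode(monthNameString, addDoubleQuotes: true),
+HttpUtility.JavaScriptStringEncode(dayNameString, addDoubleQuotes: true),
+HttpUtility.JavaScriptStringEncode(strToday, addDoubleQuotes: true),
+HttpUtility.JavaScriptStringEncode(strClose, addDoubleQuotes: true),
+HttpUtility.JavaScriptStringEncode(strCalendar, addDoubleQuotes: true),
+(int)DateTimeFormatInfo.CurrentInfo.FirstDayOfWeek);
 }
 }
 }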
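Review bot: `strClose` and `strCalendar` are already wrapped in `ClientAPI.GetSafeJSString(...)` in the context lines just above the change (and `strToday` presumably the same way, above the hunk), and are now encoded a second time with `JavaScriptStringEncode`; if GetSafeJSString escapes quotes or backslashes, the second pass escapes the escapes and the popup labels can end up showing stray backslashes. One layer is enough: either drop the `GetSafeJSString` wrapping for those three locals now that every format argument is JS-encoded, or keep it and pass them to `string.Format` bare. I cannot see GetSafeJSString's escape set from here, so confirm which characters it touches before choosing. InvokePopupCal's body starts before the hunk.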

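--- a/DNN Platform/Library/Common/Utilities/UrlUtils.cs
+++ b/DNN Platform/Library/Common/Utilities/UrlUtils.cs
@@ -232,7 +232,10 @@ public static bool IsSslOffloadEnabled(HttpRequest request)
 
 public static void OpenNewWindow(Page page, Type type, string url)
 {
-page.ClientScript.RegisterStartupScript(type, "DotNetNuke.NewWindow", string.Format("<script>window.open('{0}','new')</script>", url));
+page.ClientScript.RegisterStartupScript(
+type,
+"DotNetNuke.NewWindow",
+$"<script>window.open({HttpUtility.JavaScriptStringEncode(url, addDoubleQuotes: true)},'new')</script>");
 }
 
 public static string PopUpUrl(string url, Control control, PortalSettings portalSettings, bool onClickEvent, bool responseRedirect)
@@ -267,22 +270,20 @@ public static string PopUpUrl(string url, Control control, PortalSettings portal
 popUpUrl = popUpUrl.Replace("'", string.Empty);
 }
 
-var delimiter = popUpUrl.Contains("?") ? "&" : "?";
-var popUpScriptFormat = string.Empty;
+var delimiter = popUpUrl.Contains("?") ? '&' : '?';
 
-// create a the querystring for use on a Response.Redirect
+// create the querystring for use on a Response.Redirect
 if (responseRedirect)
 {
-popUpScriptFormat = "{0}{1}popUp=true";
-popUpUrl = string.Format(popUpScriptFormat, popUpUrl, delimiter);
+popUpUrl = $"{popUpUrl}{delimiter}popUp=true";
 }
 else
 {
 if (!popUpUrl.Contains("dnnModal.show"))
 {
-popUpScriptFormat = "dnnModal.show('{0}{1}popUp=true',/*showReturn*/{2},{3},{4},{5},'{6}')";
 closingUrl = (closingUrl != Null.NullString) ? closingUrl : string.Empty;
-popUpUrl = "javascript:" + string.Format(popUpScriptFormat, popUpUrl, delimiter, onClickEvent.ToString().ToLowerInvariant(), windowHeight, windowWidth, refresh.ToString().ToLower(), closingUrl);
+popUpUrl =
+$"javascript:dnnModal.show({HttpUtility.JavaScriptStringEncode(popUpUrl, addDoubleQuotes: true)} + '{delimiter}popUp=true',/*showReturn*/{onClickEvent.ToString().ToLowerInvariant()},{windowHeight},{windowWidth},{refresh.ToString().ToLower()},{HttpUtility.JavaScriptStringEncode(closingUrl, addDoubleQuotes: true)})";
 }
 else
 {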
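Review bot: In the new `$"javascript:dnnModal.show(...)"` line, `refresh.ToString().ToLower()` sits beside `onClickEvent.ToString().ToLowerInvariant()`; both should use `ToLowerInvariant()` (CA1304), or simpler, `{(refresh ? "true" : "false")}` and the same for `onClickEvent`, which avoids the culture question entirely. With `popUpUrl` now JS-encoded on that line, the `popUpUrl.Replace("'", string.Empty)` in the context at the top of the hunk reads as a leftover of the old single-quote scheme; it still changes the URL, so leave it until its callers are checked, but a comment noting that it predates the encoding would help the next reader. `windowHeight` and `windowWidth` are interpolated bare and declared above the hunk, so I am assuming they are numeric.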

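--- a/DNN Platform/Library/ExtensionPoints/ToolBarButtonRenderer.cs
+++ b/DNN Platform/Library/ExtensionPoints/ToolBarButtonRenderer.cs
@@ -5,7 +5,7 @@
 namespace DotNetNuke.ExtensionPoints
 {
 using System.Text;
-
+using System.Web;
 using DotNetNuke.Common;
 
 public class ToolBarButtonRenderer : IExtensionControlRenderer
@@ -29,15 +29,13 @@ public string GetOutput(IExtensionPoint extensionPoint)
 icon = Globals.ResolveUrl(icon);
 }
 
-var quote = action.Contains("'") ? "\"" : "'";
 var str = new StringBuilder();
 str.AppendFormat(
-"<button id=\"{0}\" class=\"{1}\" onclick={4}{2}; return false;{4} title=\"{3}\">",
+"<button id=\"{0}\" class=\"{1}\" onclick=\"{2}\" title=\"{3}\">",
 extension.ButtonId,
 cssClass,
-action,
-extension.Text,
-quote);
+HttpUtility.HtmlAttributeEncode($"{action}; return false;"),
+extension.Text);
 
 str.AppendFormat(
 "<span id='{0}_text' style='{1} background-image: url(\"{2}\");'>{3}</span>",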
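Review bot: `title=\"{3}\"` still receives `extension.Text` raw while the neighbouring `onclick` argument is attribute-encoded; a `"` in the text would close the attribute, so for consistency pass `HttpUtility.HtmlAttributeEncode(extension.Text),` as the last argument. `extension.ButtonId` and `cssClass` go into double-quoted attributes the same way; they are presumably developer-supplied identifiers rather than user input, but the same encoder costs nothing and removes the question. The second `AppendFormat` emits `{3}` as element content and `{2}` inside a CSS `url()`, and that statement runs past the hunk, so I cannot see whether those values are encoded.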
