Merge pull request #24488 from abpframework/HTML-encode-TagHelper
HTML-encode TagHelper titles and texts for security
Gizem Mutu Kurt
1 month ago
committed by
GitHub
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
18 changed files with
29 additions and
27 deletions
-
framework/src/Volo.Abp.AspNetCore.Mvc.UI.Bootstrap/TagHelpers/Breadcrumb/AbpBreadcrumbItemTagHelperService.cs
-
framework/src/Volo.Abp.AspNetCore.Mvc.UI.Bootstrap/TagHelpers/Button/AbpButtonTagHelperService.cs
-
framework/src/Volo.Abp.AspNetCore.Mvc.UI.Bootstrap/TagHelpers/Button/AbpButtonTagHelperServiceBase.cs
-
framework/src/Volo.Abp.AspNetCore.Mvc.UI.Bootstrap/TagHelpers/Card/AbpCardBodyTagHelperService.cs
-
framework/src/Volo.Abp.AspNetCore.Mvc.UI.Bootstrap/TagHelpers/Carousel/AbpCarouselItemTagHelperService.cs
-
framework/src/Volo.Abp.AspNetCore.Mvc.UI.Bootstrap/TagHelpers/Collapse/AbpAccordionItemTagHelperService.cs
-
framework/src/Volo.Abp.AspNetCore.Mvc.UI.Bootstrap/TagHelpers/Collapse/AbpAccordionTagHelperService.cs
-
framework/src/Volo.Abp.AspNetCore.Mvc.UI.Bootstrap/TagHelpers/Form/AbpInputTagHelperService.cs
-
framework/src/Volo.Abp.AspNetCore.Mvc.UI.Bootstrap/TagHelpers/Form/AbpRadioInputTagHelperService.cs
-
framework/src/Volo.Abp.AspNetCore.Mvc.UI.Bootstrap/TagHelpers/Form/AbpSelectTagHelperService.cs
-
framework/src/Volo.Abp.AspNetCore.Mvc.UI.Bootstrap/TagHelpers/Form/DatePicker/AbpDatePickerBaseTagHelperService.cs
-
framework/src/Volo.Abp.AspNetCore.Mvc.UI.Bootstrap/TagHelpers/Modal/AbpModalHeaderTagHelperService.cs
-
framework/src/Volo.Abp.AspNetCore.Mvc.UI.Bootstrap/TagHelpers/Tab/AbpTabDropdownTagHelperService.cs
-
framework/src/Volo.Abp.AspNetCore.Mvc.UI.Bootstrap/TagHelpers/Tab/AbpTabLinkTagHelperService.cs
-
framework/src/Volo.Abp.AspNetCore.Mvc.UI.Bootstrap/TagHelpers/Tab/AbpTabTagHelperService.cs
-
framework/src/Volo.Abp.AspNetCore.Mvc.UI.Bootstrap/TagHelpers/Tab/AbpTabsTagHelperService.cs
-
framework/src/Volo.Abp.AspNetCore.Mvc.UI.Bundling/Volo/Abp/AspNetCore/Mvc/UI/Bundling/TagHelpers/AbpTagHelperScriptService.cs
-
framework/src/Volo.Abp.AspNetCore.Mvc.UI.Bundling/Volo/Abp/AspNetCore/Mvc/UI/Bundling/TagHelpers/AbpTagHelperStyleService.cs
|
|
|
@ -1,4 +1,5 @@ |
|
|
|
using Microsoft.AspNetCore.Mvc.Rendering; |
|
|
|
using System; |
|
|
|
using Microsoft.AspNetCore.Mvc.Rendering; |
|
|
|
using Microsoft.AspNetCore.Razor.TagHelpers; |
|
|
|
using System.Collections.Generic; |
|
|
|
using System.Text.Encodings.Web; |
|
|
|
@ -41,12 +42,12 @@ public class AbpBreadcrumbItemTagHelperService : AbpTagHelperService<AbpBreadcru |
|
|
|
if (string.IsNullOrWhiteSpace(TagHelper.Href)) |
|
|
|
{ |
|
|
|
output.Attributes.Add("aria-current", "page"); |
|
|
|
return _encoder.Encode(TagHelper.Title); |
|
|
|
return _encoder.Encode(TagHelper.Title ?? string.Empty); |
|
|
|
} |
|
|
|
|
|
|
|
var link = new TagBuilder("a"); |
|
|
|
link.Attributes.Add("href", TagHelper.Href); |
|
|
|
link.InnerHtml.AppendHtml(TagHelper.Title); |
|
|
|
link.InnerHtml.Append(TagHelper.Title); |
|
|
|
return link.ToHtmlString(); |
|
|
|
} |
|
|
|
} |
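Review bot: The two return paths now encode through different mechanisms and nothing in the code says so: the `aria-current` branch encodes explicitly with `_encoder`, while the link branch relies on `InnerHtml.Append` encoding the title when the `TagBuilder` is written, so `_encoder` appears to be kept only for the first branch. A short comment above the first `return` would stop the next maintainer from "simplifying" one path back to `AppendHtml`, e.g. `// Plain-text branch encodes itself; the TagBuilder branch below encodes on write via Append()`. The `?? string.Empty` is needed because `HtmlEncoder.Encode(string)` rejects a null argument, whereas `Append` tolerates a null title, so the two branches also differ in null handling. `link.Attributes.Add("href", TagHelper.Href)` is attribute-encoded on write but not validated as a URL, which is acceptable while `Href` is authored in the view and worth a guard only if it can ever be bound to request data. The enclosing method begins before this hunk.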
|
|
|
|
|
|
|
@ -2,6 +2,7 @@ |
|
|
|
using Microsoft.AspNetCore.Razor.TagHelpers; |
|
|
|
using Microsoft.Extensions.Localization; |
|
|
|
using System; |
|
|
|
using System.Text.Encodings.Web; |
|
|
|
|
|
|
|
namespace Volo.Abp.AspNetCore.Mvc.UI.Bootstrap.TagHelpers.Button; |
|
|
|
|
|
|
|
|
|
|
|
@ -69,7 +69,7 @@ public abstract class AbpButtonTagHelperServiceBase<TTagHelper> : AbpTagHelperSe |
|
|
|
} |
|
|
|
|
|
|
|
var span = new TagBuilder("span"); |
|
|
|
span.InnerHtml.AppendHtml(TagHelper.Text!); |
|
|
|
span.InnerHtml.Append(TagHelper.Text!); |
|
|
|
output.Content.AppendHtml(span); |
|
|
|
} |
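Review bot: The null-forgiving `!` on `TagHelper.Text!` is carried over from the old `AppendHtml` call, but `HtmlContentBuilder.Append` is nullable-annotated in recent ASP.NET Core and treats a null or empty string as a no-op, so the suppression is most likely unnecessary now; `span.InnerHtml.Append(TagHelper.Text);` reads more honestly. The same leftover appears in `AbpCardBodyTagHelperService` (`Title!`, `Subtitle!`) and `AbpCarouselItemTagHelperService` (`CaptionTitle!`, `Caption!`). If the surrounding code already returns early on an empty `Text`, the `!` is harmless, but it hides exactly the kind of nullability information this commit is otherwise tightening. The enclosing method begins before this hunk.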
|
|
|
|
|
|
|
|
|
|
|
@ -22,7 +22,7 @@ public class AbpCardBodyTagHelperService : AbpTagHelperService<AbpCardBodyTagHel |
|
|
|
{ |
|
|
|
var cardTitle = new TagBuilder(AbpCardTitleTagHelper.DefaultHeading.ToHtmlTag()); |
|
|
|
cardTitle.AddCssClass("card-title"); |
|
|
|
cardTitle.InnerHtml.AppendHtml(TagHelper.Title!); |
|
|
|
cardTitle.InnerHtml.Append(TagHelper.Title!); |
|
|
|
output.PreContent.AppendHtml(cardTitle); |
|
|
|
} |
|
|
|
} |
|
|
|
@ -33,7 +33,7 @@ public class AbpCardBodyTagHelperService : AbpTagHelperService<AbpCardBodyTagHel |
|
|
|
{ |
|
|
|
var cardSubtitle = new TagBuilder(AbpCardSubtitleTagHelper.DefaultHeading.ToHtmlTag()); |
|
|
|
cardSubtitle.AddCssClass("card-subtitle mb-2"); |
|
|
|
cardSubtitle.InnerHtml.AppendHtml(TagHelper.Subtitle!); |
|
|
|
cardSubtitle.InnerHtml.Append(TagHelper.Subtitle!); |
|
|
|
output.PreContent.AppendHtml(cardSubtitle); |
|
|
|
} |
|
|
|
} |
|
|
|
|
|
|
|
@ -66,10 +66,10 @@ public class AbpCarouselItemTagHelperService : AbpTagHelperService<AbpCarouselIt |
|
|
|
} |
|
|
|
|
|
|
|
var title = new TagBuilder("h5"); |
|
|
|
title.InnerHtml.AppendHtml(TagHelper.CaptionTitle!); |
|
|
|
title.InnerHtml.Append(TagHelper.CaptionTitle!); |
|
|
|
|
|
|
|
var caption = new TagBuilder("p"); |
|
|
|
caption.InnerHtml.AppendHtml(TagHelper.Caption!); |
|
|
|
caption.InnerHtml.Append(TagHelper.Caption!); |
|
|
|
|
|
|
|
var wrapper = new TagBuilder("div"); |
|
|
|
wrapper.AddCssClass("carousel-caption d-none d-md-block"); |
|
|
|
|
|
|
|
@ -32,7 +32,7 @@ public class AbpAccordionItemTagHelperService : AbpTagHelperService<AbpAccordion |
|
|
|
button.Attributes.Add("data-bs-target", "#" + GetContentId()); |
|
|
|
button.Attributes.Add("aria-expanded", "true"); |
|
|
|
button.Attributes.Add("aria-controls", GetContentId()); |
|
|
|
button.InnerHtml.AppendHtml(TagHelper.Title); |
|
|
|
button.InnerHtml.Append(TagHelper.Title); |
|
|
|
|
|
|
|
var h5 = new TagBuilder("h5"); |
|
|
|
h5.AddCssClass("mb-0"); |
|
|
|
|
|
|
|
@ -37,7 +37,7 @@ public class AbpAccordionTagHelperService : AbpTagHelperService<AbpAccordionTagH |
|
|
|
{ |
|
|
|
foreach (var item in items) |
|
|
|
{ |
|
|
|
var content = item.Replace(AbpAccordionParentIdPlaceholder, HtmlGenerator.Encode(TagHelper.Id)); |
|
|
|
var content = item.Replace(AbpAccordionParentIdPlaceholder, HtmlGenerator.Encode(TagHelper.Id ?? string.Empty)); |
|
|
|
|
|
|
|
var wrapper = new TagBuilder("div"); |
|
|
|
wrapper.AddCssClass("card"); |
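Review bot: With the default `IHtmlGenerator` implementation, `HtmlGenerator.Encode` already returns `string.Empty` for a null or empty input, so the `?? string.Empty` here (and in `SetTabItemNameIfNotProvided` in `AbpTabsTagHelperService`) appears to silence the nullable warning rather than change behaviour; a comment saying so would stop readers from hunting for a former crash, e.g. `// Encode() maps null to empty; the coalesce only satisfies nullable analysis`. If `TagHelper.Id` can in fact still be null at this point, the placeholder collapses to an empty selector fragment and the accordion silently loses its parent link, which deserves an explicit check rather than a silent fallback. The enclosing method begins before this hunk.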
|
|
|
|
|
|
|
@ -287,7 +287,7 @@ public class AbpInputTagHelperService : AbpTagHelperService<AbpInputTagHelper> |
|
|
|
|
|
|
|
var label = new TagBuilder("label"); |
|
|
|
label.Attributes.Add("for", GetIdAttributeValue(inputTag)); |
|
|
|
label.InnerHtml.AppendHtml(_encoder.Encode(TagHelper.Label)); |
|
|
|
label.InnerHtml.Append(TagHelper.Label); |
|
|
|
|
|
|
|
label.AddCssClass(isCheckbox ? "form-check-label" : "form-label"); |
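Review bot: Replacing `AppendHtml(_encoder.Encode(TagHelper.Label))` with `Append(TagHelper.Label)` changes which encoder is used, not just the call shape: the label is now encoded by whatever `HtmlEncoder` the `TagBuilder` is written with (probably `HtmlEncoder.Default` via `ToHtmlString()`), rather than the injected `_encoder`, which may be configured through `WebEncoderOptions` with different allowed Unicode ranges. The result is still safe for HTML text content, but non-ASCII label characters may now render as numeric entities where they previously passed through, so confirm that is intended and note it in the commit. The same substitution is made in `AbpSelectTagHelperService` and `AbpDatePickerBaseTagHelperService` (`Encoder.Encode`). If `_encoder`/`Encoder` is no longer referenced anywhere in those classes after this change, the field and its constructor injection can be dropped. The enclosing methods begin before their hunks.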
|
|
|
|
|
|
|
|
|
|
|
@ -74,7 +74,7 @@ public class AbpRadioInputTagHelperService : AbpTagHelperService<AbpRadioInputTa |
|
|
|
var label = new TagBuilder("label"); |
|
|
|
label.AddCssClass("form-check-label"); |
|
|
|
label.Attributes.Add("for", id); |
|
|
|
label.InnerHtml.AppendHtml(selectItem.Text); |
|
|
|
label.InnerHtml.Append(selectItem.Text); |
|
|
|
|
|
|
|
var wrapper = new TagBuilder("div"); |
|
|
|
wrapper.AddCssClass("form-check" + inlineClass); |
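Review bot: This is the one hunk where the encoded value is data rather than view markup: `selectItem.Text` typically comes from a `SelectList` built from application data, so encoding it matters more than for the `Title`-style properties a view author sets, and a why-comment would keep that intent alive through future refactors, e.g. `// Append() HTML-encodes: option text is data, never trusted markup`. The `for` attribute on the preceding line is attribute-encoded by `TagBuilder` on write, so the label is covered on both sides. The radio input element itself is presumably built outside this hunk; its `value` attribute should follow the same encoded path rather than any raw string concatenation. The enclosing method begins before this hunk.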
|
|
|
|
|
|
|
@ -187,7 +187,7 @@ public class AbpSelectTagHelperService : AbpTagHelperService<AbpSelectTagHelper> |
|
|
|
var label = new TagBuilder("label"); |
|
|
|
label.AddCssClass("form-label"); |
|
|
|
label.Attributes.Add("for", GetIdAttributeValue(selectTag)); |
|
|
|
label.InnerHtml.AppendHtml(_encoder.Encode(TagHelper.Label)); |
|
|
|
label.InnerHtml.Append(TagHelper.Label); |
|
|
|
label.InnerHtml.AppendHtml(GetRequiredSymbol(context, output)); |
|
|
|
|
|
|
|
return label.ToHtmlString(); |
|
|
|
|
|
|
|
@ -556,7 +556,7 @@ public abstract class AbpDatePickerBaseTagHelperService<TTagHelper> : AbpTagHelp |
|
|
|
|
|
|
|
var label = new TagBuilder("label"); |
|
|
|
label.Attributes.Add("for", GetIdAttributeValue(inputTag)); |
|
|
|
label.InnerHtml.AppendHtml(Encoder.Encode(TagHelper.Label)); |
|
|
|
label.InnerHtml.Append(TagHelper.Label); |
|
|
|
|
|
|
|
label.AddCssClass("form-label"); |
|
|
|
|
|
|
|
|
|
|
|
@ -27,7 +27,7 @@ public class AbpModalHeaderTagHelperService : AbpTagHelperService<AbpModalHeader |
|
|
|
{ |
|
|
|
var title = new TagBuilder("h5"); |
|
|
|
title.AddCssClass("modal-title"); |
|
|
|
title.InnerHtml.AppendHtml(TagHelper.Title); |
|
|
|
title.InnerHtml.Append(TagHelper.Title); |
|
|
|
|
|
|
|
return title.ToHtmlString(); |
|
|
|
} |
|
|
|
|
|
|
|
@ -40,7 +40,7 @@ public class AbpTabDropdownTagHelperService : AbpTagHelperService<AbpTabDropdown |
|
|
|
anchor.Attributes.Add("role", "button"); |
|
|
|
anchor.Attributes.Add("aria-haspopup", "true"); |
|
|
|
anchor.Attributes.Add("aria-expanded", "false"); |
|
|
|
anchor.InnerHtml.AppendHtml(title); |
|
|
|
anchor.InnerHtml.Append(title); |
|
|
|
|
|
|
|
var menu = new TagBuilder("div"); |
|
|
|
menu.AddCssClass("dropdown-menu"); |
|
|
|
|
|
|
|
@ -35,7 +35,7 @@ public class AbpTabLinkTagHelperService : AbpTagHelperService<AbpTabLinkTagHelpe |
|
|
|
anchor.AddCssClass("dropdown-item"); |
|
|
|
anchor.Attributes.Add("id", id); |
|
|
|
anchor.Attributes.Add("href", href); |
|
|
|
anchor.InnerHtml.AppendHtml(title); |
|
|
|
anchor.InnerHtml.Append(title); |
|
|
|
|
|
|
|
return anchor.ToHtmlString(); |
|
|
|
} |
|
|
|
@ -45,7 +45,7 @@ public class AbpTabLinkTagHelperService : AbpTagHelperService<AbpTabLinkTagHelpe |
|
|
|
anchor.AddCssClass("nav-link " + AbpTabItemActivePlaceholder); |
|
|
|
anchor.Attributes.Add("id", id); |
|
|
|
anchor.Attributes.Add("href", href); |
|
|
|
anchor.InnerHtml.AppendHtml(title); |
|
|
|
anchor.InnerHtml.Append(title); |
|
|
|
|
|
|
|
var listItem = new TagBuilder("li"); |
|
|
|
listItem.AddCssClass("nav-item"); |
|
|
|
|
|
|
|
@ -53,7 +53,7 @@ public class AbpTabTagHelperService : AbpTagHelperService<AbpTabTagHelper> |
|
|
|
anchor.Attributes.Add(attr.Name, attr.Value.ToString()); |
|
|
|
} |
|
|
|
|
|
|
|
anchor.InnerHtml.AppendHtml(title); |
|
|
|
anchor.InnerHtml.Append(title); |
|
|
|
|
|
|
|
return anchor.ToHtmlString(); |
|
|
|
} |
|
|
|
@ -73,7 +73,7 @@ public class AbpTabTagHelperService : AbpTagHelperService<AbpTabTagHelper> |
|
|
|
anchor.Attributes.Add(attr.Name, attr.Value.ToString()); |
|
|
|
} |
|
|
|
|
|
|
|
anchor.InnerHtml.AppendHtml(title); |
|
|
|
anchor.InnerHtml.Append(title); |
|
|
|
|
|
|
|
var listItem = new TagBuilder("li"); |
|
|
|
listItem.AddCssClass("nav-item"); |
|
|
|
|
|
|
|
@ -225,6 +225,6 @@ public class AbpTabsTagHelperService : AbpTagHelperService<AbpTabsTagHelper> |
|
|
|
|
|
|
|
protected virtual string SetTabItemNameIfNotProvided(string content, int index) |
|
|
|
{ |
|
|
|
return content.Replace(TabItemNamePlaceHolder, HtmlGenerator.Encode(TagHelper.Name) + "_" + index); |
|
|
|
return content.Replace(TabItemNamePlaceHolder, HtmlGenerator.Encode(TagHelper.Name ?? string.Empty) + "_" + index); |
|
|
|
} |
|
|
|
} |
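Review bot: `SetTabItemNameIfNotProvided` is a `protected virtual` extension point with no XML doc, and it now carries non-obvious null handling; a `<summary>` stating that it replaces `TabItemNamePlaceHolder` in `content` with the HTML-encoded tab name followed by `_{index}`, and that a null `Name` yields just `_{index}`, would help overriders. If this placeholder feeds an `id` or `name` attribute, HTML encoding is the correct context but it does not make the result a valid identifier: a `Name` containing spaces still produces a malformed id, so any id-safe sanitising would have to happen before the `Encode` call. The method is entirely within the hunk.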
|
|
|
|
|
|
|
@ -19,9 +19,9 @@ public class AbpTagHelperScriptService : AbpTagHelperResourceService |
|
|
|
IBundleManager bundleManager, |
|
|
|
IOptions<AbpBundlingOptions> options, |
|
|
|
IWebHostEnvironment hostingEnvironment) : base( |
|
|
|
bundleManager, |
|
|
|
options, |
|
|
|
hostingEnvironment) |
|
|
|
bundleManager, |
|
|
|
options, |
|
|
|
hostingEnvironment) |
|
|
|
{ |
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
@ -22,9 +22,9 @@ public class AbpTagHelperStyleService : AbpTagHelperResourceService |
|
|
|
IOptions<AbpBundlingOptions> options, |
|
|
|
IWebHostEnvironment hostingEnvironment, |
|
|
|
IOptions<AbpSecurityHeadersOptions> securityHeadersOptions) : base( |
|
|
|
bundleManager, |
|
|
|
options, |
|
|
|
hostingEnvironment) |
|
|
|
bundleManager, |
|
|
|
options, |
|
|
|
hostingEnvironment) |
|
|
|
{ |
|
|
|
SecurityHeadersOptions = securityHeadersOptions.Value; |
|
|
|
} |
|
|
|
|