Created by Arnold Visser 08 Dec 2016, 12:57:18 Updated by Shannon Deminick 16 Oct 2017, 06:02:58
Is duplicated by: U4-9263
Relates to: U4-9263
Relates to: U4-10539
Subtask of: UAASSCRUM-721
The fix for issue http://issues.umbraco.org/issue/U4-9134 caused rgba() values set as background color on the grid to be stripped of the () and therefore no longer work, since that produces broken CSS output in the style.
This seems to be a breaking change in the 7.5.5/6 update.
PR is here: https://github.com/umbraco/Umbraco-CMS/pull/1653
Instead of stripping characters as was done in http://issues.umbraco.org/issue/U4-9134 we are encoding characters correctly.
For attribute encoding we use the built-in ASP.NET HttpUtility.HtmlAttributeEncode, which is made specifically for this with double quotes: https://msdn.microsoft.com/en-us/library/wdek0zbf(v=vs.110).aspx (it cannot be used for single-quoted attributes). The changes I've made are specifically for double-quoted HTML attributes.
I've also ensured that the URI submitted for embedding things in the grid is validated before trying to send a request, and I've changed the textstring XSS logic to HTML-encode the string instead of stripping strings out of it.
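As an added illustration (not the PR's or Umbraco's code) of the encode-rather-than-strip approach described above: a simplified stand-in for a character-stripping sanitizer (not the actual U4-9134 code) beside the HttpUtility encoders and an embed-URI check. It assumes a .NET Framework console project that references System.Web.

```csharp
// Added example, not Umbraco's code. Assumes a .NET Framework console
// project referencing System.Web.
using System;
using System.Text.RegularExpressions;
using System.Web;

static class GridValueEncoding
{
    // Simplified stand-in for a character-stripping sanitizer (hypothetical,
    // not the real U4-9134 code): everything outside a small whitelist is
    // deleted, which is what turns rgba(0, 0, 0, 0.5) into broken CSS
    // and removes the '&' from "help you & support you".
    public static string StripStandIn(string value)
    {
        return Regex.Replace(value, @"[^\w\s.,#%-]", "");
    }

    // Double-quoted attribute: encode instead. Parentheses survive, while a
    // stray double quote becomes &quot; and can no longer close the attribute.
    public static string BackgroundStyleAttribute(string cssColor)
    {
        return "style=\"background-color: " + HttpUtility.HtmlAttributeEncode(cssColor) + "\"";
    }

    // Element text (the grid headline/textstring): HTML-encode so '&' is kept
    // as &amp; rather than removed, and '<' cannot start a tag.
    public static string HeadlineMarkup(string text)
    {
        return "<h1>" + HttpUtility.HtmlEncode(text) + "</h1>";
    }

    // Embed URI check performed before any request is sent: the value must
    // parse as an absolute URI with an http or https scheme.
    public static bool IsAcceptableEmbedUri(string candidate)
    {
        Uri uri;
        return Uri.TryCreate(candidate, UriKind.Absolute, out uri)
            && (uri.Scheme == Uri.UriSchemeHttp || uri.Scheme == Uri.UriSchemeHttps);
    }

    static void Main()
    {
        // Constructed sample values.
        string color = "rgba(0, 0, 0, 0.5)";
        Console.WriteLine(StripStandIn(color));              // parentheses lost
        Console.WriteLine(BackgroundStyleAttribute(color));  // parentheses kept
        Console.WriteLine(BackgroundStyleAttribute("red\" data-x=\""));
        Console.WriteLine(HeadlineMarkup("We'll help you & support you"));
        Console.WriteLine(IsAcceptableEmbedUri("https://example.org/embed/clip"));
        Console.WriteLine(IsAcceptableEmbedUri("ftp://example.org/clip"));
    }
}
```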
Hi @Shandem and @claus
Today I ran into a problem with the "CleanForXss", so I hope it's okay I comment on here .. :) In the grid, there is the "Headline" that makes an H1, and when the text, for example, is
"We'll help you & support you"
It will remove the "&" in the text.
So I went into the Textstring.cshtml file (Views\Partials\Grid\Editors) and saw there was the CleanForXss, so after some debugging I tried to remove the function and then it didn't remove the "&" :)
So I changed this
markup = markup.Replace("#value#", UmbracoHelper.ReplaceLineBreaksForHtml(TemplateUtilities.CleanForXss(Model.value.ToString())));
markup = markup.Replace("#value#", UmbracoHelper.ReplaceLineBreaksForHtml(Model.value.ToString()));
@andersbrohus please always say what version you are using. Have you tested this in 7.5.7? We don't use CleanForXss for this anymore.
Oh sorry @Shandem :) It was on 7.5.6 :)
I haven't upgraded to 7.5.7 :)
Backwards Compatible: True
Affected versions: 7.5.5, 7.5.6
Due in version: 7.5.7
Sprint: Sprint 49
Story Points: 1.5