U4-9262 - CleanForXss breaks rgba() values set as grid background color style

Created by Arnold Visser 08 Dec 2016, 12:57:18 Updated by Shannon Deminick 16 Oct 2017, 06:02:58

Is duplicated by: U4-9263

Relates to: U4-9263

Relates to: U4-10539

Subtask of: UAASSCRUM-721

The fix for issue http://issues.umbraco.org/issue/U4-9134 caused rgba() values set as background color on the grid to get stripped of the (), and therefore to stop working, since that produces broken CSS output in the style.

This seems to be a breaking change in the 7.5.5/6 update.

This line is causing this: https://github.com/umbraco/Umbraco-CMS/blob/26a04ca7e91750a796c753f2f071cb1af8045cb1/src/Umbraco.Core/StringExtensions.cs#L179

Comments

Shannon Deminick 20 Dec 2016, 02:31:36

PR is here: https://github.com/umbraco/Umbraco-CMS/pull/1653

Instead of stripping characters as was done in http://issues.umbraco.org/issue/U4-9134 we are encoding characters correctly.

For attribute encoding we use the built-in ASP.NET HttpUtility.HtmlAttributeEncode, which is made specifically for this with double quotes: https://msdn.microsoft.com/en-us/library/wdek0zbf(v=vs.110).aspx (cannot be used for single quote attributes). The changes I've made are specifically for double quoted html attributes.

I've also ensured that the URI submitted for embedding things in the grid is validated before trying to send a request, and I've changed the textstring xss logic to htmlencode the string instead of stripping strings out of it.


Claus Jensen 20 Dec 2016, 09:32:45

Merged :)


Anders Brohus 12 Jan 2017, 13:30:13

Hi @Shandem and @claus

Today I ran into a problem with the "CleanForXss", so I hope it's okay I comment on here .. :) In the grid, there is the "Headline" that makes an H1, and when the text for example is,

"We'll help you & support you"

It will remove the "&" in the text.

So I went into the Textstring.cshtml file (Views\Partials\Grid\Editors) and saw there was the CleanForXss, so after some debugging I tried to remove the function and then it didn't remove the "&" :)

So I changed this

markup = markup.Replace("#value#", UmbracoHelper.ReplaceLineBreaksForHtml(TemplateUtilities.CleanForXss(Model.value.ToString())));

Into this

markup = markup.Replace("#value#", UmbracoHelper.ReplaceLineBreaksForHtml(Model.value.ToString()));


Shannon Deminick 12 Jan 2017, 13:32:54

@andersbrohus please always say what version you are using. Have you tested this in 7.5.7? We don't use CleanForXss for this anymore.


Anders Brohus 12 Jan 2017, 14:02:49

Oh sorry @Shandem :) It was on 7.5.6 :)

I haven't upgraded to 7.5.7 :)
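
The difference between stripping characters and encoding them, which the PR comment above describes and which the "&" report in the headline case shows, as an added stand-alone example (not Umbraco's code; StripForXss is a constructed stand-in for the old strip-and-hope behaviour, and the sample values are constructed):

```csharp
using System;
using System.Text.RegularExpressions;
using System.Web;

public static class GridValueDemo
{
    // Constructed stand-in for a "remove dangerous characters" sanitizer.
    // Dropping punctuation mangles legitimate values instead of neutralising them.
    public static string StripForXss(string input) =>
        Regex.Replace(input, @"[()<>""'&]", string.Empty);

    // Encoding approach from the PR: every character survives, but the ones that
    // could close a double-quoted attribute or open a tag become entities.
    // As noted in the thread, this is only for double-quoted attributes.
    public static string EncodeForDoubleQuotedAttribute(string input) =>
        HttpUtility.HtmlAttributeEncode(input);

    // Builds the grid's inline style attribute around an encoded colour value.
    public static string StyleAttribute(string backgroundColor) =>
        "style=\"background-color: " + EncodeForDoubleQuotedAttribute(backgroundColor) + "\"";

    public static void Main()
    {
        // Constructed sample values mirroring the two cases reported in this issue.
        string colour = "rgba(0, 0, 0, 0.5)";
        string headline = "We'll help you & support you";
        // Constructed value that tries to close the attribute early.
        string breakout = "red\" data-injected=\"x";

        // Parentheses removed: the browser gets "rgba0, 0, 0, 0.5", which is invalid CSS.
        Console.WriteLine("stripped colour : " + StripForXss(colour));
        // rgba(...) passes through untouched; encoding leaves ( ) , . and spaces alone.
        Console.WriteLine("encoded colour  : " + StyleAttribute(colour));
        // "&" and the apostrophe vanish from the headline text.
        Console.WriteLine("stripped text   : " + StripForXss(headline));
        // Text content is HTML-encoded rather than stripped, so the words stay intact.
        Console.WriteLine("encoded text    : " + HttpUtility.HtmlEncode(headline));
        // The embedded double quote becomes &quot;, so the value cannot leave the attribute.
        Console.WriteLine("breakout encoded: " + StyleAttribute(breakout));
    }
}
```

HttpUtility lives in System.Web, which .NET Core 2.0 and later also ship, so the program runs outside ASP.NET.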


Priority: Normal

Type: Bug

State: Fixed

Assignee:

Difficulty: Normal

Category:

Backwards Compatible: True

Fix Submitted:

Affected versions: 7.5.5, 7.5.6

Due in version: 7.5.7

Sprint: Sprint 49

Story Points: 1.5

Cycle: