M => +3 -1
@@ 8,6 8,7 @@ using Microsoft.AspNetCore.Cors;
using Microsoft.EntityFrameworkCore;
using caint.Data;
using caint.Models;
using Ganss.XSS;
namespace caint.Controllers
{
@@ 138,11 139,12 @@ namespace caint.Controllers
[HttpPost]
public async Task<ActionResult<CommentDTO>> PostComment(CommentDTO commentDTO)
{
var sanitizer = new HtmlSanitizer();
var comment = new Comment
{
approved = false,
name = commentDTO.name,
body = commentDTO.body,
body = sanitizer.Sanitize(commentDTO.body),
threadId = commentDTO.threadId
};
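Review bot: The sanitizer is applied to `body` only, while `name` is still stored verbatim from the DTO (`name = commentDTO.name,`), even though the wwwroot/js/caint.js hunk in this same commit renders `item.name` into the page exactly like the body; the server-side step should cover both fields, `name = sanitizer.Sanitize(commentDTO.name),`. Whether `Sanitize` tolerates a null input is not visible here, so if model binding can leave `body` or `name` null, guard before the call. A short comment above the `new Comment` initializer such as `// stored values are sanitized on write; the client still encodes on render` would record the intended defense layering. PostComment's body continues past the end of the hunk, and the section header does not show this file's path.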
M caint.csproj => caint.csproj +1 -0
@@ 5,6 5,7 @@
</PropertyGroup>
<ItemGroup>
+ <PackageReference Include="HTMLSanitizer" Version="5.0.376" />
<PackageReference Include="Microsoft.AspNetCore.Authentication.JwtBearer" Version="5.0.0" NoWarn="NU1605" />
<PackageReference Include="Microsoft.AspNetCore.Authentication.OpenIdConnect" Version="5.0.0" NoWarn="NU1605" />
<PackageReference Include="Microsoft.AspNetCore.Cors" Version="2.2.0" />
M wwwroot/js/caint.js => wwwroot/js/caint.js +4 -2
@@ 93,6 93,8 @@ function approveItem(id) {
.catch(error => console.error('Unable to approve comments.', error));
}
+var sanitizeHTML = function (str) { return str.replace(/[^\w. ]/gi, function (c) { return '&#' + c.charCodeAt(0) + ';'; }); };
+
function closeInput() {
document.getElementById('editForm').style.display = 'none';
}
@@ 124,8 126,8 @@ function _displayThread(data) {
commentName.setAttribute('class', 'commenterName');
commentBody.setAttribute('class', 'commentBody');
- commentName.innerHTML = item.name;
- commentBody.innerHTML = item.body;
+ commentName.innerHTML = sanitizeHTML(item.name);
+ commentBody.innerHTML = sanitizeHTML(item.body);
commentDiv.appendChild(commentName);
commentDiv.appendChild(commentBody);
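Review bot: `sanitizeHTML` calls `charCodeAt(0)` on each matched character, so any character outside the BMP (emoji and similar) is split into two surrogate halves emitted as two separate numeric references that the HTML parser cannot decode, mangling the text; it also turns every punctuation and non-ASCII character into an entity purely to make `innerHTML` safe. Assigning through `textContent` lets the browser treat the value as plain text with no encoding step: `commentName.textContent = item.name;` and `commentBody.textContent = item.body;`, after which the `sanitizeHTML` helper added in the earlier hunk is no longer needed. As written the encoder does neutralize markup, so this is a correctness and simplicity point rather than an injection gap. `_displayThread` starts and continues outside the hunk.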