
ae9ded011bd33e6cda307c4cbcb7930d3ed6d126 — jpgleeson 1 year, 5 months ago 78b029c
FIX: Sanitizing HTML

Doing it both in the JavaScript on the client and again on the server.
3 files changed, 8 insertions(+), 3 deletions(-)

M Controllers/CommentsController.cs
M caint.csproj
M wwwroot/js/caint.js
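--- a/Controllers/CommentsController.cs
+++ b/Controllers/CommentsController.cs
@@ -8,6 +8,7 @@ using Microsoft.AspNetCore.Cors;
 using Microsoft.EntityFrameworkCore;
 using caint.Data;
 using caint.Models;
+using Ganss.XSS;
 
 namespace caint.Controllers
 {
@@ -138,11 +139,12 @@ namespace caint.Controllers
         [HttpPost]
         public async Task<ActionResult<CommentDTO>> PostComment(CommentDTO commentDTO)
         {
+            var sanitizer = new HtmlSanitizer();
             var comment = new Comment
             {
                 approved = false,
                 name = commentDTO.name,
-                body = commentDTO.body,
+                body = sanitizer.Sanitize(commentDTO.body),
                 threadId = commentDTO.threadId
             };
 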
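Review bot: `name = commentDTO.name`, one line above the new `body = sanitizer.Sanitize(...)`, still stores the commenter name exactly as submitted, so the server-side layer protects only the body and any endpoint that returns stored comments hands raw name markup back to clients. Either pass it through the same sanitizer, `name = sanitizer.Sanitize(commentDTO.name),`, or, if a name is meant to be plain text, HTML-encode it wherever it is rendered rather than trusting the client script alone. A fresh `new HtmlSanitizer()` per request also runs with the library's default allow-list, which is broader than a comment body needs; a shared `private static readonly HtmlSanitizer` with `AllowedTags` trimmed to the few inline tags you actually want would be both cheaper and tighter, and check how `Sanitize` treats a null body if `CommentDTO.body` can be null. PostComment's body continues past the hunk.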
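--- a/caint.csproj
+++ b/caint.csproj
@@ -5,6 +5,7 @@
   </PropertyGroup>
 
   <ItemGroup>
+    <PackageReference Include="HTMLSanitizer" Version="5.0.376" />
     <PackageReference Include="Microsoft.AspNetCore.Authentication.JwtBearer" Version="5.0.0" NoWarn="NU1605" />
     <PackageReference Include="Microsoft.AspNetCore.Authentication.OpenIdConnect" Version="5.0.0" NoWarn="NU1605" />
     <PackageReference Include="Microsoft.AspNetCore.Cors" Version="2.2.0" />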
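Review bot: `Version="5.0.376"` pins HtmlSanitizer to an older release line; a sanitizer is exactly the dependency where a published bypass fix matters, so check the package's security advisories and move to a current reviewed release before treating it as the server-side XSS barrier. Keep it pinned to an exact version rather than a floating range, and add a dependency-audit step to the build so later advisories against this package surface instead of going unnoticed.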
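--- a/wwwroot/js/caint.js
+++ b/wwwroot/js/caint.js
@@ -93,6 +93,8 @@ function approveItem(id) {
       .catch(error => console.error('Unable to approve comments.', error));
 }
 
+var sanitizeHTML = function (str) { return str.replace(/[^\w. ]/gi, function (c) { return '&#' + c.charCodeAt(0) + ';'; }); };
+
 function closeInput() {
   document.getElementById('editForm').style.display = 'none';
 }
@@ -124,8 +126,8 @@ function _displayThread(data) {
     commentName.setAttribute('class', 'commenterName');
     commentBody.setAttribute('class', 'commentBody');
 
-    commentName.innerHTML = item.name;
-    commentBody.innerHTML = item.body;
+    commentName.innerHTML = sanitizeHTML(item.name);
+    commentBody.innerHTML = sanitizeHTML(item.body);
 
     commentDiv.appendChild(commentName);
     commentDiv.appendChild(commentBody);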
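Review bot: The two new `innerHTML = sanitizeHTML(...)` assignments entity-encode every character outside `[\w. ]` and then hand the result to the HTML parser, which is a roundabout way of inserting plain text; `commentName.textContent = item.name;` and `commentBody.textContent = item.body;` give the same safe result with no encoder, and they do not split astral characters such as emoji into two invalid `&#NNNNN;` surrogate references the way the `u`-less regex plus `charCodeAt` does. Encoding on the client also means whatever the server-side HtmlSanitizer lets through is shown as literal text — `<b>` arrives as `&#60;b&#62;` — so the two layers disagree on whether a comment may contain markup; pick one contract, plain text everywhere or sanitized HTML rendered once without re-encoding. `sanitizeHTML` will throw on a null or undefined `name` or `body`, so default them (`item.name || ''`) if the API can return that. `_displayThread` starts before the hunk and continues after it.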