Fixes #9615 - Upgrade to Htmlsanitizer v5 (#9856)

nzdev · nul800sebastiaan · commit 16573446dbb3 · 2021-03-09T13:54:45.000+01:00
diff --git a/build/NuSpecs/UmbracoCms.Web.nuspec b/build/NuSpecs/UmbracoCms.Web.nuspec
@@ -42,7 +42,7 @@
                 <dependency id="Microsoft.Owin.Security.Cookies" version="[4.0.1,4.999999)" />
                 <dependency id="Microsoft.Owin.Security.OAuth" version="[4.0.1,4.999999)" />
                 <dependency id="System.Threading.Tasks.Dataflow" version="[4.9.0,4.999999)" />
-                <dependency id="HtmlSanitizer" version="[4.0.217,4.999999)" />
+                <dependency id="HtmlSanitizer" version="[5.0.376,5.999999)" />
 
             </group>
 
diff --git a/src/Umbraco.Web/Runtime/WebInitialComposer.cs b/src/Umbraco.Web/Runtime/WebInitialComposer.cs
@@ -40,6 +40,7 @@
 using Umbraco.Web.PropertyEditors;
 using Umbraco.Core.Models;
 using Umbraco.Web.Models;
+using Ganss.XSS;
 
 namespace Umbraco.Web.Runtime
 {
@@ -139,6 +140,14 @@ public override void Compose(Composition composition)
             composition.RegisterUnique<ISectionService, SectionService>();
             composition.RegisterUnique<IDashboardService, DashboardService>();
             composition.RegisterUnique<IIconService, IconService>();
+            composition.Register<IHtmlSanitizer>(_ =>
+            {
+                var sanitizer = new HtmlSanitizer();
+                sanitizer.AllowedAttributes.UnionWith(Umbraco.Core.Constants.SvgSanitizer.Attributes);
+                sanitizer.AllowedCssProperties.UnionWith(Umbraco.Core.Constants.SvgSanitizer.Attributes);
+                sanitizer.AllowedTags.UnionWith(Umbraco.Core.Constants.SvgSanitizer.Tags);
+                return sanitizer;
+            },Lifetime.Singleton);
 
             composition.RegisterUnique<IExamineManager>(factory => ExamineManager.Instance);
 
diff --git a/src/Umbraco.Web/Umbraco.Web.csproj b/src/Umbraco.Web/Umbraco.Web.csproj
@@ -67,6 +67,7 @@
     <PackageReference Include="HtmlAgilityPack" Version="1.8.14" />
     <PackageReference Include="HtmlSanitizer">
       <Version>4.0.217</Version>
+      <Version>5.0.376</Version>
     </PackageReference>
     <PackageReference Include="ImageProcessor">
       <Version>2.7.0.100</Version>
@@ -1286,7 +1287,7 @@
     </PropertyGroup>
     <ItemGroup>
       <!-- we want to exclude all facade references ?! -->
-      <FixedReferencePath Include="@(ReferencePath)" Condition="'%(ReferencePath.FileName)' != 'System.ValueTuple' and '%(ReferencePath.FileName)' != 'System.Net.Http'" />
+      <FixedReferencePath Include="@(ReferencePath)" Condition="'%(ReferencePath.FileName)' != 'System.ValueTuple' and '%(ReferencePath.FileName)' != 'System.Net.Http' and '%(ReferencePath.FileName)' != 'System.Text.Encoding.CodePages'" />
     </ItemGroup>
     <Delete Files="$(TargetDir)$(TargetName).XmlSerializers.dll" ContinueOnError="true" />
     <!--
@@ -1296,4 +1297,4 @@
       <Output TaskParameter="SerializationAssembly" ItemName="SerializationAssembly" />
     </SGen>
   </Target>
-</Project>
+</Project>
