Merge branch 'release/13.5.3' into release/13.6

# Conflicts:
#	version.json

Author: Zeegaan

src/Umbraco.Web.BackOffice/Controllers/PreviewController.cs

@@ -1,3 +1,4 @@
+using System.Globalization;
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.AspNetCore.Mvc.ViewEngines;
@@ -130,6 +131,11 @@ public async Task<JavaScriptResult> Application()
     [Authorize(Policy = AuthorizationPolicies.BackOfficeAccess)]
     public ActionResult Frame(int id, string culture)
     {
+        if (ValidateProvidedCulture(culture) is false)
+        {
+            throw new InvalidOperationException($"Could not recognise the provided culture: {culture}");
+        }
+
         EnterPreview(id);
 
         // use a numeric URL because content may not be in cache and so .Url would fail
@@ -138,6 +144,28 @@ public ActionResult Frame(int id, string culture)
         return RedirectPermanent($"../../{id}{query}");
     }
 
+    private static bool ValidateProvidedCulture(string culture)
+    {
+        if (string.IsNullOrEmpty(culture))
+        {
+            return true;
+        }
+
+        // We can be confident the backoffice will have provided a valid culture in linking to the
+        // preview, so we don't need to check that the culture matches an Umbraco language.
+        // We are only concerned here with protecting against XSS attacks from a fiddled preview
+        // URL, so we can just confirm we have a valid culture.
+        try
+        {
+            CultureInfo.GetCultureInfo(culture, true);
+            return true;
+        }
+        catch (CultureNotFoundException)
+        {
+            return false;
+        }
+    }
+
     public ActionResult? EnterPreview(int id)
     {
         IUser? user = _backofficeSecurityAccessor.BackOfficeSecurity?.CurrentUser;

src/Umbraco.Web.Common/Views/UmbracoViewPage.cs

@@ -141,7 +141,10 @@ public void WriteUmbracoContent(TagHelperOutput tagHelperOutput)
                         string.Format(
                             ContentSettings.PreviewBadge,
                             HostingEnvironment.ToAbsolute(GlobalSettings.UmbracoPath),
-                            Context.Request.GetEncodedUrl(),
+                            System.Web.HttpUtility.HtmlEncode(Context.Request.GetEncodedUrl()), // Belt and braces - via a browser at least it doesn't seem possible to have anything other than
+                                                                                                // a valid culture code provided in the querystring of this URL.
+                                                                                                // But just to be sure of prevention of an XSS vulnterablity we'll HTML encode here too.
+                                                                                                // An expected URL is untouched by this encoding.
                             UmbracoContext.PublishedRequest?.PublishedContent?.Id);
                 }
                 else

tests/Umbraco.Tests.Integration/Umbraco.Infrastructure/Persistence/SyntaxProvider/SqlServerSyntaxProviderTests.cs

@@ -68,12 +68,8 @@ string c(string x)
         }
 
         Assert.AreEqual(
-            @$"DELETE FROM {t("cmsContentNu")} WHERE {c("nodeId")} IN (SELECT {c("nodeId")} FROM (SELECT DISTINCT cmsContentNu.nodeId
-FROM {t("cmsContentNu")}
-INNER JOIN {t("umbracoNode")}
-ON {t("cmsContentNu")}.{c("nodeId")} = {t("umbracoNode")}.{c("id")}
-WHERE (({t("umbracoNode")}.{c("nodeObjectType")} = @0))) x)".Replace(Environment.NewLine, " ").Replace("\n", " ")
-                .Replace("\r", " "),
+            @$"DELETE FROM {t("cmsContentNu")} WHERE {c("nodeId")} IN (SELECT {c("nodeId")} FROM (SELECT DISTINCT cmsContentNu.nodeId FROM {t("cmsContentNu")} INNER JOIN {t("umbracoNode")} ON {t("cmsContentNu")}.{c("nodeId")} = {t("umbracoNode")}.{c("id")} WHERE (({t("umbracoNode")}.{c("nodeObjectType")} = @0))) x)".Replace(Environment.NewLine, " ")
+                .Replace("\n", " ").Replace("\r", " "),
             sqlOutput.SQL.Replace(Environment.NewLine, " ").Replace("\n", " ").Replace("\r", " "));
 
         Assert.AreEqual(1, sqlOutput.Arguments.Length);