Merge commit from fork

AndyButland · Zeegaan · web-flow · commit d60137e6da98 · 2025-01-20T14:14:28.000+01:00
* Ensure preview can only be requested with a valid culture code.

* Update src/Umbraco.Web.BackOffice/Controllers/PreviewController.cs

Co-authored-by: Nikolaj Geisle &lt;70372949+Zeegaan@users.noreply.github.com&gt;

* Restricted to predefined culture codes.

---------

Co-authored-by: Nikolaj Geisle &lt;70372949+Zeegaan@users.noreply.github.com&gt;
diff --git a/src/Umbraco.Web.BackOffice/Controllers/PreviewController.cs b/src/Umbraco.Web.BackOffice/Controllers/PreviewController.cs
@@ -1,3 +1,4 @@
+using System.Globalization;
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.AspNetCore.Mvc.ViewEngines;
@@ -130,6 +131,11 @@ public async Task<JavaScriptResult> Application()
     [Authorize(Policy = AuthorizationPolicies.BackOfficeAccess)]
     public ActionResult Frame(int id, string culture)
     {
+        if (ValidateProvidedCulture(culture) is false)
+        {
+            throw new InvalidOperationException($"Could not recognise the provided culture: {culture}");
+        }
+
         EnterPreview(id);
 
         // use a numeric URL because content may not be in cache and so .Url would fail
@@ -138,6 +144,28 @@ public ActionResult Frame(int id, string culture)
         return RedirectPermanent($"../../{id}{query}");
     }
 
+    private static bool ValidateProvidedCulture(string culture)
+    {
+        if (string.IsNullOrEmpty(culture))
+        {
+            return true;
+        }
+
+        // We can be confident the backoffice will have provided a valid culture in linking to the
+        // preview, so we don't need to check that the culture matches an Umbraco language.
+        // We are only concerned here with protecting against XSS attacks from a fiddled preview
+        // URL, so we can just confirm we have a valid culture.
+        try
+        {
+            CultureInfo.GetCultureInfo(culture, true);
+            return true;
+        }
+        catch (CultureNotFoundException)
+        {
+            return false;
+        }
+    }
+
     public ActionResult? EnterPreview(int id)
     {
         IUser? user = _backofficeSecurityAccessor.BackOfficeSecurity?.CurrentUser;
diff --git a/src/Umbraco.Web.Common/Views/UmbracoViewPage.cs b/src/Umbraco.Web.Common/Views/UmbracoViewPage.cs
@@ -141,7 +141,10 @@ public void WriteUmbracoContent(TagHelperOutput tagHelperOutput)
                         string.Format(
                             ContentSettings.PreviewBadge,
                             HostingEnvironment.ToAbsolute(GlobalSettings.UmbracoPath),
-                            Context.Request.GetEncodedUrl(),
+                            System.Web.HttpUtility.HtmlEncode(Context.Request.GetEncodedUrl()), // Belt and braces - via a browser at least it doesn't seem possible to have anything other than
+                                                                                                // a valid culture code provided in the querystring of this URL.
+                                                                                                // But just to be sure of prevention of an XSS vulnterablity we'll HTML encode here too.
+                                                                                                // An expected URL is untouched by this encoding.
                             UmbracoContext.PublishedRequest?.PublishedContent?.Id);
                 }
                 else
