
westwind.aspnetcore's Issues

Cross site scripting vulnerability

It appears the markdown component is exposing cross site scripting vulnerabilities.

When the following text is placed inside the tag, the text is being rendered as script.
Recycleablequp97<ScRiPt>alert(1)</ScRiPt>qgxsv

When the markdown tag is not used, it is rendered as text by .net:
Recycleablequp97&lt;ScRiPt&gt;alert(1)&lt;/ScRiPt&gt;qgxsv

I have read the closed issue on this, but I feel like the markdown component should not be undoing the default behavior for rendering script tags.

I'm using .net core 2.1.2

WebUtils.SetUserLocale

Hi there,
Does the WebUtils.SetUserLocale function work with the Asp.Net Core version?
It works perfectly if I change my browser language, or if I add the culture= in the query string, but not if I specify the culture and UI culture (these are both strings). I'm trying to persist this using a simple cookie.

WebUtils.SetUserLocale(culture, culture, null, true, null, HttpContext);

Thanks,
David

Issue with XSS

Hi, we're using your library over at csharpfritz/CoreWiki#144 to render wiki content and comments, but we appear to be having an issue with XSS.

Is this something that can be fixed in the library, or something we have to update on our end when using the <markdown> tag?

How we're using the library:

https://github.com/csharpfritz/CoreWiki/blob/dev/CoreWiki/Pages/Components/ListComments/ListComments.cshtml#L41

https://github.com/csharpfritz/CoreWiki/blob/dev/CoreWiki/Pages/Details.cshtml#L19

Comment log of issue:

csharpfritz/CoreWiki#144
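
The behaviour both XSS reports above describe, reproduced as an added example that is not code from Westwind.AspNetCore or from the issue authors. It assumes a Markdig-based renderer (the page does not say which parser the component uses) and the Markdig NuGet package; the class and method names are hypothetical.

```csharp
// Added example: raw-HTML pass-through in a Markdown renderer vs. a hardened pipeline.
// Assumption: the Markdig NuGet package is referenced. MarkdownXssDemo, RenderRaw and
// RenderNoHtml are illustrative names, not part of any library.
using System;
using System.Net;
using Markdig;

public static class MarkdownXssDemo
{
    // Built once and reused: DisableHtml() tells Markdig to treat HTML found in the
    // Markdown source as literal text, so it is encoded instead of emitted as markup.
    private static readonly MarkdownPipeline NoHtmlPipeline =
        new MarkdownPipelineBuilder().DisableHtml().Build();

    // Default pipeline: CommonMark permits inline raw HTML, so tags in the
    // source pass through to the output unchanged.
    public static string RenderRaw(string markdown) =>
        Markdown.ToHtml(markdown);

    // Hardened rendering for untrusted input such as wiki pages and comments.
    public static string RenderNoHtml(string markdown) =>
        Markdown.ToHtml(markdown, NoHtmlPipeline);

    public static void Main()
    {
        // Test string quoted in the first issue above.
        const string input = "Recycleablequp97<ScRiPt>alert(1)</ScRiPt>qgxsv";

        // Baseline: the HTML encoding Razor applies to ordinary @-expressions.
        Console.WriteLine("Encoded   : " + WebUtility.HtmlEncode(input));

        // Markdown with raw HTML allowed: the tag survives rendering.
        Console.WriteLine("Raw HTML  : " + RenderRaw(input));

        // Markdown with raw HTML disabled: the tag comes out as encoded text.
        Console.WriteLine("No HTML   : " + RenderNoHtml(input));
    }
}
```

Where authors legitimately need some HTML in their Markdown, an allow-list HTML sanitizer applied to the rendered output is the alternative to disabling HTML outright.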

Change markdown renderer used

For a project I need to be able to generate AMP as well as "normal" HTML pages. I'm using your library at the moment, works great thanks!

I was wondering if there is any way to change the renderer used by Markdown.ParseHtmlString to a custom one so that I can generate AMP-specific html?

Custom Middleware add/remove headers

I was looking into ways of adding and removing headers from my ASP.NET Core application. It's an API so there is no UI to it. After looking around I worked out that using the middleware technique to add and remove headers is probably the best as I need to include information in every response. I used the techniques in the CustomMiddleware.cs class and added code to the Startup.Configure method. Adding headers seems to work so for example:

opt.HeadersToAdd.Add("X-API-Version", sVersionString);
opt.HeadersToAdd.Add("X-ClientCommand", sCommandToExecute);

However, removing doesn't remove the headers. Any thoughts? It's not overly important to remove these, but I like to remove some things just to make the response cleaner.

opt.HeadersToRemove.Add("X-Powered-By");
opt.HeadersToRemove.Add("x-aspnet-version");
opt.HeadersToRemove.Add("Server");

Missing trailing slash causes out of index exception

I have a subsite under my domain and now when I try to navigate to its landing page I get this error:

An unhandled exception has occurred while executing the request.
System.ArgumentOutOfRangeException: startIndex cannot be larger than length of string.
Parameter name: startIndex
   at System.String.Substring(Int32 startIndex, Int32 length)
   at Westwind.AspNetCore.Markdown.MarkdownPageProcessorMiddleware.InvokeAsync(HttpContext context)
   at Microsoft.AspNetCore.HttpsPolicy.HstsMiddleware.Invoke(HttpContext context)
   at Microsoft.AspNetCore.Diagnostics.ExceptionHandlerMiddleware.Invoke(HttpContext context)

If I add a trailing slash then the page works correctly.

https://myweb.com/subsite - doesn't work
https://myweb.com/subsite/ - this works (hits the home controller and displays the index page)

Any clues?

Thanks.

Add licence

Please, add some licence.

I don't know what I can do with your helpers (and I reaaaaly want to dig in your MarkdownTagHelper)

Change target framework to netstandard2.0

Would be great if this was dependent upon netstandard2.0 rather than netcoreapp2.0, some of us are still using full framework for web apps.

I'd be happy to submit a pull request for this... I note that the latest version of this repo currently has a compilation issue however.

Markdown now requires trailing slash for subsite

I have a subsite under my domain and now when I try to navigate to its landing page I get this error:

An unhandled exception has occurred while executing the request.
System.ArgumentOutOfRangeException: startIndex cannot be larger than length of string.
Parameter name: startIndex
   at System.String.Substring(Int32 startIndex, Int32 length)
   at Westwind.AspNetCore.Markdown.MarkdownPageProcessorMiddleware.InvokeAsync(HttpContext context)
   at Microsoft.AspNetCore.HttpsPolicy.HstsMiddleware.Invoke(HttpContext context)
   at Microsoft.AspNetCore.Diagnostics.ExceptionHandlerMiddleware.Invoke(HttpContext context)

If I add a trailing slash then the page works correctly.

https://myweb.com/subsite - doesn't work
https://myweb.com/subsite/ - this works (hits the home controller and displays the index page)

Any clues?

Thanks.
