PropertyFor generates invalid HTML


We have a custom property renderer:

    using System;
    using System.Linq.Expressions;
    using Microsoft.AspNetCore.Html;
    using Microsoft.AspNetCore.Mvc.Rendering;
    public class CustomRenderer : EPiServer.Web.Mvc.Html.PropertyRenderer
    {
        public override HtmlString PropertyFor<TModel, TValue>(
            IHtmlHelper<TModel> html,
            string viewModelPropertyName,
            object additionalViewData,
            object editorSettings,
            Expression<Func<TModel, TValue>> expression,
            Func<string, IHtmlContent> displayForAction)
        {
            // local renamed from 'html' so it no longer shadows the parameter
            var rendered = base.PropertyFor(html, viewModelPropertyName, additionalViewData, editorSettings, expression, displayForAction);
            return rendered;
        }
    }

When this is called via a .cshtml view:

    @Html.PropertyFor(m => m.CurrentBlock.Heading, new { CustomTag = "h1", CustomCssClass = @Model.SelectedHeadingSize })

additionalViewData will contain the anonymous object:

    { CustomTag = "h1", CustomCssClass = "if heading larger" }

In On-Page Editing mode this is causing an issue. If you peek at the Value property of the IHtmlContent returned by PropertyFor, the (C# escaped) string looks like this:

    <h1 class=\"epi-editContainer\" data-epi-property-rendersettings=\"{\"CustomTag\":\"h1\",\"CustomCssClass\":\"if heading larger\"}\">Simple Hero block</h1>

Which results in the following HTML: 

    <h1 class="epi-editContainer" data-epi-use-mvc="True" data-epi-property-rendersettings="{" customtag":"h1","customcssclass":"if="" heading="" larger"}"="">Simple Hero block</h1>

The data-epi-property-rendersettings attribute is clearly supposed to contain a JSON value, but because both the attribute and the JSON use double quotation mark characters, the result is just crap.

Any idea what's going on here? I found this issue after upgrading to CMS 12, but we seem to have it in our production environment also, where CMS 11 is used. 

Sep 13, 2023 16:34

We solved this by implementing our own IHtmlContent class that, when HTML is rendered, ensures that tags are written with single quotation mark characters, which allows any JSON content to use double quotation mark characters. 🤷‍♂️

Oct 25, 2023 14:25
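The root cause in the original post and the single-quote workaround in the reply, as an added stand-alone example (not Optimizely/EPiServer code and not using their API): the tag and attribute names are copied from the post, the JSON strings are constructed, and the point is that the attribute value has to be HTML-encoded rather than just wrapped in a different quote character.

```csharp
// Added example, not EPiServer/Optimizely code: JSON placed inside an HTML attribute.
using System;
using System.Net;
using System.Text.Encodings.Web;
using System.Text.Json;

public static class RenderSettingsDemo
{
    // 1. What the post shows: raw JSON in a double-quoted attribute. The first '"' of the
    //    JSON terminates the attribute value, so the browser sees the value "{" and then
    //    tokenizes the rest of the JSON as further, meaningless attributes.
    public static string Unencoded(string json) =>
        $"<h1 class=\"epi-editContainer\" data-epi-property-rendersettings=\"{json}\">Simple Hero block</h1>";

    // 2. The reply's workaround: single-quoted attribute. It only moves the problem: a
    //    value containing an apostrophe that the serializer left unescaped (JSON does not
    //    require escaping it) terminates the attribute in exactly the same way.
    public static string SingleQuoted(string json) =>
        $"<h1 class='epi-editContainer' data-epi-property-rendersettings='{json}'>Simple Hero block</h1>";

    // 3. Robust form: HTML-encode the attribute value. '"' becomes &quot; and '\'' becomes
    //    &#x27;, so no character of the JSON can end the attribute, whichever quote is used.
    public static string Encoded(string json) =>
        $"<h1 class=\"epi-editContainer\" data-epi-property-rendersettings=\"{HtmlEncoder.Default.Encode(json)}\">Simple Hero block</h1>";

    public static void Main()
    {
        // Constructed sample: the anonymous object from the post, serialized to JSON.
        string json = JsonSerializer.Serialize(new { CustomTag = "h1", CustomCssClass = "if heading larger" });
        Console.WriteLine(Unencoded(json));     // broken: attribute value ends after "{"
        Console.WriteLine(SingleQuoted(json));  // survives for this particular input
        Console.WriteLine(Encoded(json));       // survives for any input

        // Constructed JSON with an apostrophe in a value: the single-quote trick now breaks.
        Console.WriteLine(SingleQuoted("{\"CustomCssClass\":\"editor's choice\"}"));
        Console.WriteLine(Encoded("{\"CustomCssClass\":\"editor's choice\"}"));

        // Browsers decode entities before exposing the attribute to scripts (dataset,
        // getAttribute), so the encoded value reads back as the original JSON.
        string encoded = HtmlEncoder.Default.Encode(json);
        Console.WriteLine(WebUtility.HtmlDecode(encoded) == json);
    }
}
```

In Razor the same effect is obtained by letting the view engine encode the value (for example a `string` passed as an attribute value is encoded automatically) instead of emitting it through an `IHtmlContent` that bypasses encoding.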