HTML encode notifications sent by non-admins to prevent HTML injection

2023-12-13 10:07:21 -05:00
parent ac701f28b5
commit 6621983a9c
7 changed files with 28 additions and 14 deletions
--- a/Oqtane.Client/Modules/Admin/Site/Index.razor
+++ b/Oqtane.Client/Modules/Admin/Site/Index.razor
@ -442,7 +442,7 @@
                    _homepageid = site.HomePageId.Value.ToString();
                }
                _isdeleted = site.IsDeleted.ToString();
-                _sitemap = PageState.Alias.Protocol + PageState.Alias.Name + "/pages/sitemap.xml";
+                _sitemap = PageState.Alias.Protocol + PageState.Alias.Name + "/sitemap.xml";
                _siteguid = site.SiteGuid;
                _version = site.Version;

--- a/Oqtane.Client/UI/SiteRouter.razor
+++ b/Oqtane.Client/UI/SiteRouter.razor
@ -162,7 +162,8 @@
        if (PageState == null || refresh || PageState.Alias.SiteId != SiteState.Alias.SiteId)
        {
            var authState = await AuthenticationStateProvider.GetAuthenticationStateAsync();
-            if (authState.User.Identity.IsAuthenticated)
+            // verify user is authenticated for current site
+            if (authState.User.Identity.IsAuthenticated && authState.User.Claims.Any(item => item.Type == "sitekey" && item.Value == SiteState.Alias.SiteKey))
            {
                user = await UserService.GetUserAsync(authState.User.Identity.Name, SiteState.Alias.SiteId);
                if (user != null)
--- a/Oqtane.Client/UI/ThemeBuilder.razor
+++ b/Oqtane.Client/UI/ThemeBuilder.razor
@ -88,8 +88,8 @@

    protected override async Task OnAfterRenderAsync(bool firstRender)
    {
-        // force user to provide email address (email may be missing if using external login)
-        if (PageState.User != null && string.IsNullOrEmpty(PageState.User.Email) && PageState.Route.PagePath != "profile")
+        // force authenticated user to provide email address (email may be missing if using external login)
+        if (PageState.User != null && PageState.User.IsAuthenticated && string.IsNullOrEmpty(PageState.User.Email) && PageState.Route.PagePath != "profile")
        {
            NavigationManager.NavigateTo(Utilities.NavigateUrl(PageState.Alias.Path, "profile", "returnurl=" + WebUtility.UrlEncode(PageState.Route.PathAndQuery)));
            return;