HTML encode notifications sent by non-admins to prevent HTML injection

This commit is contained in:
sbwalker
2023-12-13 10:07:21 -05:00
parent ac701f28b5
commit 6621983a9c
7 changed files with 28 additions and 14 deletions


@ -162,7 +162,8 @@
if (PageState == null || refresh || PageState.Alias.SiteId != SiteState.Alias.SiteId)
{
var authState = await AuthenticationStateProvider.GetAuthenticationStateAsync();
if (authState.User.Identity.IsAuthenticated)
// verify user is authenticated for current site
if (authState.User.Identity.IsAuthenticated && authState.User.Claims.Any(item => item.Type == "sitekey" && item.Value == SiteState.Alias.SiteKey))
{
user = await UserService.GetUserAsync(authState.User.Identity.Name, SiteState.Alias.SiteId);
if (user != null)
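Review bot: The new condition on the `if` line now silently rejects an authenticated principal whose claims do not include a matching `sitekey`, but the added comment only says "verify user is authenticated for current site" and does not say what happens to such a principal, which is the part a maintainer of this multi-site lookup will need. I would extend it to state the intent and the consequence, e.g. `// accept the authenticated principal only if its sitekey claim matches the current site; a principal issued for another site falls through and is presumably handled as anonymous below (confirm against the else branch)`. The literal `"sitekey"` is a magic string; if the project already defines a constant for this claim type it should be referenced here instead. The enclosing method and the `else` branch that handles the non-matching case lie outside this hunk.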