Adding more restrictions on tag names

2026-02-09 09:16:41 +08:00 · 2014-02-06 12:25:08 -08:00
parent 093976851a
commit 107f54850c
3 changed files with 33 additions and 21 deletions
--- a/src/Orchard.Web/Modules/Orchard.Tags/Controllers/AdminController.cs
+++ b/src/Orchard.Web/Modules/Orchard.Tags/Controllers/AdminController.cs
@@ -1,12 +1,12 @@
 using System;
 using System.Collections.Generic;
 using System.Linq;
-using System.Reflection;
 using System.Web.Mvc;
 using Orchard.Localization;
 using Orchard.ContentManagement;
 using Orchard.Mvc;
 using Orchard.Mvc.Extensions;
+using Orchard.Tags.Drivers;
 using Orchard.Tags.Models;
 using Orchard.Tags.ViewModels;
 using Orchard.Tags.Services;
@@ -74,11 +74,17 @@ namespace Orchard.Tags.Controllers {

            var viewModel = new TagsAdminCreateViewModel();

-            if (!TryUpdateModel(viewModel)) {
+            TryUpdateModel(viewModel);
+
+            if (viewModel.TagName.Intersect(TagsPartDriver.DisalowedChars).Any()) {
+                ModelState.AddModelError("_FORM", T("The tag \"{0}\" could not be added because it contains forbidden chars: {1}", viewModel.TagName, String.Join(", ", TagsPartDriver.DisalowedChars)));
+            }
+
+            if(!ModelState.IsValid) {
                ViewData["CreateTag"] = viewModel;
                return Index();
            }
-            
+
            _tagService.CreateTag(viewModel.TagName);
            
            return RedirectToAction("Index");
@@ -112,6 +118,11 @@ namespace Orchard.Tags.Controllers {
            if (!Services.Authorizer.Authorize(Permissions.ManageTags, T("Couldn't edit tag")))
                return new HttpUnauthorizedResult();

+            if (viewModel.TagName.Intersect(TagsPartDriver.DisalowedChars).Any()) {
+                ModelState.AddModelError("_FORM", T("The tag \"{0}\" could not be modified because it contains forbidden chars: {1}", viewModel.TagName, String.Join(", ", TagsPartDriver.DisalowedChars)));
+                return View(viewModel);
+            }
+
            _tagService.UpdateTag(viewModel.Id, viewModel.TagName);
            return RedirectToAction("Index");
        }
--- a/src/Orchard.Web/Modules/Orchard.Tags/Drivers/TagsPartDriver.cs
+++ b/src/Orchard.Web/Modules/Orchard.Tags/Drivers/TagsPartDriver.cs
@@ -14,7 +14,7 @@ using Orchard.UI.Notify;
 namespace Orchard.Tags.Drivers {
    [UsedImplicitly]
    public class TagsPartDriver : ContentPartDriver<TagsPart> {
-        private static readonly char[] _disalowedChars =  { '<', '>', '*', '%', ':', '&', '\\', '"', '|' };
+        public static readonly char[] DisalowedChars =  { '<', '>', '*', '%', ':', '&', '\\', '"', '|', '/' };
        private const string TemplateName = "Parts/Tags";
        private readonly ITagService _tagService;
        private readonly INotifier _notifier;
@@ -50,10 +50,10 @@ namespace Orchard.Tags.Drivers {
            // as the tag names are used in the route directly, prevent them from having ASP.NET disallowed chars
            // c.f., http://www.hanselman.com/blog/ExperimentsInWackinessAllowingPercentsAnglebracketsAndOtherNaughtyThingsInTheASPNETIISRequestURL.aspx

-            var disallowedTags = tagNames.Where(x => _disalowedChars.Intersect(x).Any()).ToList();
+            var disallowedTags = tagNames.Where(x => DisalowedChars.Intersect(x).Any()).ToList();

            if (disallowedTags.Any()) {
-                _notifier.Warning(T("The tags \"{0}\" could not be added because they contain forbidden chars: {1}", String.Join(", ", disallowedTags), String.Join(", ", _disalowedChars)));
+                _notifier.Warning(T("The tags \"{0}\" could not be added because they contain forbidden chars: {1}", String.Join(", ", disallowedTags), String.Join(", ", DisalowedChars)));
                tagNames = tagNames.Where(x => !disallowedTags.Contains(x)).ToList();
            }

--- a/src/Orchard.Web/Modules/Orchard.Tags/Routes.cs
+++ b/src/Orchard.Web/Modules/Orchard.Tags/Routes.cs
@@ -12,21 +12,22 @@ namespace Orchard.Tags {

        public IEnumerable<RouteDescriptor> GetRoutes() {
            return new[] {
-                             new RouteDescriptor {   Priority = 5,
-                                                     Route = new Route(
-                                                         "Tags/{tagName}",
-                                                         new RouteValueDictionary {
-                                                                                      {"area", "Orchard.Tags"},
-                                                                                      {"controller", "Home"},
-                                                                                      {"action", "Search"}
-                                                         },
-                                                         new RouteValueDictionary(),
-                                                         new RouteValueDictionary {
-                                                                                      {"area", "Orchard.Tags"}
-                                                         },
-                                                         new MvcRouteHandler())
-                             }
-                         };
+                new RouteDescriptor {
+                    Priority = 5,
+                    Route = new Route(
+                        "Tags/{tagName}",
+                        new RouteValueDictionary {
+                            {"area", "Orchard.Tags"},
+                            {"controller", "Home"},
+                            {"action", "Search"}
+                        },
+                        new RouteValueDictionary(),
+                        new RouteValueDictionary {
+                            {"area", "Orchard.Tags"}
+                        },
+                        new MvcRouteHandler())
+                }
+            };
        }
    }
 }