Add module header and footer settings

Author: adlzanchetta-trilogy

Build/Build.csproj

@@ -15,7 +15,7 @@
     <AdditionalFiles Include="..\stylecop.json" Link="stylecop.json" />
   </ItemGroup>
   <ItemGroup>
-    <PackageReference Include="Cake.BuildSystems.Module" Version="8.0.0" />
+    <PackageReference Include="Cake.BuildSystems.Module" Version="9.0.0" />
     <PackageReference Include="Cake.FileHelpers" Version="7.0.0" />
     <PackageReference Include="Cake.Frosting" Version="6.0.0" />
     <PackageReference Include="Cake.Frosting.Git" Version="5.0.1" />

Build/ContextExtensions.cs

@@ -4,8 +4,9 @@
 
 namespace DotNetNuke.Build;
 
+using System;
 using System.Diagnostics;
-
+
 using Cake.Common.IO;
 using Cake.Core.IO;
 
@@ -18,6 +19,8 @@ public static class ContextExtensions
     /// <returns>The file version.</returns>
     public static string GetAssemblyFileVersion(this Context context, FilePath assemblyPath)
     {
-        return FileVersionInfo.GetVersionInfo(context.MakeAbsolute(assemblyPath).FullPath).FileVersion;
+        var versionInfo = FileVersionInfo.GetVersionInfo(context.MakeAbsolute(assemblyPath).FullPath);
+        var fileVersion = versionInfo.FileVersion;
+        return Version.TryParse(fileVersion, out _) ? fileVersion : $"{versionInfo.FileMajorPart}.{versionInfo.FileMinorPart}.{versionInfo.FileBuildPart}";
     }
 }

Build/Tasks/OtherPackages.cs

@@ -18,6 +18,7 @@ namespace DotNetNuke.Build.Tasks
     /// <summary>A cake task to include other 3rd party packages.</summary>
     [IsDependentOn(typeof(PackageNewtonsoft))]
     [IsDependentOn(typeof(PackageMailKit))]
+    [IsDependentOn(typeof(PackageHtmlSanitizer))]
     [IsDependentOn(typeof(PackageAspNetWebApi))]
     [IsDependentOn(typeof(PackageAspNetWebPages))]
     [IsDependentOn(typeof(PackageAspNetMvc))]

Build/Tasks/PackageHtmlSanitizer.cs

@@ -0,0 +1,14 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+// See the LICENSE file in the project root for more information
+namespace DotNetNuke.Build.Tasks;
+
+/// <summary>A cake task to generate the MailKit package.</summary>
+public sealed class PackageHtmlSanitizer : PackageComponentTask
+{
+    /// <summary>Initializes a new instance of the <see cref="PackageHtmlSanitizer"/> class.</summary>
+    public PackageHtmlSanitizer()
+        : base("HtmlSanitizer")
+    {
+    }
+}

Build/Tasks/unversionedManifests.txt

@@ -1,8 +1,4 @@
-DNN Platform/Components/MailKit/*.dnn
-DNN Platform/Components/Microsoft.*/**/*.dnn
-DNN Platform/Components/Newtonsoft/*.dnn
-DNN Platform/Components/WebFormsMvp/*.dnn
-DNN Platform/Components/SharpZipLib/*.dnn
+DNN Platform/Components/**/*.dnn
 DNN Platform/JavaScript Libraries/HoverIntent/*.dnn
 DNN Platform/JavaScript Libraries/jQuery*/*.dnn
 DNN Platform/JavaScript Libraries/Knockout*/*.dnn

DNN Platform/Components/HtmlSanitizer/HtmlSanitizer.dnn

@@ -0,0 +1,55 @@
+<dotnetnuke type="Package" version="5.0">
+  <packages>
+    <package name="DotNetNuke.HtmlSanitizer" type="Library" version="1.0.0">
+      <friendlyName>HtmlSanitizer Components</friendlyName>
+      <description>Provides AngleSharp and HtmlSanitizer assemblies for the platform.</description>
+      <dependencies/>
+      <owner>
+        <name>.NET Foundation and Contributors</name>
+        <organization>DNN Community</organization>
+        <url>https://dnncommunity.org</url>
+        <email>info@dnncommunity.org</email>
+      </owner>
+      <license src="License.txt"/>
+      <releaseNotes>
+        This package includes AngleSharp, AngleSharp.Css and HtmlSanitizer assemblies.
+      </releaseNotes>
+      <components>
+        <component type="Assembly">
+          <assemblies>
+            <assembly>
+              <path>bin</path>
+              <name>AngleSharp.dll</name>
+              <version />
+            </assembly>
+            <assembly>
+              <path>bin</path>
+              <name>AngleSharp.Css.dll</name>
+              <version />
+            </assembly>
+            <assembly>
+              <path>bin</path>
+              <name>HtmlSanitizer.dll</name>
+              <version />
+            </assembly>
+            <assembly>
+              <path>bin</path>
+              <name>System.Collections.Immutable.dll</name>
+              <version />
+            </assembly>
+            <assembly>
+              <path>bin</path>
+              <name>System.Text.Encoding.CodePages.dll</name>
+              <version />
+            </assembly>
+            <assembly>
+              <path>bin</path>
+              <name>System.Runtime.CompilerServices.Unsafe.dll</name>
+              <version/>
+            </assembly>
+          </assemblies>
+        </component>
+      </components>
+    </package>
+  </packages>
+</dotnetnuke>

DNN Platform/Components/HtmlSanitizer/License.txt

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (C) 2012-2020 .NET Foundation and Contributors
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

DNN Platform/Library/Common/Utilities/HtmlUtils.cs

@@ -13,7 +13,9 @@ namespace DotNetNuke.Common.Utilities
     using DotNetNuke.Internal.SourceGenerators;
     using DotNetNuke.Services.Upgrade;
 
-    /// <summary>HtmlUtils is a Utility class that provides Html Utility methods.</summary>
+    using Ganss.Xss;
+
+    /// <summary>HtmlUtils is a Utility class that provides HTML Utility methods.</summary>
     public partial class HtmlUtils
     {
         // Create Regular Expression objects
@@ -579,5 +581,81 @@ public static IHtmlString JavaScriptStringEncode(string value)
         /// <inheritdoc cref="HttpUtility.JavaScriptStringEncode(string,bool)"/>
         public static IHtmlString JavaScriptStringEncode(string value, bool addDoubleQuotes)
             => new HtmlString(HttpUtility.JavaScriptStringEncode(value, addDoubleQuotes));
+
+        /// <summary>Sanitize the given HTML, removing element which could include JavaScript.</summary>
+        /// <param name="htmlInput">The HTML to sanitize.</param>
+        /// <returns>The sanitized HTML.</returns>
+        public static string CleanOutOfJavascript(string htmlInput)
+        {
+            var sanitizer = new HtmlSanitizer();
+
+            // We need to disallow all attributes that might contain JS
+            sanitizer.AllowedAttributes.Remove("onclick");
+            sanitizer.AllowedAttributes.Remove("onmouseover");
+            sanitizer.AllowedAttributes.Remove("onmouseout");
+            sanitizer.AllowedAttributes.Remove("onkeypress");
+            sanitizer.AllowedAttributes.Remove("onkeydown");
+            sanitizer.AllowedAttributes.Remove("onkeyup");
+
+            // We need to disallow tags like '<form action="javascript:submitForm()">'
+            sanitizer.AllowedSchemes.Remove("javascript");
+
+            // Tags like '<script>' are obviously not allowed
+            sanitizer.AllowedTags.Remove("script");
+
+            return sanitizer.Sanitize(htmlInput);
+        }
+
+        /// <summary>Determines whether the given <paramref name="htmlInput"/> contains any JavaScript.</summary>
+        /// <param name="htmlInput">The HTML to check.</param>
+        /// <returns><see langword="true"/> if <paramref name="htmlInput"/> contains JavaScript, otherwise <see langword="false"/>.</returns>
+        public static bool ContainsJavaScript(string htmlInput)
+        {
+            if (string.IsNullOrEmpty(htmlInput))
+            {
+                return false;
+            }
+
+            string cleaned = CleanOutOfJavascript(htmlInput);
+
+            // Strip all HTML syntax characters and whitespace for comparison
+            string strippedOriginal = StripHtmlSyntax(htmlInput);
+            string strippedCleaned = StripHtmlSyntax(cleaned);
+
+            // If the stripped versions are different, JavaScript was likely removed
+            return !string.Equals(strippedOriginal, strippedCleaned, StringComparison.OrdinalIgnoreCase);
+        }
+
+        /// <summary>Sanitizes the given <paramref name="rawHtmlInput"/> if <paramref name="allowJavaScript"/> is <see langword="false"/>.</summary>
+        /// <param name="rawHtmlInput">The raw HTML input.</param>
+        /// <param name="allowJavaScript">Whether to allow JavaScript in the HTML.</param>
+        /// <returns>The HTML, potentially sanitized.</returns>
+        public static string SanitizeHtmlIfNeeded(string rawHtmlInput, bool allowJavaScript)
+        {
+            // If input is null or empty: nothing to do
+            if (string.IsNullOrEmpty(rawHtmlInput))
+            {
+                return string.Empty;
+            }
+
+            // If JavaScript is not allowed: HTML must be sanitized
+            if (!allowJavaScript)
+            {
+                return CleanOutOfJavascript(rawHtmlInput);
+            }
+
+            return rawHtmlInput;
+        }
+
+        private static string StripHtmlSyntax(string html)
+        {
+            if (string.IsNullOrEmpty(html))
+            {
+                return string.Empty;
+            }
+
+            // Remove all whitespace and HTML syntax characters
+            return Regex.Replace(html, @"[\s<>/""'=]", string.Empty);
+        }
     }
 }

DNN Platform/Library/DotNetNuke.Library.csproj

@@ -88,6 +88,12 @@
   </PropertyGroup>
   <Import Project="$(MSBuildBinPath)\Microsoft.CSharp.Targets" />
   <ItemGroup>
+    <Reference Include="AngleSharp, Version=1.4.0.0, Culture=neutral, PublicKeyToken=e83494dcdc6d31ea, processorArchitecture=MSIL">
+      <HintPath>..\..\packages\AngleSharp.1.4.0\lib\net472\AngleSharp.dll</HintPath>
+    </Reference>
+    <Reference Include="AngleSharp.Css, Version=1.0.0.0, Culture=neutral, PublicKeyToken=e83494dcdc6d31ea, processorArchitecture=MSIL">
+      <HintPath>..\..\packages\AngleSharp.Css.1.0.0-beta.159\lib\net472\AngleSharp.Css.dll</HintPath>
+    </Reference>
     <Reference Include="BouncyCastle.Crypto, Version=1.9.0.0, Culture=neutral, PublicKeyToken=0e99375e54769942, processorArchitecture=MSIL">
       <HintPath>..\..\packages\Portable.BouncyCastle.1.9.0\lib\net40\BouncyCastle.Crypto.dll</HintPath>
     </Reference>
@@ -101,6 +107,9 @@
       <SpecificVersion>False</SpecificVersion>
       <HintPath>..\Controls\DotNetNuke.WebControls\bin\DotNetNuke.WebControls.dll</HintPath>
     </Reference>
+    <Reference Include="HtmlSanitizer, Version=9.0.0.0, Culture=neutral, PublicKeyToken=61c49a1a9e79cc28, processorArchitecture=MSIL">
+      <HintPath>..\..\packages\HtmlSanitizer.9.1.878-beta\lib\net461\HtmlSanitizer.dll</HintPath>
+    </Reference>
     <Reference Include="ICSharpCode.SharpZipLib, Version=1.4.2.13, Culture=neutral, PublicKeyToken=1b03e6acf1164f73, processorArchitecture=MSIL">
       <HintPath>..\..\packages\SharpZipLib.1.4.2\lib\netstandard2.0\ICSharpCode.SharpZipLib.dll</HintPath>
     </Reference>
@@ -151,6 +160,9 @@
     <Reference Include="System.Buffers, Version=4.0.4.0, Culture=neutral, PublicKeyToken=cc7b13ffcd2ddd51, processorArchitecture=MSIL">
       <HintPath>..\..\packages\System.Buffers.4.6.0\lib\net462\System.Buffers.dll</HintPath>
     </Reference>
+    <Reference Include="System.Collections.Immutable, Version=9.0.0.2, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a, processorArchitecture=MSIL">
+      <HintPath>..\..\packages\System.Collections.Immutable.9.0.2\lib\net462\System.Collections.Immutable.dll</HintPath>
+    </Reference>
     <Reference Include="System.ComponentModel.Composition" />
     <Reference Include="System.ComponentModel.DataAnnotations" />
     <Reference Include="System.configuration" />
@@ -178,6 +190,9 @@
     <Reference Include="System.Runtime.Serialization" />
     <Reference Include="System.Security" />
     <Reference Include="System.ServiceModel.Web" />
+    <Reference Include="System.Text.Encoding.CodePages, Version=9.0.0.2, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a, processorArchitecture=MSIL">
+      <HintPath>..\..\packages\System.Text.Encoding.CodePages.9.0.2\lib\net462\System.Text.Encoding.CodePages.dll</HintPath>
+    </Reference>
     <Reference Include="System.Threading.Tasks.Extensions, Version=4.2.0.1, Culture=neutral, PublicKeyToken=cc7b13ffcd2ddd51, processorArchitecture=MSIL">
       <HintPath>..\..\packages\System.Threading.Tasks.Extensions.4.5.4\lib\net461\System.Threading.Tasks.Extensions.dll</HintPath>
     </Reference>

DNN Platform/Library/Entities/Portals/PortalSettings.cs

@@ -514,6 +514,12 @@ public bool DisablePrivateMessage
         /// <inheritdoc />
         public bool InlineEditorEnabled { get; internal set; }
 
+        /// <summary>Gets a value indicating whether JavaScript is allowed in module headers.</summary>
+        public bool AllowJsInModuleHeaders { get; internal set; }
+
+        /// <summary>Gets a value indicating whether JavaScript is allowed in module footer.</summary>
+        public bool AllowJsInModuleFooters { get; internal set; }
+
         /// <inheritdoc />
         public bool SearchIncludeCommon { get; internal set; }