Copied to clipboard

Flag this post as spam?

This post will be reported to the moderators as potential spam to be looked at


  • Carlos Mosqueda 201 posts 305 karma points
    May 10, 2021 @ 17:58
    Carlos Mosqueda
    0

    CSS Subdirectories in Umbraco 7.15.7 issue - Please help!

    Hello all,

    I recently updated to Umbraco 7.15.7 from 7.12.1 and found out that one of my CSS files was not being pulled in that was set up in a sub directory of the "/CSS/" folder that was working prior to the update.

    I set up the subfolder for the CSS in my admin as: "myfolder/overrides.css" which in Umbraco admin had created it as "/css/myfolder/overrides.css" BUT now Umbraco is changing the css folder structure and not allowing subfolders for the CSS sheets on 'Save'. My assumption is it is a config setting, but I can't seem to find out which one. If that is the problem at all.

    That said, Umbraco is now changing my subfolder CSS files to "/css/myfolderoverrides.css" with no slash between the folder and the stylesheet. Please help me out. I have quite a few of these because our instance runs multiple applications.

  • Carlos Mosqueda 201 posts 305 karma points
    May 10, 2021 @ 23:21
    Carlos Mosqueda
    0

    @UmbracoHQ, if you would ever be so kind or anyone familiar with the inner workings of Umbraco.

    So I tracked down, what I think, may be the crux of my issue. Though I may be wrong. Looking at the SaveFileController.cs I saw that the "SaveStylesheet" method was rewritten between Umbraco 7.12.1 and 7.15.7.

    It looks like some clean up routines were written to sanitize files names for XSS. Which make sense, however, I think it broke the ability to create Subfolders for the CSS (probably for the Javascript subfolders to, have not tested) files.

    In the 7.15.7 version the code for the routine in the SaveFileController.cs line 241 looks like this:

    [HttpPost]
        public JsonResult SaveStylesheet(string filename, string oldName, string contents)
        {
            // sanitize input - stylesheet names have no extension
            var svce = (FileService)Services.FileService;
    
            filename = CleanFilename(filename.CleanForXss());
            oldName = CleanFilename(oldName);
    
            if (filename != oldName)
            {
                var stylesheetExists = svce.GetStylesheetByName(filename);
                if (stylesheetExists != null)
                    return Failed(ui.Text("speechBubbles", "cssErrorText"), "A file named '" + filename + ".css' already exists.");
            }
    
            var stylesheet = svce.GetStylesheetByName(oldName);
            if (stylesheet == null)
                stylesheet = new Stylesheet(filename);
            else
                stylesheet.Path = filename;
            stylesheet.Content = contents;
    
            try
            {
                if (svce.ValidateStylesheet(stylesheet) == false)
                    return Failed(ui.Text("speechBubbles", "cssErrorText"), ui.Text("speechBubbles", "cssErrorHeader"),
                                    new FileSecurityException("File '" + filename + "' is not a valid stylesheet file."));
    
                svce.SaveStylesheet(stylesheet);
            }
            catch (Exception e)
            {
                return Failed(ui.Text("speechBubbles", "cssErrorText"), ui.Text("speechBubbles", "cssErrorHeader"), e);
            }
    
            return Success(ui.Text("speechBubbles", "cssSavedText"), ui.Text("speechBubbles", "cssSavedHeader"),
                new
                {
                    path = DeepLink.GetTreePathFromFilePath(stylesheet.Path),
                    name = stylesheet.Path,
                    url = stylesheet.VirtualPath,
                    contents = stylesheet.Content
                });
        }
    
        private static string CleanFilename(string filename)
        {
            return filename
                .Replace('\\', '/')
                .TrimStart('/')
                .EnsureEndsWith(".css");
        }
    

    I noticed the 'CleanForXss()' at the top of this method. I then followed that and in that method I found in the Umbraco.Core is the 'StringExtensions.cs' file and on line 192, I found this clean up routine that looks like it tags a bunch of characters and cleans it up before passing back to the SaveFileController.cs to the SaveStylesheet method.

        private static readonly char[] CleanForXssChars = "*?(){}[];:%<>/\\|&'\"".ToCharArray();
    

    In Umbraco 7.12.1 the SaveFileController.cs and the SaveStylesheet method looks like this:

          [HttpPost]
        public JsonResult SaveStylesheet(string filename, string oldName, string contents)
        {
            // sanitize input - stylesheet names have no extension
            filename = filename
                .Replace('\\', '/')
                .TrimStart('/')
                .EnsureEndsWith(".css");
    
            var svce = (FileService) Services.FileService;
            var stylesheet = svce.GetStylesheetByName(oldName);
            if (stylesheet == null)
                stylesheet = new Stylesheet(filename);
            else
                stylesheet.Path = filename;
            stylesheet.Content = contents;
    
            try
            {
                if (svce.ValidateStylesheet(stylesheet) == false)
                    return Failed(ui.Text("speechBubbles", "cssErrorText"), ui.Text("speechBubbles", "cssErrorHeader"),
                                    new FileSecurityException("File '" + filename + "' is not a valid stylesheet file."));
    
                svce.SaveStylesheet(stylesheet);
            }
            catch (Exception e)
            {
                return Failed(ui.Text("speechBubbles", "cssErrorText"), ui.Text("speechBubbles", "cssErrorHeader"), e);
            }
    
            return Success(ui.Text("speechBubbles", "cssSavedText"), ui.Text("speechBubbles", "cssSavedHeader"),
                new
                {
                    path = DeepLink.GetTreePathFromFilePath(stylesheet.Path),
                    name = stylesheet.Path,
                    url = stylesheet.VirtualPath,
                    contents = stylesheet.Content
                });
        }
    

    Much smaller and looks like it is self contained.

    That said, @UmbracoHQ, how do I fix this.

    We have quite a few sub folders for our CSS files that I would like to edit with through the admin, which is the beauty of using Umbraco for this. I don't want to have to keep uploading files directly to the server if I need to make a quick CSS update to the site. That is just frustrating.

  • Carlos Mosqueda 201 posts 305 karma points
    May 12, 2021 @ 21:13
    Carlos Mosqueda
    0

    @Anybody????

  • Carlos Mosqueda 201 posts 305 karma points
    26 days ago
    Carlos Mosqueda
    0

    Ok, so I got an answer from Sebastian on GitHub.

    So it was broken for the greater good. Security issues and they aren't going to fix it because U7 is in maintenance mode, which I get.

    No direct solution at this time. So either I have to edit and upload the files to the folders directly to the server or I can change all my references in every subsite that uses these stylesheets in their respecitve organized folders if I want to edit them via the Umbraco admin interface. Not ideal but understandable.
    Otherwise I need to write some custom code for the core, rebuild and redeploy to my server which could potentially bring back a security risk. Bummer in any case.

Please Sign in or register to post replies

Write your reply to:

Draft