Exemple #1
        /// <summary>
        /// HTML-encodes a text to make it safe (XSS-free) for displaying in HTML markup. The only exception is
        /// a text that is recognisable as Sense/Net resource editor markup, which is returned unencoded.
        /// </summary>
        /// <param name="text">A text to make HTML-safe</param>
        /// <returns>An HTML encoded text.</returns>
        public static string GetSafeText(string text)
        {
            // Null and empty input both normalise to the empty string.
            if (text == null || text.Length == 0)
            {
                return string.Empty;
            }

            // Resource editor markup is returned as-is: it is expected to hold only our own
            // markup (a link tag) and an already sanitized display text.
            // NOTE(review): this is the only path that skips encoding, so its safety rests
            // entirely on IsEditorMarkup rejecting anything that is not system-generated;
            // confirm it cannot match user-supplied text.
            var isTrustedEditorMarkup = PortalContext.Current.IsResourceEditorAllowed
                                        && SenseNetResourceManager.IsEditorMarkup(text);

            // HtmlEncode protects HTML text content and quoted attribute values; it is not
            // an escaping scheme for script or URL contexts.
            return isTrustedEditorMarkup ? text : HttpUtility.HtmlEncode(text);
        }
Exemple #2
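        /// <summary>
        /// Writes a single breadcrumb item to <paramref name="writer"/>: an anchor when
        /// <paramref name="renderLink"/> is true and the text is not resource editor markup,
        /// otherwise a plain span styled as the active item.
        /// </summary>
        /// <param name="writer">The writer that receives the generated markup.</param>
        /// <param name="href">Link target; expected as a raw (not yet HTML-encoded) value.</param>
        /// <param name="menuText">Display text; made HTML-safe through UITools.GetSafeText.</param>
        /// <param name="renderLink">True to render the item as a link.</param>
        private void RenderBreadCrumbItems(HtmlTextWriter writer, string href, string menuText, bool renderLink)
        {
            var isEditor = PortalContext.Current.IsResourceEditorAllowed && SenseNetResourceManager.IsEditorMarkup(menuText);
            var text     = UITools.GetSafeText(menuText);

            // Every value that lands inside a quoted attribute is attribute-encoded, so a quote
            // or angle bracket in it cannot close the attribute and inject markup.
            var itemCss = System.Web.HttpUtility.HtmlAttributeEncode(ItemCssClass);

            // Editor markup is never wrapped in an anchor, even when a link was requested.
            if (renderLink && !isEditor)
            {
                // NOTE(review): encoding stops attribute breakout only; it does not restrict the
                // URL scheme. If href can come from user-editable content, validate it upstream.
                // Assumes callers pass an unencoded href; a pre-encoded one would be double-encoded.
                var safeHref = System.Web.HttpUtility.HtmlAttributeEncode(href);
                var linkCss  = System.Web.HttpUtility.HtmlAttributeEncode(LinkCssClass);

                writer.Write(string.Format("<a class=\"{0} {1}\" href=\"{2}\"><span>{3}</span></a>", itemCss,
                                           linkCss, safeHref, text));
            }
            else
            {
                var activeCss = System.Web.HttpUtility.HtmlAttributeEncode(ActiveItemCssClass);

                writer.Write(string.Format("<span class=\"{0} {1}\"><span>{2}</span></span>", itemCss,
                                           activeCss, text));
            }
        }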