CVE-2022-29362

An attacker sends a crafted HTTP request to `/navigation/create?ParentID=%23` with a malicious payload in the `ParentID` parameter [ref_id=1]. Because the application does not neutralize user-controllable input before placing it into the generated web page, the injected script executes in the context of another user's browser when they view the affected navigation item [CWE-79]. No authentication or special network position is required beyond access to the CMS backend interface.

The vulnerability exists in the `NavigationService` class within `src/ZKEACMS/Common/Service/NavigationService.cs`. The `Add`, `Update`, `AddRange`, and `UpdateRange` methods did not sanitize the `Title` or `Html` properties of `NavigationEntity` objects before persisting them [patch_id=1702746]. The `ParentID` parameter on the `/navigation/create` endpoint is the injection point [ref_id=1].

The patch injects an `IHtmlSanitizer` dependency into `NavigationService` and calls `_htmlSanitizer.Sanitize()` on both `item.Title` and `item.Html` inside a new private `Santize` method [patch_id=1702746]. This sanitizer is invoked in every `Add`, `AddRange`, `Update`, and `UpdateRange` override before the entity is persisted, stripping or encoding dangerous HTML/script content. The commit message is "Sanitize Html" and references issue #457 [patch_id=1702746][ref_id=3].