This repository has been archived by the owner on Dec 14, 2018. It is now read-only.

<link> and <script> tag helpers do not encode correctly #4083

Closed
dougbu opened this issue Feb 12, 2016 · 1 comment

dougbu commented Feb 12, 2016

Some literal text, most obviously in asp-fallback-href and asp-fallback-src values, is not correctly encoded when written into the browser's document.

E.g. (yeah, an intentional obstacle course) in the .cshtml file

    <script src="~/blank.js?a=b&c=d"
            asp-fallback-src='~/styles/site&#x1f4a9;.js?a=<"the" &#x1f4a9; title>'
            asp-fallback-test="false"
            data-foo="foo-data2"
            title='<"the" &#x1f4a9; title>'>
        // TagHelper script with comment in body, and extra properties.
    </script>

generates

    <script src="/blank.js?a=b&amp;c=d" data-foo="foo-data2" title="<&quot;the&quot; &#x1f4a9; title>">
        // TagHelper script with comment in body, and extra properties.
    </script>
    <script>(false||document.write("<script src=\"\/styles\/site\u0026#x1f4a9;.js?a=\u003C\u0022the\u0022 \u0026#x1f4a9; title\u003E\" data-foo=\"foo-data2\" title=\"\u003C\u0022the\u0022 \u0026#x1f4a9; title\u003E\"><\/script>"));</script>

The src attribute w/in the document.write() is correctly JavaScript encoded but the written HTML is

<script src="/styles/site&#x1f4a9;.js?a=<"the" &#x1f4a9; title>" data-foo="foo-data2" title="<"the" &#x1f4a9; title>"></script>

Note the final src and title attributes contain double quotes and are delimited with double quotes.

Test encoders show the issue directly

  • Main element HTML encodes the src attribute value (src="HtmlEncode[[/blank.js]]"). This is actually overzealous: The original text was src="~/blank.js" and so src="HtmlEncode[[/]]blank.js" was expected.
  • Fallback element JavaScript encodes the src attribute value (src=\"JavaScriptEncode[[/styles/site.js]]\") and pretty much every other attribute name and value. But the JavaScript string is written out as HTML and none of it is HTML encoded.

Problems are somewhat less extensive w/ the <link> tag helper because it does not include unknown attributes in the fallback elements. (Might be a separate bug there, not sure.)
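The nested-context problem described above, as an added JavaScript illustration that is not part of the original post and not MVC's code: a fallback element emitted through `document.write()` passes through a JavaScript string literal and then an HTML parser, so its attribute values need HTML attribute encoding first and JavaScript string encoding second. All helper names are hypothetical, and the `src` value is a shortened, constructed form of the one in the issue.

```javascript
// Added illustration; helper names are hypothetical, not MVC APIs.

// Layer 1: HTML attribute encoding, so the value cannot end its own quotes.
function htmlAttrEncode(s) {
  return s.replace(/[&<>"']/g, c => "&#x" + c.charCodeAt(0).toString(16) + ";");
}

// Layer 2: JavaScript string encoding, \uXXXX for everything outside a safe set.
function jsStringEncode(s) {
  return s.replace(/[^A-Za-z0-9 .,_=-]/g,
    c => "\\u" + c.charCodeAt(0).toString(16).padStart(4, "0"));
}

// Build the fallback statement. htmlEncodeFirst=false reproduces the reported
// behaviour (JavaScript encoding only); true applies both layers in order.
function buildFallback(src, htmlEncodeFirst) {
  const value = htmlEncodeFirst ? htmlAttrEncode(src) : src;
  const html = '<script src="' + value + '"></script>';
  return 'document.write("' + jsStringEncode(html) + '");';
}

// What the browser hands to the HTML parser: the decoded string literal.
// JSON.parse is enough here because the literal only contains \uXXXX escapes.
function writtenHtml(statement) {
  const literal = statement.slice("document.write(".length, -2); // keeps quotes
  return JSON.parse(literal);
}

// Minimal stand-in for the HTML parser: a double-quoted attribute value ends
// at the next double quote, then numeric character references are decoded.
function parsedSrc(html) {
  const start = html.indexOf('src="') + 5;
  const raw = html.slice(start, html.indexOf('"', start));
  return raw.replace(/&#x([0-9a-f]+);/gi,
    (_, hex) => String.fromCodePoint(parseInt(hex, 16)));
}

// Constructed sample value, shortened from the issue's asp-fallback-src.
const sampleSrc = '/styles/site.js?a=<"the" title>';

for (const encodeFirst of [false, true]) {
  const html = writtenHtml(buildFallback(sampleSrc, encodeFirst));
  console.log(encodeFirst ? "both layers:" : "JS only:    ", html);
  console.log("  parsed src =", JSON.stringify(parsedSrc(html)));
}
```

With JavaScript encoding alone the parsed `src` is cut off at the first embedded double quote; with both layers it round-trips to the original value.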

Eilon added this to the 1.0.0-rc2 milestone Feb 12, 2016
dougbu added a commit that referenced this issue Mar 11, 2016
…bute values

- #4083
- `<link>` tag helper did not HTML encode `href` values in fallback elements
- `<script>` tag helper did not correctly encode any attribute value in fallback elements
 - e.g. double quotes in literal strings would slip through
- only needed to change one existing unit test (!!); so added a bunch

nit: use `Process()`, not `ProcessAsync()` in `<script>` tag helper tests
dougbu added a commit that referenced this issue Mar 12, 2016
…bute values

- #4083
- `<link>` tag helper did not HTML encode `href` values in fallback elements
- `<script>` tag helper did not correctly encode any attribute value in fallback elements
 - e.g. double quotes in literal strings would slip through
- only needed to change one existing unit test (!!); so added a bunch

nit: use `Process()`, not `ProcessAsync()` in `<script>` tag helper tests

dougbu commented Mar 12, 2016

ffe2d26
