This repository has been archived by the owner on Dec 14, 2018. It is now read-only.
Some literal text, most obviously in `asp-fallback-href` and `asp-fallback-src` values, is not correctly encoded when written into the browser's document.
E.g. (yeah, an intentional obstacle course) in the .cshtml file

```html
<script src="~/blank.js?a=b&c=d"
        asp-fallback-src='~/styles/site💩.js?a=<"the" 💩 title>'
        asp-fallback-test="false"
        data-foo="foo-data2"
        title='<"the" 💩 title>'>// TagHelper script with comment in body, and extra properties.</script>
```
generates

```html
<script src="/blank.js?a=b&c=d" data-foo="foo-data2" title="<"the" 💩 title>">// TagHelper script with comment in body, and extra properties.</script><script>(false||document.write("<script src=\"\/styles\/site\u0026#x1f4a9;.js?a=\u003C\u0022the\u0022 \u0026#x1f4a9; title\u003E\" data-foo=\"foo-data2\" title=\"\u003C\u0022the\u0022 \u0026#x1f4a9; title\u003E\"><\/script>"));</script>
```
The src attribute w/in the document.write() is correctly JavaScript encoded but the written HTML is
Note the final src and title attributes contain double quotes and are delimited with double quotes.
Test encoders show the issue directly:

- Main element HTML encodes the `src` attribute value (`src="HtmlEncode[[/blank.js]]"`). This is actually overzealous: the original text was `src="~/blank.js"` and so `src="HtmlEncode[[/]]blank.js"` was expected.
- Fallback element JavaScript encodes the `src` attribute value (`src=\"JavaScriptEncode[[/styles/site.js]]\"`) and pretty much every other attribute name and value. But the JavaScript string is written out as HTML and none of it is HTML encoded.
Problems are somewhat less extensive w/ the <link> tag helper because it does not include unknown attributes in the fallback elements. (Might be a separate bug there, not sure.)
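The encoding order the report describes, as an added example (not code from the aspnet/Mvc issue or the tag helpers themselves): the fallback `document.write` payload is built once with JavaScript encoding only and once with HTML attribute encoding applied first, then each is decoded the way the browser would, to show that only the second keeps the double quotes from breaking out of the attribute. The function names and the simplified encoders are assumptions, not the framework's own.

```javascript
// Added example (not code from the aspnet/Mvc issue or its fix). The encoders
// below are simplified stand-ins for the framework's HTML and JavaScript encoders.
const HTML_ATTR_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

// HTML attribute encoder: makes a value safe inside a double-quoted attribute.
function htmlAttributeEncode(value) {
  return value.replace(/[&<>"']/g, (ch) => HTML_ATTR_MAP[ch]);
}

// JavaScript string-literal encoder: makes text safe inside a double-quoted JS
// string; "/" is escaped too so "</script>" cannot close the surrounding block.
function javaScriptStringEncode(value) {
  return value.replace(/[\\"'<>&\/]/g, (ch) => {
    if (ch === '\\') return '\\\\';
    if (ch === '/') return '\\/';
    return '\\u' + ch.charCodeAt(0).toString(16).toUpperCase().padStart(4, '0');
  });
}

// Assemble the fallback <script> element, running encodeValue over every value.
function buildFallbackHtml(src, attrs, encodeValue) {
  let html = '<script src="' + encodeValue(src) + '"';
  for (const [name, value] of Object.entries(attrs)) {
    html += ' ' + name + '="' + encodeValue(value) + '"';
  }
  return html + '></script>';
}

// Buggy order (as reported): only JavaScript-encode the assembled HTML string.
function buildFallbackBuggy(src, attrs) {
  const html = buildFallbackHtml(src, attrs, (v) => v);
  return 'document.write("' + javaScriptStringEncode(html) + '");';
}

// Hardened order: HTML-attribute-encode each value, then JavaScript-encode the
// whole fragment so it survives the trip through the JS string literal.
function buildFallbackHardened(src, attrs) {
  const html = buildFallbackHtml(src, attrs, htmlAttributeEncode);
  return 'document.write("' + javaScriptStringEncode(html) + '");';
}

// What the browser does with the literal: undo the JS escapes (left to right)
// to recover the HTML that document.write() really inserts into the document.
function htmlWrittenByBrowser(snippet) {
  const literal = snippet.slice('document.write("'.length, -'");'.length);
  return literal.replace(/\\(u[0-9A-Fa-f]{4}|.)/g, (_, esc) =>
    esc.length === 5 ? String.fromCharCode(parseInt(esc.slice(1), 16)) : esc);
}

const TITLE = '<"the" 💩 title>'; // constructed input mirroring the issue's title attribute
console.log(htmlWrittenByBrowser(buildFallbackBuggy('/styles/site.js', { title: TITLE })));
console.log(htmlWrittenByBrowser(buildFallbackHardened('/styles/site.js', { title: TITLE })));
```

The first line printed contains `title="<"the" 💩 title>"`, where the inner quotes terminate the attribute early; the second contains `title="&lt;&quot;the&quot; 💩 title&gt;"`, which the browser decodes back to the intended text.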
…bute values
- #4083
- `<link>` tag helper did not HTML encode `href` values in fallback elements
- `<script>` tag helper did not correctly encode any attribute value in fallback elements
- e.g. double quotes in literal strings would slip through
- only needed to change one existing unit test (!!); so added a bunch
nit: use `Process()`, not `ProcessAsync()` in `<script>` tag helper tests