This repository has been archived by the owner on Dec 14, 2018. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 2.1k
Correct HTML and JavaScript encoding of <link>
and <script>
attribute values
#4272
Closed
Closed
Changes from all commits
Commits
File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -3,8 +3,11 @@ | |
|
||
using System; | ||
using System.Diagnostics; | ||
using System.IO; | ||
using System.Text.Encodings.Web; | ||
using Microsoft.AspNetCore.Hosting; | ||
using Microsoft.AspNetCore.Html; | ||
using Microsoft.AspNetCore.Mvc.Razor; | ||
using Microsoft.AspNetCore.Mvc.Razor.TagHelpers; | ||
using Microsoft.AspNetCore.Mvc.Rendering; | ||
using Microsoft.AspNetCore.Mvc.Routing; | ||
|
@@ -39,6 +42,7 @@ public class ScriptTagHelper : UrlResolutionTagHelper | |
private const string AppendVersionAttributeName = "asp-append-version"; | ||
private static readonly Func<Mode, Mode, int> Compare = (a, b) => a - b; | ||
private FileVersionProvider _fileVersionProvider; | ||
private StringWriter _stringWriter; | ||
|
||
private static readonly ModeAttributes<Mode>[] ModeDetails = new[] { | ||
// Regular src with file version alone | ||
|
@@ -174,6 +178,20 @@ public override int Order | |
// Internal for ease of use when testing. | ||
protected internal GlobbingUrlBuilder GlobbingUrlBuilder { get; set; } | ||
|
||
// Shared writer for determining the string content of a TagHelperAttribute's Value. | ||
private StringWriter StringWriter | ||
{ | ||
get | ||
{ | ||
if (_stringWriter == null) | ||
{ | ||
_stringWriter = new StringWriter(); | ||
} | ||
|
||
return _stringWriter; | ||
} | ||
} | ||
|
||
/// <inheritdoc /> | ||
public override void Process(TagHelperContext context, TagHelperOutput output) | ||
{ | ||
|
@@ -300,7 +318,7 @@ private void BuildFallbackBlock(TagHelperAttributeList attributes, DefaultTagHel | |
if (!attribute.Name.Equals(SrcAttributeName, StringComparison.OrdinalIgnoreCase)) | ||
{ | ||
var encodedKey = JavaScriptEncoder.Encode(attribute.Name); | ||
var attributeValue = attribute.Value.ToString(); | ||
var attributeValue = GetAttributeValue(attribute.Value); | ||
var encodedValue = JavaScriptEncoder.Encode(attributeValue); | ||
|
||
AppendAttribute(builder, encodedKey, encodedValue, escapeQuotes: true); | ||
|
@@ -324,6 +342,37 @@ private void BuildFallbackBlock(TagHelperAttributeList attributes, DefaultTagHel | |
} | ||
} | ||
|
||
private string GetAttributeValue(object value) | ||
{ | ||
string stringValue; | ||
var htmlEncodedString = value as HtmlEncodedString; | ||
if (htmlEncodedString != null) | ||
{ | ||
// Value likely came from an HTML context in the .cshtml file but may still contain double quotes | ||
// since attribute could have been enclosed in single quotes. | ||
stringValue = htmlEncodedString.Value; | ||
if (stringValue.Contains("\"")) | ||
{ | ||
stringValue = stringValue.Replace("\"", """); | ||
} | ||
} | ||
else | ||
{ | ||
var writer = StringWriter; | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Why not use the property directly? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. 🙈 |
||
RazorPage.WriteTo(writer, HtmlEncoder, value); | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. This |
||
|
||
// Value is now correctly HTML-encoded but may still contain double quotes since attribute could | ||
// have been enclosed in single quotes and portions that were HtmlEncodedStrings are not re-encoded. | ||
var builder = writer.GetStringBuilder(); | ||
builder.Replace("\"", """); | ||
|
||
stringValue = builder.ToString(); | ||
builder.Clear(); | ||
} | ||
|
||
return stringValue; | ||
} | ||
|
||
private void AppendEncodedVersionedSrc( | ||
string srcName, | ||
string srcValue, | ||
|
@@ -337,6 +386,10 @@ private void AppendEncodedVersionedSrc( | |
|
||
if (generateForDocumentWrite) | ||
{ | ||
// srcValue comes from a C# context and globbing. Must HTML-encode it to ensure the | ||
// written <script/> element is valid. Must also JavaScript-encode that value to ensure | ||
// the document.write() statement is valid. | ||
srcValue = HtmlEncoder.Encode(srcValue); | ||
srcValue = JavaScriptEncoder.Encode(srcValue); | ||
} | ||
|
||
|
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This check shouldn't be required. Calling
stringValue.Replace
would no-op if it doesn't have a quote.There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
👌 double-checked the native source and confirmed that.