Correct HTML and JavaScript encoding of <link> and <script> attribute values

src/Microsoft.AspNetCore.Mvc.TagHelpers/LinkTagHelper.cs

@@ -4,14 +4,12 @@
 using System;
 using System.Collections.Generic;
 using System.Diagnostics;
-using System.Text;
 using System.Text.Encodings.Web;
 using Microsoft.AspNetCore.Hosting;
 using Microsoft.AspNetCore.Mvc.Razor.TagHelpers;
 using Microsoft.AspNetCore.Mvc.Rendering;
 using Microsoft.AspNetCore.Mvc.Routing;
 using Microsoft.AspNetCore.Mvc.TagHelpers.Internal;
-using Microsoft.AspNetCore.Mvc.ViewFeatures;
 using Microsoft.AspNetCore.Razor.TagHelpers;
 using Microsoft.Extensions.Caching.Memory;
 
@@ -362,15 +360,21 @@ private void AppendFallbackHrefs(TagHelperContent builder, IReadOnlyList<string>
                     firstAdded = true;
                 }
 
-                // fallbackHrefs come from bound attributes and globbing. Must always be non-null.
+                // fallbackHrefs come from bound attributes (a C# context) and globbing. Must always be non-null.
                 Debug.Assert(fallbackHrefs[i] != null);
+
                 var valueToWrite = fallbackHrefs[i];
                 if (AppendVersion == true)
                 {
                     valueToWrite = _fileVersionProvider.AddFileVersionToPath(fallbackHrefs[i]);
                 }
 
-                builder.AppendHtml(JavaScriptEncoder.Encode(valueToWrite));
+                // Must HTML-encode the href attribute value to ensure the written <link/> element is valid. Must also
+                // JavaScript-encode that value to ensure the doc.write() statement is valid.
+                valueToWrite = HtmlEncoder.Encode(valueToWrite);
+                valueToWrite = JavaScriptEncoder.Encode(valueToWrite);
+
+                builder.AppendHtml(valueToWrite);
                 builder.AppendHtml("\"");
             }
             builder.AppendHtml("]);");

src/Microsoft.AspNetCore.Mvc.TagHelpers/ScriptTagHelper.cs

@@ -3,8 +3,11 @@
 
 using System;
 using System.Diagnostics;
+using System.IO;
 using System.Text.Encodings.Web;
 using Microsoft.AspNetCore.Hosting;
+using Microsoft.AspNetCore.Html;
+using Microsoft.AspNetCore.Mvc.Razor;
 using Microsoft.AspNetCore.Mvc.Razor.TagHelpers;
 using Microsoft.AspNetCore.Mvc.Rendering;
 using Microsoft.AspNetCore.Mvc.Routing;
@@ -39,6 +42,7 @@ public class ScriptTagHelper : UrlResolutionTagHelper
         private const string AppendVersionAttributeName = "asp-append-version";
         private static readonly Func<Mode, Mode, int> Compare = (a, b) => a - b;
         private FileVersionProvider _fileVersionProvider;
+        private StringWriter _stringWriter;
 
         private static readonly ModeAttributes<Mode>[] ModeDetails = new[] {
             // Regular src with file version alone
@@ -174,6 +178,20 @@ public override int Order
         // Internal for ease of use when testing.
         protected internal GlobbingUrlBuilder GlobbingUrlBuilder { get; set; }
 
+        // Shared writer for determining the string content of a TagHelperAttribute's Value.
+        private StringWriter StringWriter
+        {
+            get
+            {
+                if (_stringWriter == null)
+                {
+                    _stringWriter = new StringWriter();
+                }
+
+                return _stringWriter;
+            }
+        }
+
         /// <inheritdoc />
         public override void Process(TagHelperContext context, TagHelperOutput output)
         {
@@ -300,7 +318,7 @@ private void BuildFallbackBlock(TagHelperAttributeList attributes, DefaultTagHel
                         if (!attribute.Name.Equals(SrcAttributeName, StringComparison.OrdinalIgnoreCase))
                         {
                             var encodedKey = JavaScriptEncoder.Encode(attribute.Name);
-                            var attributeValue = attribute.Value.ToString();
+                            var attributeValue = GetAttributeValue(attribute.Value);
                             var encodedValue = JavaScriptEncoder.Encode(attributeValue);
 
                             AppendAttribute(builder, encodedKey, encodedValue, escapeQuotes: true);
@@ -324,6 +342,37 @@ private void BuildFallbackBlock(TagHelperAttributeList attributes, DefaultTagHel
             }
         }
 
+        private string GetAttributeValue(object value)
+        {
+            string stringValue;
+            var htmlEncodedString = value as HtmlEncodedString;
+            if (htmlEncodedString != null)
+            {
+                // Value likely came from an HTML context in the .cshtml file but may still contain double quotes
+                // since attribute could have been enclosed in single quotes.
+                stringValue = htmlEncodedString.Value;
+                if (stringValue.Contains("\""))
+                {
+                    stringValue = stringValue.Replace("\"", "&quot;");
+                }
+            }
+            else
+            {
+                var writer = StringWriter;
+                RazorPage.WriteTo(writer, HtmlEncoder, value);
+
+                // Value is now correctly HTML-encoded but may still contain double quotes since attribute could
+                // have been enclosed in single quotes and portions that were HtmlEncodedStrings are not re-encoded.
+                var builder = writer.GetStringBuilder();
+                builder.Replace("\"", "&quot;");
+
+                stringValue = builder.ToString();
+                builder.Clear();
+            }
+
+            return stringValue;
+        }
+
         private void AppendEncodedVersionedSrc(
             string srcName,
             string srcValue,
@@ -337,6 +386,10 @@ private void AppendEncodedVersionedSrc(
 
             if (generateForDocumentWrite)
             {
+                // srcValue comes from a C# context and globbing. Must HTML-encode it to ensure the
+                // written <script/> element is valid. Must also JavaScript-encode that value to ensure
+                // the document.write() statement is valid.
+                srcValue = HtmlEncoder.Encode(srcValue);
                 srcValue = JavaScriptEncoder.Encode(srcValue);
             }