This repository was archived by the owner on Dec 14, 2018. It is now read-only.
<link> and <script> tag helpers do not encode correctly #4083
Closed
Description
Some literal text, most obviously in asp-fallback-href and asp-fallback-src values, is not correctly encoded when written into the browser's document.
E.g. (yeah, an intentional obstacle course) in the .cshtml file
<script src="~/blank.js?a=b&c=d"
asp-fallback-src='~/styles/site💩.js?a=<"the" 💩 title>'
asp-fallback-test="false"
data-foo="foo-data2"
title='<"the" 💩 title>'>
// TagHelper script with comment in body, and extra properties.
</script>
generates
<script src="/blank.js?a=b&c=d" data-foo="foo-data2" title="<"the" 💩 title>">
// TagHelper script with comment in body, and extra properties.
</script>
<script>(false||document.write("<script src=\"\/styles\/site\u0026#x1f4a9;.js?a=\u003C\u0022the\u0022 \u0026#x1f4a9; title\u003E\" data-foo=\"foo-data2\" title=\"\u003C\u0022the\u0022 \u0026#x1f4a9; title\u003E\"><\/script>"));</script>
The src attribute w/in the document.write() is correctly JavaScript encoded but the written HTML is
<script src="/styles/site💩.js?a=<"the" 💩 title>" data-foo="foo-data2" title="<"the" 💩 title>"></script>
Note the final src and title attributes contain double quotes and are delimited with double quotes.
Test encoders show the issue directly:
- Main element HTML encodes the src attribute value (src="HtmlEncode[[/blank.js]]"). This is actually overzealous: The original text was src="~/blank.js" and so src="HtmlEncode[[/]]blank.js" was expected.
- Fallback element JavaScript encodes the src attribute value (src=\"JavaScriptEncode[[/styles/site.js]]\") and pretty much every other attribute name and value. But the JavaScript string is written out as HTML and none of it is HTML encoded.
Problems are somewhat less extensive w/ the <link> tag helper because it does not include unknown attributes in the fallback elements. (Might be a separate bug there, not sure.)