Ensure content is HTML encoded

gunndabad · gunndabad · commit e4a858fb9d2b · 2023-05-23T15:12:47.000+01:00
diff --git a/src/GovUk.Frontend.AspNetCore/HtmlGeneration/ComponentGenerator.CharacterCount.cs b/src/GovUk.Frontend.AspNetCore/HtmlGeneration/ComponentGenerator.CharacterCount.cs
@@ -1,3 +1,4 @@
+using System.Text.Encodings.Web;
 using Microsoft.AspNetCore.Html;
 using Microsoft.AspNetCore.Mvc.Rendering;
 using Microsoft.AspNetCore.Mvc.ViewFeatures;
@@ -50,7 +51,7 @@ IHtmlContent GenerateHint()
                 var content = maxWords.HasValue ?
                     $"You can enter up to {maxWords} words" :
                     $"You can enter up to {maxLength} characters";
-                var hintContent = new HtmlString(content);
+                var hintContent = new HtmlString(HtmlEncoder.Default.Encode(content));
 
                 var attributes = countMessageAttributes.ToAttributeDictionary();
                 attributes.MergeCssClass("govuk-character-count__message");
diff --git a/src/GovUk.Frontend.AspNetCore/HtmlGeneration/ComponentGenerator.NotificationBanner.cs b/src/GovUk.Frontend.AspNetCore/HtmlGeneration/ComponentGenerator.NotificationBanner.cs
@@ -1,4 +1,5 @@
 using System;
+using System.Text.Encodings.Web;
 using Microsoft.AspNetCore.Html;
 using Microsoft.AspNetCore.Mvc.Rendering;
 using Microsoft.AspNetCore.Mvc.ViewFeatures;
@@ -43,10 +44,10 @@ public TagBuilder GenerateNotificationBanner(
                 NotificationBannerDefaultSuccessRole :
                 NotificationBannerDefaultRole;
 
-            titleContent ??= new HtmlString(
+            titleContent ??= new HtmlString(HtmlEncoder.Default.Encode(
                 type == NotificationBannerType.Success ?
                     NotificationBannerDefaultSuccessTitle :
-                    NotificationBannerDefaultTitle);
+                    NotificationBannerDefaultTitle));
 
             titleId ??= NotificationBannerDefaultTitleId;
 
diff --git a/src/GovUk.Frontend.AspNetCore/HtmlGeneration/ComponentGenerator.Pagination.cs b/src/GovUk.Frontend.AspNetCore/HtmlGeneration/ComponentGenerator.Pagination.cs
@@ -1,6 +1,7 @@
 using System;
 using System.Collections.Generic;
 using System.Linq;
+using System.Text.Encodings.Web;
 using Microsoft.AspNetCore.Html;
 using Microsoft.AspNetCore.Mvc.Rendering;
 using Microsoft.AspNetCore.Mvc.ViewFeatures;
@@ -67,7 +68,7 @@ public TagBuilder GeneratePagination(
                     title.AddCssClass("govuk-pagination__link-title--decorated");
                 }
 
-                title.InnerHtml.AppendHtml(previous.Text ?? new HtmlString(PaginationDefaultPreviousText));
+                title.InnerHtml.AppendHtml(previous.Text ?? new HtmlString(HtmlEncoder.Default.Encode(PaginationDefaultPreviousText)));
 
                 link.InnerHtml.AppendHtml(title);
 
@@ -187,7 +188,7 @@ public TagBuilder GeneratePagination(
                     title.AddCssClass("govuk-pagination__link-title--decorated");
                 }
 
-                title.InnerHtml.AppendHtml(next.Text ?? new HtmlString(PaginationDefaultNextText));
+                title.InnerHtml.AppendHtml(next.Text ?? new HtmlString(HtmlEncoder.Default.Encode(PaginationDefaultNextText)));
 
                 link.InnerHtml.AppendHtml(title);
 
diff --git a/src/GovUk.Frontend.AspNetCore/TagHelpers/BackLinkTagHelper.cs b/src/GovUk.Frontend.AspNetCore/TagHelpers/BackLinkTagHelper.cs
@@ -1,3 +1,4 @@
+using System.Text.Encodings.Web;
 using System.Threading.Tasks;
 using GovUk.Frontend.AspNetCore.HtmlGeneration;
 using Microsoft.AspNetCore.Html;
@@ -15,7 +16,7 @@ public class BackLinkTagHelper : TagHelper
     {
         internal const string TagName = "govuk-back-link";
 
-        private static readonly HtmlString _defaultContent = new HtmlString(ComponentGenerator.BackLinkDefaultContent);
+        private static readonly HtmlString _defaultContent = new HtmlString(HtmlEncoder.Default.Encode(ComponentGenerator.BackLinkDefaultContent));
 
         private readonly IGovUkHtmlGenerator _htmlGenerator;
 
diff --git a/src/GovUk.Frontend.AspNetCore/TagHelpers/CharacterCountTagHelper.cs b/src/GovUk.Frontend.AspNetCore/TagHelpers/CharacterCountTagHelper.cs
@@ -1,5 +1,6 @@
 using System;
 using System.Collections.Generic;
+using System.Text.Encodings.Web;
 using GovUk.Frontend.AspNetCore.HtmlGeneration;
 using Microsoft.AspNetCore.Html;
 using Microsoft.AspNetCore.Mvc.Rendering;
@@ -246,7 +247,8 @@ TagBuilder GenerateTextArea(bool haveError)
                 var resolvedName = ResolveName();
 
                 var resolvedContent = characterCountContext.Value ??
-                    new HtmlString(AspFor != null ? ModelHelper.GetModelValue(ViewContext!, AspFor.ModelExplorer, AspFor.Name) : string.Empty);
+                    new HtmlString(HtmlEncoder.Default.Encode(
+                        AspFor != null ? ModelHelper.GetModelValue(ViewContext!, AspFor.ModelExplorer, AspFor.Name) ?? string.Empty : string.Empty));
 
                 var resolvedTextAreaAttributes = TextAreaAttributes.ToAttributeDictionary();
                 resolvedTextAreaAttributes.MergeCssClass("govuk-js-character-count");
diff --git a/src/GovUk.Frontend.AspNetCore/TagHelpers/DateInputTagHelper.cs b/src/GovUk.Frontend.AspNetCore/TagHelpers/DateInputTagHelper.cs
@@ -1,6 +1,7 @@
 using System;
 using System.Collections.Generic;
 using System.Diagnostics;
+using System.Text.Encodings.Web;
 using GovUk.Frontend.AspNetCore.HtmlGeneration;
 using GovUk.Frontend.AspNetCore.ModelBinding;
 using Microsoft.AspNetCore.Html;
@@ -268,7 +269,7 @@ DateInputItem CreateDateInputItem(
 
                 var resolvedItemId = contextItem?.Id ?? $"{resolvedId}.{contextItem?.Name ?? defaultName}";
 
-                var resolvedItemLabel = contextItem?.LabelContent ?? new HtmlString(defaultLabel);
+                var resolvedItemLabel = contextItem?.LabelContent ?? new HtmlString(HtmlEncoder.Default.Encode(defaultLabel));
 
                 var resolvedItemHaveError = haveError && (errorItems & errorSource) != 0;
 
diff --git a/src/GovUk.Frontend.AspNetCore/TagHelpers/ErrorMessageTagHelper.cs b/src/GovUk.Frontend.AspNetCore/TagHelpers/ErrorMessageTagHelper.cs
@@ -1,5 +1,6 @@
 using System;
 using System.Diagnostics.CodeAnalysis;
+using System.Text.Encodings.Web;
 using System.Threading.Tasks;
 using GovUk.Frontend.AspNetCore.HtmlGeneration;
 using Microsoft.AspNetCore.Html;
@@ -92,7 +93,7 @@ await output.GetChildContentAsync() :
 
                 if (validationMessage != null)
                 {
-                    resolvedContent = new HtmlString(validationMessage);
+                    resolvedContent = new HtmlString(HtmlEncoder.Default.Encode(validationMessage));
                 }
             }
 
diff --git a/src/GovUk.Frontend.AspNetCore/TagHelpers/ErrorSummaryItemTagHelper.cs b/src/GovUk.Frontend.AspNetCore/TagHelpers/ErrorSummaryItemTagHelper.cs
@@ -2,6 +2,7 @@
 using System.Collections.Generic;
 using System.Diagnostics;
 using System.Linq;
+using System.Text.Encodings.Web;
 using System.Threading.Tasks;
 using GovUk.Frontend.AspNetCore.HtmlGeneration;
 using GovUk.Frontend.AspNetCore.ModelBinding;
@@ -100,7 +101,7 @@ public override async Task ProcessAsync(TagHelperContext context, TagHelperOutpu
                     return;
                 }
 
-                itemContent = new HtmlString(validationMessage);
+                itemContent = new HtmlString(HtmlEncoder.Default.Encode(validationMessage));
             }
 
             string? resolvedHref = null;
diff --git a/src/GovUk.Frontend.AspNetCore/TagHelpers/ErrorSummaryTagHelper.cs b/src/GovUk.Frontend.AspNetCore/TagHelpers/ErrorSummaryTagHelper.cs
@@ -1,3 +1,4 @@
+using System.Text.Encodings.Web;
 using System.Threading.Tasks;
 using GovUk.Frontend.AspNetCore.HtmlGeneration;
 using Microsoft.AspNetCore.Html;
@@ -62,7 +63,7 @@ public override async Task ProcessAsync(TagHelperContext context, TagHelperOutpu
 
             var tagBuilder = _htmlGenerator.GenerateErrorSummary(
                 DisableAutoFocus,
-                errorSummaryContext.Title?.Content ?? new HtmlString(ComponentGenerator.ErrorSummaryDefaultTitle),
+                errorSummaryContext.Title?.Content ?? new HtmlString(HtmlEncoder.Default.Encode(ComponentGenerator.ErrorSummaryDefaultTitle)),
                 errorSummaryContext.Title?.Attributes,
                 errorSummaryContext.Description?.Content,
                 errorSummaryContext.Description?.Attributes,
diff --git a/src/GovUk.Frontend.AspNetCore/TagHelpers/FormErrorSummaryTagHelper.cs b/src/GovUk.Frontend.AspNetCore/TagHelpers/FormErrorSummaryTagHelper.cs
@@ -1,4 +1,5 @@
 using System.Linq;
+using System.Text.Encodings.Web;
 using System.Threading.Tasks;
 using GovUk.Frontend.AspNetCore.HtmlGeneration;
 using Microsoft.AspNetCore.Html;
@@ -75,7 +76,7 @@ public override async Task ProcessAsync(TagHelperContext context, TagHelperOutpu
 
             var errorSummary = _htmlGenerator.GenerateErrorSummary(
                 ComponentGenerator.ErrorSummaryDefaultDisableAutoFocus,
-                titleContent: new HtmlString(ComponentGenerator.ErrorSummaryDefaultTitle),
+                titleContent: new HtmlString(HtmlEncoder.Default.Encode(ComponentGenerator.ErrorSummaryDefaultTitle)),
                 titleAttributes: null,
                 descriptionContent: null,
                 descriptionAttributes: null,
diff --git a/src/GovUk.Frontend.AspNetCore/TagHelpers/FormGroupTagHelperBase.cs b/src/GovUk.Frontend.AspNetCore/TagHelpers/FormGroupTagHelperBase.cs
@@ -1,5 +1,6 @@
 using System;
 using System.Diagnostics.CodeAnalysis;
+using System.Text.Encodings.Web;
 using System.Threading.Tasks;
 using GovUk.Frontend.AspNetCore.HtmlGeneration;
 using Microsoft.AspNetCore.Html;
@@ -129,7 +130,7 @@ private protected virtual TagBuilder CreateTagBuilder(bool haveError, IHtmlConte
 
                 if (validationMessage != null)
                 {
-                    content = new HtmlString(validationMessage);
+                    content = new HtmlString(HtmlEncoder.Default.Encode(validationMessage));
                 }
             }
 
@@ -175,7 +176,7 @@ void AddErrorToFormErrorContext()
 
                 if (description != null)
                 {
-                    content = new HtmlString(description);
+                    content = new HtmlString(HtmlEncoder.Default.Encode(description));
                 }
             }
 
@@ -208,15 +209,15 @@ internal IHtmlContent GenerateLabel(FormGroupContext formGroupContext)
             var attributes = formGroupContext.Label?.Attributes;
 
             var resolvedContent = content ??
-                new HtmlString(ModelHelper.GetDisplayName(ViewContext!, AspFor!.ModelExplorer, AspFor.Name));
+                new HtmlString(HtmlEncoder.Default.Encode(ModelHelper.GetDisplayName(ViewContext!, AspFor!.ModelExplorer, AspFor.Name) ?? string.Empty));
 
             return Generator.GenerateLabel(resolvedIdPrefix, isPageHeading, resolvedContent, attributes);
         }
 
         internal IHtmlContent ResolveFieldsetLegendContent(FormGroupFieldsetContext fieldsetContext)
         {
             var resolvedFieldsetLegendContent = fieldsetContext.Legend?.Content ??
-                (AspFor is not null ? new HtmlString(ModelHelper.GetDisplayName(ViewContext!, AspFor.ModelExplorer, AspFor.Name)) : null);
+                (AspFor is not null ? new HtmlString(HtmlEncoder.Default.Encode(ModelHelper.GetDisplayName(ViewContext!, AspFor.ModelExplorer, AspFor.Name) ?? string.Empty)) : null);
 
             if (resolvedFieldsetLegendContent is null)
             {
diff --git a/src/GovUk.Frontend.AspNetCore/TagHelpers/TextAreaTagHelper.cs b/src/GovUk.Frontend.AspNetCore/TagHelpers/TextAreaTagHelper.cs
@@ -1,4 +1,5 @@
 using System.Collections.Generic;
+using System.Text.Encodings.Web;
 using GovUk.Frontend.AspNetCore.HtmlGeneration;
 using Microsoft.AspNetCore.Html;
 using Microsoft.AspNetCore.Mvc.Rendering;
@@ -134,7 +135,7 @@ TagBuilder GenerateTextArea(bool haveError)
                 var resolvedName = ResolveName();
 
                 var resolvedContent = textAreaContext.Value ??
-                    new HtmlString(AspFor != null ? ModelHelper.GetModelValue(ViewContext!, AspFor.ModelExplorer, AspFor.Name) : string.Empty);
+                    new HtmlString(AspFor != null ? HtmlEncoder.Default.Encode(ModelHelper.GetModelValue(ViewContext!, AspFor.ModelExplorer, AspFor.Name) ?? string.Empty) : string.Empty);
 
                 var resolvedTextAreaAttributes = TextAreaAttributes.ToAttributeDictionary();
                 resolvedTextAreaAttributes.MergeCssClass("govuk-js-textarea");

Original file line number	Diff line number	Diff line change
`@@ -1,5 +1,6 @@`
`1`	`1`	`using System;`
`2`	`2`	`using System.Diagnostics.CodeAnalysis;`
	`3`	`+using System.Text.Encodings.Web;`
`3`	`4`	`using System.Threading.Tasks;`
`4`	`5`	`using GovUk.Frontend.AspNetCore.HtmlGeneration;`
`5`	`6`	`using Microsoft.AspNetCore.Html;`
`@@ -92,7 +93,7 @@ await output.GetChildContentAsync() :`
`92`	`93`
`93`	`94`	`if (validationMessage != null)`
`94`	`95`	`{`
`95`		`- resolvedContent = new HtmlString(validationMessage);`
	`96`	`+ resolvedContent = new HtmlString(HtmlEncoder.Default.Encode(validationMessage));`
`96`	`97`	`}`
`97`	`98`	`}`
`98`	`99`
Original file line number	Diff line number	Diff line change
`@@ -2,6 +2,7 @@`
`2`	`2`	`using System.Collections.Generic;`
`3`	`3`	`using System.Diagnostics;`
`4`	`4`	`using System.Linq;`
	`5`	`+using System.Text.Encodings.Web;`
`5`	`6`	`using System.Threading.Tasks;`
`6`	`7`	`using GovUk.Frontend.AspNetCore.HtmlGeneration;`
`7`	`8`	`using GovUk.Frontend.AspNetCore.ModelBinding;`
`@@ -100,7 +101,7 @@ public override async Task ProcessAsync(TagHelperContext context, TagHelperOutpu`
`100`	`101`	`return;`
`101`	`102`	`}`
`102`	`103`
`103`		`- itemContent = new HtmlString(validationMessage);`
	`104`	`+ itemContent = new HtmlString(HtmlEncoder.Default.Encode(validationMessage));`
`104`	`105`	`}`
`105`	`106`
`106`	`107`	`string? resolvedHref = null;`