Open kinguru opened 1 year ago
Hi,
its a bit trickey, as System.Net.WebUtility has HtmlEncode
but does not have HtmlAttributeEncode
it uses unsafe call of System.Web.Util.HttpEncoder.HtmlAttributeEncodeInternal
with following code
internal static string HtmlAttributeEncode(string value)
{
if (string.IsNullOrEmpty(value) || HttpEncoder.IndexOfHtmlAttributeEncodingChars(value, 0) == -1)
return value;
StringWriter output = new StringWriter((IFormatProvider)CultureInfo.InvariantCulture);
HttpEncoder.HtmlAttributeEncode(value, (TextWriter)output);
return output.ToString();
}
internal static void HtmlAttributeEncode(string value, TextWriter output)
{
if (value == null)
return;
if (output == null)
throw new ArgumentNullException(nameof(output));
HttpEncoder.HtmlAttributeEncodeInternal(value, output);
}
private static unsafe void HtmlAttributeEncodeInternal(string s, TextWriter output)
{
int num1 = HttpEncoder.IndexOfHtmlAttributeEncodingChars(s, 0);
if (num1 == -1)
{
output.Write(s);
}
else
{
int num2 = s.Length - num1;
IntPtr num3;
if (s == null)
{
num3 = IntPtr.Zero;
}
else
{
fixed (char* chPtr = &s.GetPinnableReference())
num3 = (IntPtr)chPtr;
}
char* chPtr1 = (char*)num3;
while (num1-- > 0)
output.Write(*chPtr1++);
while (num2-- > 0)
{
char ch = *chPtr1++;
if (ch <= '<')
{
if (ch <= '&')
{
if (ch != '"')
{
if (ch == '&')
{
output.Write("&");
continue;
}
}
else
{
output.Write(""");
continue;
}
}
else if (ch != '\'')
{
if (ch == '<')
{
output.Write("<");
continue;
}
}
else
{
output.Write("'");
continue;
}
output.Write(ch);
}
else
output.Write(ch);
}
// ISSUE: fixed variable is out of scope
// ISSUE: __unpin statement
__unpin(chPtr);
}
}
I'm surprised they use unsafe in this function. I think we should upldate this code to safe calls and include in RazorEngineCore.
HtmlEncode already uses WebUtility.HtmlEncode
internal static string HtmlEncode(string value) => !string.IsNullOrEmpty(value) ? WebUtility.HtmlEncode(value) : value;
internal static void HtmlEncode(string value, TextWriter output)
{
if (output == null)
throw new ArgumentNullException(nameof(output));
output.Write(WebUtility.HtmlEncode(value));
}
Thank you, currently I'd used your library without Raw, so assuming all are raw. But looking forward for updates.
Dear Alexander, could you please add the Raw example using "System.Net.WebUtility.HtmlEncode" as it recommended to use in non-web projects. System.Web even not available in a non-web projects so can't encode using current Raw sample.