adoconnection / RazorEngineCore

.NET6 Razor Template Engine
MIT License
565 stars 84 forks

Get rid of System.Web dependency #132

Open kinguru opened 1 year ago

kinguru commented 1 year ago

Dear Alexander, could you please add the Raw example using "System.Net.WebUtility.HtmlEncode", as it is recommended for use in non-web projects. System.Web is not even available in non-web projects, so I can't encode using the current Raw sample.

adoconnection commented 1 year ago

Hi, it's a bit tricky, as System.Net.WebUtility has HtmlEncode but does not have HtmlAttributeEncode. It uses an unsafe call of System.Web.Util.HttpEncoder.HtmlAttributeEncodeInternal with the following code:

        internal static string HtmlAttributeEncode(string value)
        {
            if (string.IsNullOrEmpty(value) || HttpEncoder.IndexOfHtmlAttributeEncodingChars(value, 0) == -1)
                return value;
            StringWriter output = new StringWriter((IFormatProvider)CultureInfo.InvariantCulture);
            HttpEncoder.HtmlAttributeEncode(value, (TextWriter)output);
            return output.ToString();
        }

        internal static void HtmlAttributeEncode(string value, TextWriter output)
        {
            if (value == null)
                return;
            if (output == null)
                throw new ArgumentNullException(nameof(output));
            HttpEncoder.HtmlAttributeEncodeInternal(value, output);
        }

        private static unsafe void HtmlAttributeEncodeInternal(string s, TextWriter output)
        {
            int num1 = HttpEncoder.IndexOfHtmlAttributeEncodingChars(s, 0);
            if (num1 == -1)
            {
                output.Write(s);
            }
            else
            {
                int num2 = s.Length - num1;
                IntPtr num3;
                if (s == null)
                {
                    num3 = IntPtr.Zero;
                }
                else
                {
                    fixed (char* chPtr = &s.GetPinnableReference())
                        num3 = (IntPtr)chPtr;
                }
                char* chPtr1 = (char*)num3;
                while (num1-- > 0)
                    output.Write(*chPtr1++);
                while (num2-- > 0)
                {
                    char ch = *chPtr1++;
                    if (ch <= '<')
                    {
                        if (ch <= '&')
                        {
                            if (ch != '"')
                            {
                                if (ch == '&')
                                {
                                    output.Write("&amp;");
                                    continue;
                                }
                            }
                            else
                            {
                                output.Write("&quot;");
                                continue;
                            }
                        }
                        else if (ch != '\'')
                        {
                            if (ch == '<')
                            {
                                output.Write("&lt;");
                                continue;
                            }
                        }
                        else
                        {
                            output.Write("&#39;");
                            continue;
                        }
                        output.Write(ch);
                    }
                    else
                        output.Write(ch);
                }
                // ISSUE: fixed variable is out of scope
                // ISSUE: __unpin statement
                __unpin(chPtr);
            }
        }

I'm surprised they use unsafe in this function. I think we should update this code to safe calls and include it in RazorEngineCore.

HtmlEncode already uses WebUtility.HtmlEncode:

        internal static string HtmlEncode(string value) => !string.IsNullOrEmpty(value) ? WebUtility.HtmlEncode(value) : value;

        internal static void HtmlEncode(string value, TextWriter output)
        {
            if (output == null)
                throw new ArgumentNullException(nameof(output));
            output.Write(WebUtility.HtmlEncode(value));
        }

kinguru commented 1 year ago

Thank you, currently I've used your library without Raw, so I'm assuming all are raw. But I'm looking forward to updates.
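
The attribute encoder discussed above can be written without `unsafe` or any System.Web reference. The following is an added example, not code from the thread or from RazorEngineCore; the class name `SafeAttributeEncoder` and the sample input are assumptions made for illustration. It rewrites the same four characters as the decompiled routine (`"`, `&`, `<`, `'`) and leaves `>` untouched, as that routine does.

```csharp
using System;
using System.Text;

// Hypothetical helper: name and placement are assumptions, not RazorEngineCore code.
public static class SafeAttributeEncoder
{
    // The four characters the decompiled System.Web routine rewrites.
    private static readonly char[] Special = { '"', '&', '<', '\'' };

    public static string HtmlAttributeEncode(string value)
    {
        if (string.IsNullOrEmpty(value))
            return value;

        int first = value.IndexOfAny(Special);
        if (first == -1)
            return value; // fast path: nothing to encode, no allocation

        var sb = new StringBuilder(value.Length + 16);
        sb.Append(value, 0, first); // copy the clean prefix unchanged
        for (int i = first; i < value.Length; i++)
        {
            char ch = value[i];
            switch (ch)
            {
                case '"':  sb.Append("&quot;"); break;
                case '&':  sb.Append("&amp;");  break;
                case '<':  sb.Append("&lt;");   break;
                case '\'': sb.Append("&#39;");  break;
                default:   sb.Append(ch);       break;
            }
        }
        return sb.ToString();
    }

    public static void Main()
    {
        // Constructed sample value containing every character that gets rewritten.
        string input = "5\" <wide> & 'tall'";
        // The encoded value is only safe inside a quoted attribute.
        Console.WriteLine("<td title=\"" + HtmlAttributeEncode(input) + "\">");
    }
}
```

Because `>` and whitespace pass through unchanged, the result must always be placed between quotes in the attribute; an unquoted attribute would still be terminated by a space in the value.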