Blazor Codegen does not escape quotes

dotnet / aspnetcore

ASP.NET Core is a cross-platform .NET framework for building modern cloud-based web applications on Windows, Mac, or Linux.

https://asp.net

MIT License

35.29k stars 9.96k forks source link

Blazor Codegen does not escape quotes #15558

Closed Suchiman closed 4 years ago

Suchiman commented 6 years ago

If you use double quotes inside single quotes in attributes, this will result in broken codegen due to unescaped double quotes inside double quotes. Input:

<input onfocus='alert("Test");' />

Output:

builder.OpenElement(0, "input");
builder.AddAttribute(1, "onfocus", Microsoft.AspNetCore.Blazor.Components.BindMethods.GetEventHandlerValue<Microsoft.AspNetCore.Blazor.UIFocusEventArgs>("alert("Test");"));
builder.CloseElement();

rynowak commented 6 years ago

Ooh that's not good. yeah we need to fix this.

I think issue is probably here: https://github.com/aspnet/Blazor/blob/master/src/Microsoft.AspNetCore.Blazor.Razor.Extensions/BlazorRuntimeNodeWriter.cs#L742

ghost commented 6 years ago

Believe aspnet/AspNetCore#5605 might be a similar issue with double and single quote combinations not being correctly escaped?

SteveSandersonMS commented 5 years ago

Note: for anyone who investigates/fixes this, please also look at aspnet/AspNetCore#5605 at the same time. It might be a separate issue, but most likely affects the same code, so it's worth seeing if both could be addressed in the same fix.

eeevans commented 5 years ago

I took a look at this and I don't think it's in the file you proposed. It is not at runtime and doesn't build. At any rate, I've changed all the lines in there to write "help" instead of content and the file still comes out the same. Do you have another suspicion?

rynowak commented 5 years ago

Well maybe I'm wrong about this bug... but that's the code generator for the build.

eeevans commented 5 years ago

Looked into this some more and saw that it is using Microsoft.AspNetCore.Blazor.Build as package ref so not going to use my changes. I tried removing that and adding project ref and had all kinds of build issues so guess I am not talented enough to resolve this. Ran into issues with npm, webpack, and dotnetstandard version and got past the first 2 but it keeps saying: C:\Program Files\dotnet\sdk\2.1.400\Sdks\Microsoft.NET.Sdk\targets\Microsoft.NET.TargetFrameworkInference.targets(150,5): error NETSDK1045: The current .NET SDK does not support targeting .NET Standard 2.1. Either target .NET Standard 2.0 or lower, or use a version of the .NET SDK that supports .NET Standard 2.1. [C:\Users\Ed\source\repos\Blazor\src\Microsoft.AspNetCore.Blazor.Templates\content\BlazorHosted-CSharp\BlazorHosted-CSharp.Client\BlazorHosted-CSharp.Client.csproj]

I had added code to just replace double-quotes with escaped double-quotes but can't figure out how to get it to use my changes during build.

Sorry

BickelLukas commented 5 years ago

@rynowak I want to take a stab at this. How would one go about debugging the Razor Extensions?

The error happens at build time and not runtime. Is there any way to attach a debugger during the build process so I can take a look at whats going on during compilation?

rynowak commented 5 years ago

The best way to do this is to write a new test and debug that instead.

Add a new test here: https://github.com/aspnet/Blazor/blob/master/test/Microsoft.AspNetCore.Blazor.Build.Test/CodeGenerationTestBase.cs Set generateBaselines: true in the constructor` Run the runtime/designtime code generation tests - you'll see that it will edit the baseline files on disk when run

rynowak commented 5 years ago

Thanks @BickelLukas