Fix attribute encoding for new component generation

Author: gunndabad

.github/workflows/ci.yml

@@ -5,6 +5,7 @@ on:
     branches:
     - dev
     - main
+    - v*
     tags:
     - v*
     paths-ignore:

CHANGELOG.md

@@ -1,5 +1,12 @@
 # Changelog
 
+## 2.8.1
+
+### Fixes
+
+#### Attribute encoding
+Newly-refactored tag helpers now correctly encode their attributes.
+
 ## 2.8.0
 
 Targets GOV.UK Frontend v5.8.0.

src/GovUk.Frontend.AspNetCore/ComponentGeneration/ButtonOptions.cs

@@ -6,7 +6,7 @@ namespace GovUk.Frontend.AspNetCore.ComponentGeneration;
 
 public record ButtonOptions
 {
-    public IHtmlContent? Element { get; set; }
+    public string? Element { get; set; }
     public IHtmlContent? Html { get; set; }
     public string? Text { get; set; }
     public IHtmlContent? Name { get; set; }
@@ -22,14 +22,12 @@ public record ButtonOptions
 
     internal void Validate()
     {
-        var elementStr = Element?.ToHtmlString();
-
-        if (elementStr is not null && elementStr != "a" && elementStr != "button" && elementStr != "input")
+        if (Element is not null && Element != "a" && Element != "button" && Element != "input")
         {
             throw new InvalidOptionsException(GetType(), $"{nameof(Element)} must be 'a', 'button', or 'input'.");
         }
 
-        if (elementStr == "input" && IsStartButton == true)
+        if (Element == "input" && IsStartButton == true)
         {
             throw new InvalidOptionsException(GetType(), $"{nameof(IsStartButton)} cannot be specified for 'input' elements.");
         }
@@ -39,12 +37,12 @@ internal void Validate()
             throw new InvalidOptionsException(GetType(), $"{nameof(PreventDoubleClick)} can only be specified for 'button' or 'input' elements.");
         }
 
-        if (elementStr == "a" && Disabled is not null)
+        if (Element == "a" && Disabled is not null)
         {
             throw new InvalidOptionsException(GetType(), $"{nameof(Disabled)} cannot be specified for 'a' elements.");
         }
 
-        if (Html.NormalizeEmptyString() is not null && elementStr == "input")
+        if (Html.NormalizeEmptyString() is not null && Element == "input")
         {
             throw new InvalidOptionsException(GetType(), $"{nameof(Html)} cannot be specified for 'input' elements.");
         }
@@ -56,5 +54,5 @@ internal void Validate()
     }
 
     internal string GetElement() =>
-        Element?.ToHtmlString().NormalizeEmptyString() ?? (Href.NormalizeEmptyString() is not null ? "a" : "button");
+        Element?.NormalizeEmptyString() ?? (Href.NormalizeEmptyString() is not null ? "a" : "button");
 }

src/GovUk.Frontend.AspNetCore/TagHelpers/BreadcrumbsTagHelper.cs

@@ -66,7 +66,7 @@ public override async Task ProcessAsync(TagHelperContext context, TagHelperOutpu
             Classes = classes,
             Attributes = attributes,
             Items = breadcrumbsContext.Items,
-            LabelText = LabelText.ToHtmlContent()
+            LabelText = LabelText.EncodeHtml()
         });
 
         component.WriteTo(output);

src/GovUk.Frontend.AspNetCore/TagHelpers/CharacterCountTagHelper.cs

@@ -253,7 +253,7 @@ public override async Task ProcessAsync(TagHelperContext context, TagHelperOutpu
             await output.GetChildContentAsync();
         }
 
-        var name = ResolveName();
+        var name = ResolveNameUnencoded();
         var id = ResolveId(name);
         var value = ResolveValue(characterCountContext);
         var labelOptions = characterCountContext.GetLabelOptions(AspFor, ViewContext!, _modelHelper, id, AspForAttributeName);
@@ -278,7 +278,7 @@ public override async Task ProcessAsync(TagHelperContext context, TagHelperOutpu
 
         if (Autocomplete is not null)
         {
-            attributes.Add("autocomplete", Autocomplete!.ToHtmlContent()!);
+            attributes.Add("autocomplete", Autocomplete!.EncodeHtml());
         }
 
         if (Disabled)
@@ -293,7 +293,7 @@ public override async Task ProcessAsync(TagHelperContext context, TagHelperOutpu
         var component = _componentGenerator.GenerateCharacterCount(new CharacterCountOptions
         {
             Id = id,
-            Name = name,
+            Name = name.EncodeHtml(),
             Rows = Rows,
             Value = value,
             MaxLength = MaxLength,
@@ -325,21 +325,21 @@ public override async Task ProcessAsync(TagHelperContext context, TagHelperOutpu
         if (errorMessageOptions is not null && context.TryGetContextItem<ContainerErrorContext>(out var containerErrorContext))
         {
             Debug.Assert(errorMessageOptions.Html is not null);
-            containerErrorContext.AddError(errorMessageOptions.Html!, href: new HtmlString("#" + id));
+            containerErrorContext.AddError(errorMessageOptions.Html!, href: new HtmlString("#" + id.ToHtmlString()));
         }
     }
 
-    private IHtmlContent ResolveId(IHtmlContent name)
+    private IHtmlContent ResolveId(string nameUnencoded)
     {
         if (Id is not null)
         {
-            return new HtmlString(Id);
+            return Id.EncodeHtml();
         }
 
-        return new HtmlString(TagBuilder.CreateSanitizedId(name.ToHtmlString(), Constants.IdAttributeDotReplacement));
+        return TagBuilder.CreateSanitizedId(nameUnencoded, Constants.IdAttributeDotReplacement).EncodeHtml();
     }
 
-    private IHtmlContent ResolveName()
+    private string ResolveNameUnencoded()
     {
         if (Name is null && AspFor is null)
         {
@@ -348,7 +348,7 @@ private IHtmlContent ResolveName()
                 AspForAttributeName);
         }
 
-        return new HtmlString(Name ?? _modelHelper.GetFullHtmlFieldName(ViewContext!, AspFor!.Name));
+        return Name ?? _modelHelper.GetFullHtmlFieldName(ViewContext!, AspFor!.Name);
     }
 
     private IHtmlContent? ResolveValue(CharacterCountContext characterCountContext)
@@ -358,6 +358,6 @@ private IHtmlContent ResolveName()
             return characterCountContext.Value;
         }
 
-        return AspFor != null ? new HtmlString(_modelHelper.GetModelValue(ViewContext!, AspFor.ModelExplorer, AspFor.Name)) : null;
+        return AspFor != null ? _modelHelper.GetModelValue(ViewContext!, AspFor.ModelExplorer, AspFor.Name).EncodeHtml() : null;
     }
 }

src/GovUk.Frontend.AspNetCore/TagHelpers/ErrorMessageTagHelper.cs

@@ -98,7 +98,7 @@ await output.GetChildContentAsync() :
 
             if (validationMessage != null)
             {
-                resolvedContent = new HtmlString(HtmlEncoder.Default.Encode(validationMessage));
+                resolvedContent = validationMessage.EncodeHtml();
             }
         }
 

src/GovUk.Frontend.AspNetCore/TagHelpers/Extensions.cs

@@ -0,0 +1,12 @@
+using System.Diagnostics.CodeAnalysis;
+using System.Text.Encodings.Web;
+using Microsoft.AspNetCore.Html;
+
+namespace GovUk.Frontend.AspNetCore.TagHelpers;
+
+internal static class Extensions
+{
+    [return: NotNullIfNotNull(nameof(value))]
+    public static IHtmlContent? EncodeHtml(this string? value) =>
+        value is not null ? new HtmlString(HtmlEncoder.Default.Encode(value)) : null;
+}

src/GovUk.Frontend.AspNetCore/TagHelpers/FormGroupErrorMessageTagHelper.cs

@@ -67,7 +67,7 @@ private protected virtual void SetErrorMessage(TagHelperContent? childContent, T
         else if (context.TryGetContextItem<FormGroupContext2>(out var formGroupContext2))
         {
             formGroupContext2.SetErrorMessage(
-                VisuallyHiddenText.ToHtmlContent(),
+                VisuallyHiddenText.EncodeHtml(),
                 new EncodedAttributesDictionary(output.Attributes),
                 childContent?.Snapshot(),
                 output.TagName);

src/GovUk.Frontend.AspNetCore/TagHelpers/TagHelperExtensions.cs

@@ -226,7 +226,7 @@ public override async Task ProcessAsync(TagHelperContext context, TagHelperOutpu
             await output.GetChildContentAsync();
         }
 
-        var name = ResolveName();
+        var name = ResolveNameUnencoded();
         var id = ResolveId(name);
         var value = ResolveValue();
         var labelOptions = textInputContext.GetLabelOptions(AspFor, ViewContext!, _modelHelper, id, AspForAttributeName);
@@ -258,23 +258,23 @@ public override async Task ProcessAsync(TagHelperContext context, TagHelperOutpu
         var component = _componentGenerator.GenerateTextInput(new TextInputOptions()
         {
             Id = id,
-            Name = name,
-            Type = Type.ToHtmlContent(),
-            Inputmode = InputMode.ToHtmlContent(),
+            Name = name.EncodeHtml(),
+            Type = Type.EncodeHtml(),
+            Inputmode = InputMode.EncodeHtml(),
             Value = value,
             Disabled = Disabled,
-            DescribedBy = DescribedBy.ToHtmlContent(),
+            DescribedBy = DescribedBy.EncodeHtml(),
             Label = labelOptions,
             Hint = hintOptions,
             ErrorMessage = errorMessageOptions,
             Prefix = prefixOptions,
             Suffix = suffixOptions,
             FormGroup = formGroupOptions,
             Classes = classes,
-            Autocomplete = Autocomplete.ToHtmlContent(),
-            Pattern = Pattern.ToHtmlContent(),
+            Autocomplete = Autocomplete.EncodeHtml(),
+            Pattern = Pattern.EncodeHtml(),
             Spellcheck = Spellcheck,
-            Autocapitalize = Autocapitalize.ToHtmlContent(),
+            Autocapitalize = Autocapitalize.EncodeHtml(),
             InputWrapper = new TextInputOptionsInputWrapper()
             {
                 Classes = inputWrapperClasses,
@@ -288,21 +288,21 @@ public override async Task ProcessAsync(TagHelperContext context, TagHelperOutpu
         if (errorMessageOptions is not null && context.TryGetContextItem<ContainerErrorContext>(out var containerErrorContext))
         {
             Debug.Assert(errorMessageOptions.Html is not null);
-            containerErrorContext.AddError(errorMessageOptions.Html!, href: new HtmlString("#" + id));
+            containerErrorContext.AddError(errorMessageOptions.Html!, href: new HtmlString("#" + id.ToHtmlString()));
         }
     }
 
-    private IHtmlContent ResolveId(IHtmlContent name)
+    private IHtmlContent ResolveId(string nameUnencoded)
     {
         if (Id is not null)
         {
             return new HtmlString(Id);
         }
 
-        return new HtmlString(TagBuilder.CreateSanitizedId(name.ToHtmlString(), Constants.IdAttributeDotReplacement));
+        return TagBuilder.CreateSanitizedId(nameUnencoded, Constants.IdAttributeDotReplacement).EncodeHtml();
     }
 
-    private IHtmlContent ResolveName()
+    private string ResolveNameUnencoded()
     {
         if (Name is null && AspFor is null)
         {
@@ -311,16 +311,16 @@ private IHtmlContent ResolveName()
                 AspForAttributeName);
         }
 
-        return new HtmlString(Name ?? _modelHelper.GetFullHtmlFieldName(ViewContext!, AspFor!.Name));
+        return Name ?? _modelHelper.GetFullHtmlFieldName(ViewContext!, AspFor!.Name);
     }
 
     private IHtmlContent? ResolveValue()
     {
         if (_valueSpecified)
         {
-            return new HtmlString(_value);
+            return _value.EncodeHtml();
         }
 
-        return AspFor != null ? new HtmlString(_modelHelper.GetModelValue(ViewContext!, AspFor.ModelExplorer, AspFor.Name)) : null;
+        return AspFor != null ? _modelHelper.GetModelValue(ViewContext!, AspFor.ModelExplorer, AspFor.Name).EncodeHtml() : null;
     }
 }