Fix attribute encoding for new component generation (#311)

Author: gunndabad

CHANGELOG.md

@@ -9,6 +9,9 @@ The `asp-for` attribute is now obsolete; the `for` attribute should be used in i
 
 ### Fixes
 
+#### Attribute encoding
+Newly-refactored tag helpers now correctly encode their attributes.
+
 #### Source map errors
 The hosted CSS and JavaScript files no longer have source maps.
 Any console errors from browsers failing to download the referenced files should be eliminated.

src/GovUk.Frontend.AspNetCore/ComponentGeneration/ButtonOptions.cs

@@ -6,7 +6,7 @@ namespace GovUk.Frontend.AspNetCore.ComponentGeneration;
 
 public class ButtonOptions
 {
-    public IHtmlContent? Element { get; set; }
+    public string? Element { get; set; }
     public IHtmlContent? Html { get; set; }
     public string? Text { get; set; }
     public IHtmlContent? Name { get; set; }
@@ -22,14 +22,12 @@ public class ButtonOptions
 
     internal void Validate()
     {
-        var elementStr = Element?.ToHtmlString();
-
-        if (elementStr is not null && elementStr != "a" && elementStr != "button" && elementStr != "input")
+        if (Element is not null && Element != "a" && Element != "button" && Element != "input")
         {
             throw new InvalidOptionsException(GetType(), $"{nameof(Element)} must be 'a', 'button', or 'input'.");
         }
 
-        if (elementStr == "input" && IsStartButton == true)
+        if (Element == "input" && IsStartButton == true)
         {
             throw new InvalidOptionsException(GetType(), $"{nameof(IsStartButton)} cannot be specified for 'input' elements.");
         }
@@ -39,12 +37,12 @@ internal void Validate()
             throw new InvalidOptionsException(GetType(), $"{nameof(PreventDoubleClick)} can only be specified for 'button' or 'input' elements.");
         }
 
-        if (elementStr == "a" && Disabled is not null)
+        if (Element == "a" && Disabled is not null)
         {
             throw new InvalidOptionsException(GetType(), $"{nameof(Disabled)} cannot be specified for 'a' elements.");
         }
 
-        if (Html.NormalizeEmptyString() is not null && elementStr == "input")
+        if (Html.NormalizeEmptyString() is not null && Element == "input")
         {
             throw new InvalidOptionsException(GetType(), $"{nameof(Html)} cannot be specified for 'input' elements.");
         }
@@ -56,5 +54,5 @@ internal void Validate()
     }
 
     internal string GetElement() =>
-        Element?.ToHtmlString().NormalizeEmptyString() ?? (Href.NormalizeEmptyString() is not null ? "a" : "button");
+        Element?.NormalizeEmptyString() ?? (Href.NormalizeEmptyString() is not null ? "a" : "button");
 }

src/GovUk.Frontend.AspNetCore/TagHelpers/BreadcrumbsTagHelper.cs

@@ -66,7 +66,7 @@ public override async Task ProcessAsync(TagHelperContext context, TagHelperOutpu
             Classes = classes,
             Attributes = attributes,
             Items = breadcrumbsContext.Items,
-            LabelText = LabelText.ToHtmlContent()
+            LabelText = LabelText.EncodeHtml()
         });
 
         component.WriteTo(output);

src/GovUk.Frontend.AspNetCore/TagHelpers/ButtonLinkTagHelper.cs

@@ -55,13 +55,13 @@ public override async Task ProcessAsync(TagHelperContext context, TagHelperOutpu
 
         var component = _componentGenerator.GenerateButton(new ButtonOptions()
         {
-            Element = Element.ToHtmlContent(),
+            Element = Element,
             Html = content,
             Href = href,
             Classes = classes,
             Attributes = attributes,
             IsStartButton = IsStartButton,
-            Id = Id.ToHtmlContent()
+            Id = Id.EncodeHtml()
         });
 
         component.WriteTo(output);

src/GovUk.Frontend.AspNetCore/TagHelpers/ButtonTagHelper.cs

@@ -94,17 +94,17 @@ public override async Task ProcessAsync(TagHelperContext context, TagHelperOutpu
 
         var component = _componentGenerator.GenerateButton(new ButtonOptions()
         {
-            Element = Element.ToHtmlContent(),
+            Element = Element,
             Html = content,
-            Name = Name.ToHtmlContent(),
-            Type = Type.ToHtmlContent(),
-            Value = Value.ToHtmlContent(),
+            Name = Name.EncodeHtml(),
+            Type = Type.EncodeHtml(),
+            Value = Value.EncodeHtml(),
             Disabled = Disabled,
             Classes = classes,
             Attributes = attributes,
             PreventDoubleClick = PreventDoubleClick,
             IsStartButton = IsStartButton,
-            Id = Id.ToHtmlContent()
+            Id = Id.EncodeHtml()
         });
 
         component.WriteTo(output);

src/GovUk.Frontend.AspNetCore/TagHelpers/CharacterCountTagHelper.cs

@@ -253,7 +253,7 @@ public override async Task ProcessAsync(TagHelperContext context, TagHelperOutpu
             await output.GetChildContentAsync();
         }
 
-        var name = ResolveName();
+        var name = ResolveNameUnencoded();
         var id = ResolveId(name);
         var value = ResolveValue(characterCountContext);
         var labelOptions = characterCountContext.GetLabelOptions(For, ViewContext!, _modelHelper, id, AspForAttributeName);
@@ -278,7 +278,7 @@ public override async Task ProcessAsync(TagHelperContext context, TagHelperOutpu
 
         if (Autocomplete is not null)
         {
-            attributes.Add("autocomplete", Autocomplete!.ToHtmlContent()!);
+            attributes.Add("autocomplete", Autocomplete!.EncodeHtml()!);
         }
 
         if (Disabled)
@@ -293,7 +293,7 @@ public override async Task ProcessAsync(TagHelperContext context, TagHelperOutpu
         var component = _componentGenerator.GenerateCharacterCount(new CharacterCountOptions
         {
             Id = id,
-            Name = name,
+            Name = name.EncodeHtml(),
             Rows = Rows,
             Value = value,
             MaxLength = MaxLength,
@@ -325,21 +325,21 @@ public override async Task ProcessAsync(TagHelperContext context, TagHelperOutpu
         if (errorMessageOptions is not null && context.TryGetContextItem<ContainerErrorContext>(out var containerErrorContext))
         {
             Debug.Assert(errorMessageOptions.Html is not null);
-            containerErrorContext.AddError(errorMessageOptions.Html!, href: new HtmlString("#" + id));
+            containerErrorContext.AddError(errorMessageOptions.Html!, href: new HtmlString("#" + id.ToHtmlString()));
         }
     }
 
-    private IHtmlContent ResolveId(IHtmlContent name)
+    private IHtmlContent ResolveId(string nameUnencoded)
     {
         if (Id is not null)
         {
-            return new HtmlString(Id);
+            return Id.EncodeHtml();
         }
 
-        return new HtmlString(TagBuilder.CreateSanitizedId(name.ToHtmlString(), Constants.IdAttributeDotReplacement));
+        return TagBuilder.CreateSanitizedId(nameUnencoded, Constants.IdAttributeDotReplacement).EncodeHtml();
     }
 
-    private IHtmlContent ResolveName()
+    private string ResolveNameUnencoded()
     {
         if (Name is null && For is null)
         {
@@ -348,7 +348,7 @@ private IHtmlContent ResolveName()
                 AspForAttributeName);
         }
 
-        return new HtmlString(Name ?? _modelHelper.GetFullHtmlFieldName(ViewContext!, For!.Name));
+        return Name ?? _modelHelper.GetFullHtmlFieldName(ViewContext!, For!.Name);
     }
 
     private IHtmlContent? ResolveValue(CharacterCountContext characterCountContext)
@@ -358,6 +358,6 @@ private IHtmlContent ResolveName()
             return characterCountContext.Value;
         }
 
-        return For is not null ? new HtmlString(_modelHelper.GetModelValue(ViewContext!, For.ModelExplorer, For.Name)) : null;
+        return For is not null ? _modelHelper.GetModelValue(ViewContext!, For.ModelExplorer, For.Name).EncodeHtml() : null;
     }
 }

src/GovUk.Frontend.AspNetCore/TagHelpers/ErrorMessageTagHelper.cs

@@ -106,7 +106,7 @@ await output.GetChildContentAsync() :
 
             if (validationMessage != null)
             {
-                resolvedContent = new HtmlString(HtmlEncoder.Default.Encode(validationMessage));
+                resolvedContent = validationMessage.EncodeHtml();
             }
         }
 

src/GovUk.Frontend.AspNetCore/TagHelpers/Extensions.cs

@@ -0,0 +1,12 @@
+using System.Diagnostics.CodeAnalysis;
+using System.Text.Encodings.Web;
+using Microsoft.AspNetCore.Html;
+
+namespace GovUk.Frontend.AspNetCore.TagHelpers;
+
+internal static class Extensions
+{
+    [return: NotNullIfNotNull(nameof(value))]
+    public static IHtmlContent? EncodeHtml(this string? value) =>
+        value is not null ? new HtmlString(HtmlEncoder.Default.Encode(value)) : null;
+}

src/GovUk.Frontend.AspNetCore/TagHelpers/FormGroupErrorMessageTagHelper.cs

@@ -67,7 +67,7 @@ private protected virtual void SetErrorMessage(TagHelperContent? childContent, T
         else if (context.TryGetContextItem<FormGroupContext2>(out var formGroupContext2))
         {
             formGroupContext2.SetErrorMessage(
-                VisuallyHiddenText.ToHtmlContent(),
+                VisuallyHiddenText.EncodeHtml(),
                 new EncodedAttributesDictionary(output.Attributes),
                 childContent?.Snapshot(),
                 output.TagName);