Valid HTML Input name in FormInputElementPart (#17567)

Author: MikeAlhayek

src/OrchardCore.Modules/OrchardCore.Forms/Drivers/FormInputElementPartDisplayDriver.cs

@@ -1,6 +1,7 @@
 using Microsoft.Extensions.Localization;
 using OrchardCore.ContentManagement.Display.ContentDisplay;
 using OrchardCore.ContentManagement.Display.Models;
+using OrchardCore.ContentManagement.Utilities;
 using OrchardCore.DisplayManagement.Views;
 using OrchardCore.Forms.Models;
 using OrchardCore.Forms.ViewModels;
@@ -35,8 +36,17 @@ public override async Task<IDisplayResult> UpdateAsync(FormInputElementPart part
         {
             context.Updater.ModelState.AddModelError(Prefix, nameof(viewModel.Name), S["A value is required for Name."]);
         }
+        else
+        {
+            var safeName = viewModel.Name.GetSafeHTMLInputName();
+
+            if (viewModel.Name != safeName)
+            {
+                context.Updater.ModelState.AddModelError(Prefix, nameof(viewModel.Name), S["A Name contains invalid characters."]);
+            }
+        }
 
-        part.Name = viewModel.Name?.Trim();
+        part.Name = viewModel.Name;
         part.ContentItem.DisplayText = part.Name;
 
         return Edit(part, context);

src/OrchardCore.Modules/OrchardCore.Forms/Migrations.cs

@@ -23,14 +23,21 @@ await _contentDefinitionManager.AlterPartDefinitionAsync("FormPart", part => par
 
         await _contentDefinitionManager.AlterTypeDefinitionAsync("Form", type => type
             .WithPart("TitlePart", part => part
-                .WithSettings(new TitlePartSettings { RenderTitle = false })
+                .WithSettings(new TitlePartSettings
+                {
+                    RenderTitle = false,
+                })
                 .WithPosition("0")
             )
-            .WithPart("FormElementPart", part =>
-               part.WithPosition("1")
+            .WithPart("FormElementPart", part => part
+                .WithPosition("1")
+            )
+            .WithPart("FormPart", part => part
+                .WithPosition("2")
+            )
+            .WithPart("FlowPart", part => part
+                .WithPosition("3")
             )
-            .WithPart("FormPart")
-            .WithPart("FlowPart")
             .Stereotype("Widget"));
 
         // FormElement

src/OrchardCore.Modules/OrchardCore.Forms/Views/Items/FormInputElementPart.Fields.Edit.cshtml

@@ -3,9 +3,9 @@
 @model FormInputElementPartEditViewModel
 
 <div class="@Orchard.GetWrapperClasses()">
-    <label asp-for="Name" class="@Orchard.GetLabelClasses()">@T["Name"]</label>
+    <label asp-for="Name" class="@Orchard.GetLabelClasses()">@T["HTML Name"]</label>
     <div class="@Orchard.GetEndClasses()">
         <input asp-for="Name" type="text" class="form-control content-preview-text content-caption-text" />
-        <span class="hint">@T["The name to render on this form element."]</span>
+        <span class="hint">@T["The valid characters for the HTML input name attribute are letters (a-z, A-Z), digits (0-9), hyphen (-), underscore (_), period (.), and square brackets ([ ])."]</span>
     </div>
 </div>

src/OrchardCore/OrchardCore.ContentManagement.Abstractions/Utilities/StringExtensions.cs

@@ -385,4 +385,27 @@ public static string ReplaceLastOccurrence(this string source, string searchedVa
 
         return source.Remove(lastIndex, searchedValue.Length).Insert(lastIndex, replacedValue);
     }
+
+    private const string _validHtmlInputNameCharacters = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_.[]";
+
+    public static string GetSafeHTMLInputName(this string input)
+    {
+        ArgumentException.ThrowIfNullOrEmpty(input);
+
+        var inputSpan = input.AsSpan();
+
+        var sanitizedName = new StringBuilder(inputSpan.Length);
+
+        foreach (var c in inputSpan)
+        {
+            if (!_validHtmlInputNameCharacters.Contains(c))
+            {
+                continue;
+            }
+
+            sanitizedName.Append(c);
+        }
+
+        return sanitizedName.ToString();
+    }
 }