Add support for JsConfig.EscapeHtmlChars

Author: mythz

src/ServiceStack.Text/JsConfig.cs

@@ -123,6 +123,10 @@ public static JsConfigScope CreateScope(string config, JsConfigScope scope = nul
                     case "escapeunicode":
                         scope.EscapeUnicode = boolValue;
                         break;
+                    case "ehc":
+                    case "escapehtmlchars":
+                        scope.EscapeHtmlChars = boolValue;
+                        break;
                     case "ipf":
                     case "includepublicfields":
                         scope.IncludePublicFields = boolValue;
@@ -748,15 +752,34 @@ public static bool EscapeUnicode
             get
             {
                 return (JsConfigScope.Current != null ? JsConfigScope.Current.EscapeUnicode : null)
-                    ?? sEscapeUnicode
-                    ?? false;
+                       ?? sEscapeUnicode
+                       ?? false;
             }
             set
             {
                 if (!sEscapeUnicode.HasValue) sEscapeUnicode = value;
             }
         }
 
+        /// <summary>
+        /// Gets or sets a value indicating if HTML entity chars [&gt; &lt; &amp; = '] should be escaped as "\uXXXX".
+        /// </summary>
+        private static bool? sEscapeHtmlChars;
+        public static bool EscapeHtmlChars
+        {
+            // obeying the use of ThreadStatic, but allowing for setting JsConfig once as is the normal case
+            get
+            {
+                return (JsConfigScope.Current != null ? JsConfigScope.Current.EscapeHtmlChars : null)
+                       ?? sEscapeHtmlChars
+                       ?? false;
+            }
+            set
+            {
+                if (!sEscapeHtmlChars.HasValue) sEscapeHtmlChars = value;
+            }
+        }
+
         /// <summary>
         /// Gets or sets a value indicating if the framework should call an error handler when
         /// an exception happens during the deserialization.
@@ -934,6 +957,7 @@ public static void Reset()
             sSkipDateTimeConversion = null;
             sAppendUtcOffset = null;
             sEscapeUnicode = null;
+            sEscapeHtmlChars = null;
             sOnDeserializationError = null;
             sIncludePublicFields = null;
             HasSerializeFn = new HashSet<Type>();

src/ServiceStack.Text/JsConfigScope.cs

@@ -76,6 +76,7 @@ public void Dispose()
         public bool? AssumeUtc { get; set; }
         public bool? AppendUtcOffset { get; set; }
         public bool? EscapeUnicode { get; set; }
+        public bool? EscapeHtmlChars { get; set; }
         public bool? PreferInterfaces { get; set; }
         public bool? IncludePublicFields { get; set; }
         public int? MaxDepth { get; set; }

src/ServiceStack.Text/Json/JsonUtils.cs

@@ -2,6 +2,7 @@
 //License: https://raw.github.com/ServiceStack/ServiceStack/master/license.txt
 
 using System.IO;
+using System.Runtime.CompilerServices;
 
 namespace ServiceStack.Text.Json
 {
@@ -43,7 +44,11 @@ public static void WriteString(TextWriter writer, string value)
                 writer.Write(Null);
                 return;
             }
-            if (!HasAnyEscapeChars(value))
+
+            var escapeHtmlChars = JsConfig.EscapeHtmlChars;
+            var escapeUnicode = JsConfig.EscapeUnicode;
+
+            if (!HasAnyEscapeChars(value, escapeHtmlChars))
             {
                 writer.Write(QuoteChar);
                 writer.Write(value);
@@ -90,22 +95,46 @@ public static void WriteString(TextWriter writer, string value)
                         continue;
                 }
 
+                if (escapeHtmlChars)
+                {
+                    switch (c)
+                    {
+                        case '<':
+                            writer.Write("\\u003c");
+                            continue;
+                        case '>':
+                            writer.Write("\\u003e");
+                            continue;
+                        case '&':
+                            writer.Write("\\u0026");
+                            continue;
+                        case '=':
+                            writer.Write("\\u003d");
+                            continue;
+                        case '\'':
+                            writer.Write("\\u0027");
+                            continue;
+                    }
+                }
+
                 if (c.IsPrintable())
                 {
                     writer.Write(c);
                     continue;
                 }
 
                 // http://json.org/ spec requires any control char to be escaped
-                if (JsConfig.EscapeUnicode || char.IsControl(c))
+                if (escapeUnicode || char.IsControl(c))
                 {
                     // Default, turn into a \uXXXX sequence
                     IntToHex(c, hexSeqBuffer);
                     writer.Write("\\u");
                     writer.Write(hexSeqBuffer);
                 }
                 else
+                {
                     writer.Write(c);
+                }
             }
 
             writer.Write(QuoteChar);
@@ -121,15 +150,16 @@ private static bool IsPrintable(this char c)
         /// Searches the string for one or more non-printable characters.
         /// </summary>
         /// <param name="value">The string to search.</param>
+        /// <param name="escapeHtmlChars"></param>
         /// <returns>True if there are any characters that require escaping. False if the value can be written verbatim.</returns>
         /// <remarks>
         /// Micro optimizations: since quote and backslash are the only printable characters requiring escaping, removed previous optimization
         /// (using flags instead of value.IndexOfAny(EscapeChars)) in favor of two equality operations saving both memory and CPU time.
         /// Also slightly reduced code size by re-arranging conditions.
         /// TODO: Possible Linq-only solution requires profiling: return value.Any(c => !c.IsPrintable() || c == QuoteChar || c == EscapeChar);
         /// </remarks>
-        private static bool HasAnyEscapeChars(string value)
         [MethodImpl(MethodImplOptions.AggressiveInlining)]
+        private static bool HasAnyEscapeChars(string value, bool escapeHtmlChars)
         {
             var len = value.Length;
             for (var i = 0; i < len; i++)
@@ -138,7 +168,11 @@ private static bool HasAnyEscapeChars(string value)
 
                 // c is not printable
                 // OR c is a printable that requires escaping (quote and backslash).
-                if (!c.IsPrintable() || c == QuoteChar || c == EscapeChar) return true;
+                if (!c.IsPrintable() || c == QuoteChar || c == EscapeChar)
+                    return true;
+
+                if (escapeHtmlChars && (c == '<' || c == '>' || c == '&' || c == '=' || c == '\\'))
+                    return true;
             }
             return false;
         }

tests/ServiceStack.Text.Tests/JsConfigTests.cs

@@ -4,6 +4,34 @@
 
 namespace ServiceStack.Text.Tests
 {
+    public class Foo
+    {
+        public string FooBar { get; set; }
+    }
+
+    public class Bar
+    {
+        public string FooBar { get; set; }
+    }
+
+    [TestFixture]
+    public class JsConfigAdhocTests
+    {
+        [Test]
+        public void Can_escape_Html_Chars()
+        {
+            var dto = new Foo { FooBar = "<script>danger();</script>" };
+
+            Assert.That(dto.ToJson(), Is.EqualTo("{\"FooBar\":\"<script>danger();</script>\"}"));
+
+            JsConfig.EscapeHtmlChars = true;
+
+            Assert.That(dto.ToJson(), Is.EqualTo("{\"FooBar\":\"\\u003cscript\\u003edanger();\\u003c/script\\u003e\"}"));
+
+            JsConfig.Reset();
+        }
+    }
+
     [TestFixture]
     public class JsConfigTests
     {
@@ -37,25 +65,14 @@ public void Can_override_default_configuration()
         }
     }
 
-    public class Foo
-    {
-        public string FooBar { get; set; }
-    }
-
-    public class Bar
-    {
-        public string FooBar { get; set; }
-    }
-
-
     [TestFixture]
     public class SerializEmitLowerCaseUnderscoreNamesTests
     {
         [Test]
         public void TestJsonDataWithJsConfigScope()
         {
-            using (JsConfig.With(emitLowercaseUnderscoreNames:true, 
-                propertyConvention:PropertyConvention.Lenient))
+            using (JsConfig.With(emitLowercaseUnderscoreNames: true,
+                propertyConvention: PropertyConvention.Lenient))
                 AssertObjectJson();
         }