fix: Escape certain characters for attribute values

linkdotnet · linkdotnet · commit dbfe251a3c22 · 2023-01-10T13:44:39.000+01:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -9,6 +9,7 @@ All notable changes to **bUnit** will be documented in this file. The project ad
 ### Fixed
 
 -   Added support in `FakeNavigationManager` to handle umlauts.
+-   Fixed a bug where attribute values did not get escaped. Reported by [@brettwinters](https://github.com/brettwinters). Fixed by [@linkdotnet](https://github.com/linkdotnet).
 
 ## [1.13.5] - 2022-12-16
 
diff --git a/src/bunit.web/Rendering/Internal/Htmlizer.cs b/src/bunit.web/Rendering/Internal/Htmlizer.cs
@@ -6,6 +6,7 @@
 using System.Globalization;
 using System.Text;
 using System.Text.Encodings.Web;
+using System.Text.Unicode;
 using Bunit.Rendering;
 
 namespace Bunit;
@@ -270,7 +271,7 @@ private static int RenderAttributes(
 					result.Append(frame.AttributeName);
 					result.Append('=');
 					result.Append('"');
-					result.Append(value);
+					result.Append(Escape(value));
 					result.Append('"');
 					break;
 				default:
@@ -281,6 +282,11 @@ private static int RenderAttributes(
 		return position + maxElements;
 	}
 
+	private static string Escape(string value) =>
+		value
+			.Replace("&", "&amp;", StringComparison.OrdinalIgnoreCase)
+			.Replace("\"", "&quot;", StringComparison.OrdinalIgnoreCase);
+
 	private sealed class HtmlRenderingContext
 	{
 		private readonly RenderTreeFrameDictionary frames;
diff --git a/tests/bunit.testassets/BlazorE2E/ComponentWithEscapableCharacters.razor b/tests/bunit.testassets/BlazorE2E/ComponentWithEscapableCharacters.razor
@@ -1,5 +1,8 @@
 <p style="@Escaped">@Escaped</p>
 
 @code {
-	private string Escaped => "url('')";
+
+	[Parameter]
+	public string Escaped { get; set; }
+
 }
diff --git a/tests/bunit.web.tests/BlazorE2E/ComponentRenderingTest.cs b/tests/bunit.web.tests/BlazorE2E/ComponentRenderingTest.cs
@@ -691,11 +691,13 @@ public async Task CanHandleRemovedParentObjectsAsync()
 	}
 
 	[Fact]
-	public void EscapableCharactersDontGetEncoded()
+	public void SomeEscapableCharactersDontGetEncoded()
 	{
-		var cut = RenderComponent<ComponentWithEscapableCharacters>();
+		const string input = "url('\"&')";
+		var cut = RenderComponent<ComponentWithEscapableCharacters>(
+			p => p.Add(s => s.Escaped, input));
 
-		cut.Markup.ShouldBe("<p style=\"url('')\">url('')</p>");
+		cut.Markup.ShouldBe("<p style=\"url('&quot;&amp;')\">url('\"&')</p>");
 	}
 
 	[Fact]

Original file line number	Diff line number	Diff line change
`@@ -1,5 +1,8 @@`
`1`	`1`	`<p style="@Escaped">@Escaped</p>`
`2`	`2`
`3`	`3`	`@code {`
`4`		`- private string Escaped => "url('')";`
	`4`	`+`
	`5`	`+ [Parameter]`
	`6`	`+ public string Escaped { get; set; }`
	`7`	`+`
`5`	`8`	`}`
Original file line number	Diff line number	Diff line change
`@@ -691,11 +691,13 @@ public async Task CanHandleRemovedParentObjectsAsync()`
`691`	`691`	`}`
`692`	`692`
`693`	`693`	`[Fact]`
`694`		`- public void EscapableCharactersDontGetEncoded()`
	`694`	`+ public void SomeEscapableCharactersDontGetEncoded()`
`695`	`695`	`{`
`696`		`- var cut = RenderComponent<ComponentWithEscapableCharacters>();`
	`696`	`+ const string input = "url('\"&')";`
	`697`	`+ var cut = RenderComponent<ComponentWithEscapableCharacters>(`
	`698`	`+ p => p.Add(s => s.Escaped, input));`
`697`	`699`
`698`		`- cut.Markup.ShouldBe("<p style=\"url('')\">url('')</p>");`
	`700`	`+ cut.Markup.ShouldBe("<p style=\"url('"&')\">url('\"&')</p>");`
`699`	`701`	`}`
`700`	`702`
`701`	`703`	`[Fact]`