[Blazor] Emit action attribute when not explicit. (#51130)

This change updates the server rendering logic to always emit an absolute URL for a form action when none is specified explicitly.

## Description

When as part of rendering a form, the developer does not explicitly add an `action` attribute, the framework will automatically generate one with the value of the current request URL.

Fixes #51118

## Customer Impact

When enhanced navigation is active, the URL might change while an update to the page is in progress. In such situations, if the user clicks a button and submits a form, the form might incorrectly post to the wrong URL, as the page URL might have already been updated. 

Given that when the URL updates on the document is not a behavior, we have control over, we have to account for this, and to prevent it, we make sure that we always generate forms with an action attribute, which is unambiguous.

## Regression?

- [ ] Yes
- [X] No

[If yes, specify the version the behavior has regressed from]

## Risk

- [ ] High
- [ ] Medium
- [X] Low

The fix is to detect forms without an `action` attribute and emit it to the current URL. This is correct in all cases and is unambiguous.

## Verification

- [x] Manual (required)
- [X] Automated

## Packaging changes reviewed?

- [ ] Yes
- [ ] No
- [x] N/A

----

## When servicing release/2.1

- [ ] Make necessary changes in eng/PatchConfig.props

Author: javiercn

src/Components/Samples/BlazorUnitedApp/Program.cs

@@ -24,6 +24,7 @@
 app.UseHttpsRedirection();
 
 app.UseStaticFiles();
+app.UseAntiforgery();
 
 app.MapRazorComponents<App>();
 

src/Components/Web.JS/dist/Release/blazor.web.js

@@ -35,6 +35,10 @@ let currentEnhancedNavigationAbortController: AbortController | null;
 let navigationEnhancementCallbacks: NavigationEnhancementCallbacks;
 let performingEnhancedPageLoad: boolean;
 
+// This gets initialized to the current URL when we load.
+// After that, it gets updated every time we successfully complete a navigation.
+let currentContentUrl = location.href;
+
 export interface NavigationEnhancementCallbacks {
   documentUpdated: () => void;
   enhancedNavigationCompleted: () => void;
@@ -217,10 +221,25 @@ export async function performEnhancedPageLoad(internalDestinationHref: string, f
         return;
       }
 
-      if (!response.redirected && !isGetRequest && response.url !== location.href && isSuccessResponse) {
-        isNonRedirectedPostToADifferentUrlMessage = `Cannot perform enhanced form submission that changes the URL (except via a redirection), because then back/forward would not work. Either remove this form\'s \'action\' attribute, or change its method to \'get\', or do not mark it as enhanced.\nOld URL: ${location.href}\nNew URL: ${response.url}`;
+      if (!response.redirected && !isGetRequest && isSuccessResponse) {
+        // If this is the result of a form post that didn't trigger a redirection.
+        if (!isForSamePath(response)) {
+          // In this case we don't want to push the currentContentUrl to the history stack because we don't know if this is a location
+          // we can navigate back to (as we don't know if the location supports GET) and we are not able to replicate the Resubmit form?
+          // browser behavior.
+          // The only case where this is acceptable is when the last content URL, is the same as the URL for the form we posted to.
+          isNonRedirectedPostToADifferentUrlMessage = `Cannot perform enhanced form submission that changes the URL (except via a redirection), because then back/forward would not work. Either remove this form\'s \'action\' attribute, or change its method to \'get\', or do not mark it as enhanced.\nOld URL: ${location.href}\nNew URL: ${response.url}`;
+        } else {
+          if (location.href !== currentContentUrl) {
+            // The url on the browser might be out of data, so push an entry to the stack to update the url in place.
+            history.pushState(null, '', currentContentUrl);
+          }
+        }
       }
 
+      // Set the currentContentUrl to the location of the last completed navigation.
+      currentContentUrl = response.url;
+
       const responseContentType = response.headers.get('content-type');
       if (responseContentType?.startsWith('text/html') && initialContent) {
         // For HTML responses, regardless of the status code, display it
@@ -277,6 +296,20 @@ export async function performEnhancedPageLoad(internalDestinationHref: string, f
       throw new Error(isNonRedirectedPostToADifferentUrlMessage);
     }
   }
+
+  function isForSamePath(response: Response) {
+    // We are trying to determine if the response URL is compatible with the last content URL that was successfully loaded on to
+    // the page.
+    // We are going to use the scheme, host, port and path to determine if they are compatible. We do not account for the query string
+    // as we want to allow for the query string to change. (Blazor doesn't use the query string for routing purposes).
+
+    const responseUrl = new URL(response.url);
+    const currentContentUrlParsed = new URL(currentContentUrl!);
+    return responseUrl.protocol === currentContentUrlParsed.protocol
+      && responseUrl.host === currentContentUrlParsed.host
+      && responseUrl.port === currentContentUrlParsed.port
+      && responseUrl.pathname === currentContentUrlParsed.pathname;
+  }
 }
 
 async function getResponsePartsWithFraming(responsePromise: Promise<Response>, abortSignal: AbortSignal, onInitialDocument: (response: Response, initialDocumentText: string) => void, onStreamingElement: (streamingElementMarkup) => void) {
@@ -369,7 +402,7 @@ function enhancedNavigationIsEnabledForLink(element: HTMLAnchorElement): boolean
 function enhancedNavigationIsEnabledForForm(form: HTMLFormElement): boolean {
   // For forms, they default *not* to being enhanced, and must be enabled explicitly on the form element itself (not an ancestor).
   const attributeValue = form.getAttribute('data-enhance');
-  return typeof(attributeValue) === 'string'
+  return typeof (attributeValue) === 'string'
     && attributeValue === '' || attributeValue?.toLowerCase() === 'true';
 }
 

src/Components/Web.JS/src/Services/NavigationEnhancement.ts

@@ -108,8 +108,9 @@ private int RenderElement(int componentId, TextWriter output, ArrayRange<RenderT
         output.Write(frame.ElementName);
         int afterElement;
         var isTextArea = string.Equals(frame.ElementName, "textarea", StringComparison.OrdinalIgnoreCase);
+        var isForm = string.Equals(frame.ElementName, "form", StringComparison.OrdinalIgnoreCase);
         // We don't want to include value attribute of textarea element.
-        var afterAttributes = RenderAttributes(output, frames, position + 1, frame.ElementSubtreeLength - 1, !isTextArea, out var capturedValueAttribute);
+        var afterAttributes = RenderAttributes(output, frames, position + 1, frame.ElementSubtreeLength - 1, !isTextArea, isForm: isForm, out var capturedValueAttribute);
 
         // When we see an <option> as a descendant of a <select>, and the option's "value" attribute matches the
         // "value" attribute on the <select>, then we auto-add the "selected" attribute to that option. This is
@@ -270,15 +271,23 @@ private static bool TryFindEnclosingElementFrame(ArrayRange<RenderTreeFrame> fra
     }
 
     private int RenderAttributes(
-        TextWriter output, ArrayRange<RenderTreeFrame> frames, int position, int maxElements, bool includeValueAttribute, out string? capturedValueAttribute)
+        TextWriter output,
+        ArrayRange<RenderTreeFrame> frames,
+        int position,
+        int maxElements,
+        bool includeValueAttribute,
+        bool isForm,
+        out string? capturedValueAttribute)
     {
         capturedValueAttribute = null;
 
         if (maxElements == 0)
         {
+            EmitFormActionIfNotExplicit(output, isForm, hasExplicitActionValue: false);
             return position;
         }
 
+        var hasExplicitActionValue = false;
         for (var i = 0; i < maxElements; i++)
         {
             var candidateIndex = position + i;
@@ -291,6 +300,7 @@ private int RenderAttributes(
                     continue;
                 }
 
+                EmitFormActionIfNotExplicit(output, isForm, hasExplicitActionValue);
                 return candidateIndex;
             }
 
@@ -304,6 +314,12 @@ private int RenderAttributes(
                 }
             }
 
+            if (isForm && frame.AttributeName.Equals("action", StringComparison.OrdinalIgnoreCase) &&
+                !string.IsNullOrEmpty(frame.AttributeValue as string))
+            {
+                hasExplicitActionValue = true;
+            }
+
             switch (frame.AttributeValue)
             {
                 case bool flag when flag:
@@ -323,7 +339,22 @@ private int RenderAttributes(
             }
         }
 
+        EmitFormActionIfNotExplicit(output, isForm, hasExplicitActionValue);
+
         return position + maxElements;
+
+        void EmitFormActionIfNotExplicit(TextWriter output, bool isForm, bool hasExplicitActionValue)
+        {
+            if (isForm && _navigationManager != null && !hasExplicitActionValue)
+            {
+                output.Write(' ');
+                output.Write("action");
+                output.Write('=');
+                output.Write('\"');
+                _htmlEncoder.Encode(output, _navigationManager.Uri);
+                output.Write('\"');
+            }
+        }
     }
 
     private int RenderChildren(int componentId, TextWriter output, ArrayRange<RenderTreeFrame> frames, int position, int maxElements)

src/Components/Web/src/HtmlRendering/StaticHtmlRenderer.HtmlWriting.cs

@@ -6,6 +6,7 @@
 using Microsoft.AspNetCore.Components.RenderTree;
 using Microsoft.AspNetCore.Components.Web;
 using Microsoft.AspNetCore.Components.Web.HtmlRendering;
+using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.Logging;
 
 namespace Microsoft.AspNetCore.Components.HtmlRendering.Infrastructure;
@@ -18,6 +19,7 @@ namespace Microsoft.AspNetCore.Components.HtmlRendering.Infrastructure;
 public partial class StaticHtmlRenderer : Renderer
 {
     private static readonly Task CanceledRenderTask = Task.FromCanceled(new CancellationToken(canceled: true));
+    private readonly NavigationManager? _navigationManager;
 
     /// <summary>
     /// Constructs an instance of <see cref="StaticHtmlRenderer"/>.
@@ -27,6 +29,7 @@ public partial class StaticHtmlRenderer : Renderer
     public StaticHtmlRenderer(IServiceProvider serviceProvider, ILoggerFactory loggerFactory)
         : base(serviceProvider, loggerFactory)
     {
+        _navigationManager = serviceProvider.GetService<NavigationManager>();
     }
 
     /// <inheritdoc/>