Add HTML safety

hugoalh · hugoalh · commit 33a3fefdcc58 · 2022-06-19T17:35:19.000+08:00
diff --git a/hugoalh.GitHubActionsToolkit/module/step-summary.psm1 b/hugoalh.GitHubActionsToolkit/module/step-summary.psm1
@@ -50,7 +50,7 @@ Function Add-StepSummaryHeader {
 	[OutputType([Void])]
 	Param (
 		[Parameter(Mandatory = $True, Position = 0)][ValidateRange(1, 6)][UInt16]$Level,
-		[Parameter(Mandatory = $True, Position = 1)][Alias('Title', 'Value')][String]$Header
+		[Parameter(Mandatory = $True, Position = 1)][ValidatePattern('^.+$', ErrorMessage = 'Parameter `Header` must be in single line string!')][Alias('Title', 'Value')][String]$Header
 	)
 	Return (Add-StepSummary -Value "$('#' * $Level) $Header")
 }
@@ -88,25 +88,25 @@ Function Add-StepSummaryImage {
 		$Width -igt -1 -or
 		$Height -igt -1
 	) {
-		[String]$ResultHtml = "<img src=`"$Uri`""
+		[String]$ResultHtml = "<img src=`"$([Uri]::EscapeUriString($Uri))`""
 		If ($Title.Length -igt 0) {
-			$ResultHtml += " title=`"$Title`""
+			$ResultHtml += " title=`"$([System.Web.HttpUtility]::HtmlAttributeEncode($Title))`""
 		}
 		If ($AlternativeText.Length -igt 0) {
-			$ResultHtml += " alt=`"$AlternativeText`""
+			$ResultHtml += " alt=`"$([System.Web.HttpUtility]::HtmlAttributeEncode($AlternativeText))`""
 		}
 		If ($Width -igt -1) {
 			$ResultHtml += " width=`"$Width`""
 		}
 		If ($Height -igt -1) {
 			$ResultHtml += " height=`"$Height`""
 		}
-		$ResultHtml += '>'
+		$ResultHtml += ' />'
 		Return (Add-StepSummary -Value $ResultHtml -NoNewLine:$NoNewLine)
 	}
-	[String]$ResultMarkdown = "![$AlternativeText]($Uri"
+	[String]$ResultMarkdown = "![$([System.Web.HttpUtility]::HtmlAttributeEncode($AlternativeText))]($([Uri]::EscapeUriString($Uri))"
 	If ($Title.Length -igt 0) {
-		$ResultMarkdown += " `"$Title`""
+		$ResultMarkdown += " `"$([System.Web.HttpUtility]::HtmlAttributeEncode($Title))`""
 	}
 	$ResultMarkdown += ')'
 	Return (Add-StepSummary -Value $ResultMarkdown -NoNewLine:$NoNewLine)
@@ -136,9 +136,9 @@ Function Add-StepSummaryLink {
 		[String]$Title,
 		[Switch]$NoNewLine
 	)
-	[String]$ResultMarkdown = "[$Text]($Uri"
+	[String]$ResultMarkdown = "[$([System.Web.HttpUtility]::HtmlAttributeEncode($Text))]($([Uri]::EscapeUriString($Uri))"
 	If ($Title.Length -igt 0) {
-		$ResultMarkdown += " `"$Title`""
+		$ResultMarkdown += " `"$([System.Web.HttpUtility]::HtmlAttributeEncode($Title))`""
 	}
 	$ResultMarkdown += ')'
 	Return (Add-StepSummary -Value $ResultMarkdown -NoNewLine:$NoNewLine)
@@ -161,7 +161,7 @@ Function Add-StepSummarySubscriptText {
 		[Parameter(Mandatory = $True, Position = 0)][Alias('Input', 'InputObject', 'Object')][String]$Text,
 		[Switch]$NoNewLine
 	)
-	Return (Add-StepSummary -Value "<sub>$Text</sub>" -NoNewLine:$NoNewLine)
+	Return (Add-StepSummary -Value "<sub>$([System.Web.HttpUtility]::HtmlEncode($Text))</sub>" -NoNewLine:$NoNewLine)
 }
 Set-Alias -Name 'Add-StepSummarySubscript' -Value 'Add-StepSummarySubscriptText' -Option 'ReadOnly' -Scope 'Local'
 <#
@@ -181,7 +181,7 @@ Function Add-StepSummarySuperscriptText {
 		[Parameter(Mandatory = $True, Position = 0)][Alias('Input', 'InputObject', 'Object')][String]$Text,
 		[Switch]$NoNewLine
 	)
-	Return (Add-StepSummary -Value "<sup>$Text</sup>" -NoNewLine:$NoNewLine)
+	Return (Add-StepSummary -Value "<sup>$([System.Web.HttpUtility]::HtmlEncode($Text))</sup>" -NoNewLine:$NoNewLine)
 }
 Set-Alias -Name 'Add-StepSummarySuperscript' -Value 'Add-StepSummarySuperscriptText' -Option 'ReadOnly' -Scope 'Local'
 <#

Original file line number	Diff line number	Diff line change
`@@ -50,7 +50,7 @@ Function Add-StepSummaryHeader {`
`50`	`50`	`[OutputType([Void])]`
`51`	`51`	`Param (`
`52`	`52`	`[Parameter(Mandatory = $True, Position = 0)][ValidateRange(1, 6)][UInt16]$Level,`
`53`		`- [Parameter(Mandatory = $True, Position = 1)][Alias('Title', 'Value')][String]$Header`
	`53`	+ [Parameter(Mandatory = $True, Position = 1)][ValidatePattern('^.+$', ErrorMessage = 'Parameter `Header` must be in single line string!')][Alias('Title', 'Value')][String]$Header
`54`	`54`	`)`
`55`	`55`	`Return (Add-StepSummary -Value "$('#' * $Level) $Header")`
`56`	`56`	`}`
`@@ -88,25 +88,25 @@ Function Add-StepSummaryImage {`
`88`	`88`	`$Width -igt -1 -or`
`89`	`89`	`$Height -igt -1`
`90`	`90`	`) {`
`91`		- [String]$ResultHtml = "<img src=`"$Uri`""
	`91`	+ [String]$ResultHtml = "<img src=`"$([Uri]::EscapeUriString($Uri))`""
`92`	`92`	`If ($Title.Length -igt 0) {`
`93`		- $ResultHtml += " title=`"$Title`""
	`93`	+ $ResultHtml += " title=`"$([System.Web.HttpUtility]::HtmlAttributeEncode($Title))`""
`94`	`94`	`}`
`95`	`95`	`If ($AlternativeText.Length -igt 0) {`
`96`		- $ResultHtml += " alt=`"$AlternativeText`""
	`96`	+ $ResultHtml += " alt=`"$([System.Web.HttpUtility]::HtmlAttributeEncode($AlternativeText))`""
`97`	`97`	`}`
`98`	`98`	`If ($Width -igt -1) {`
`99`	`99`	$ResultHtml += " width=`"$Width`""
`100`	`100`	`}`
`101`	`101`	`If ($Height -igt -1) {`
`102`	`102`	$ResultHtml += " height=`"$Height`""
`103`	`103`	`}`
`104`		`- $ResultHtml += '>'`
	`104`	`+ $ResultHtml += ' />'`
`105`	`105`	`Return (Add-StepSummary -Value $ResultHtml -NoNewLine:$NoNewLine)`
`106`	`106`	`}`
`107`		`- [String]$ResultMarkdown = "![$AlternativeText]($Uri"`
	`107`	`+ [String]$ResultMarkdown = "![$([System.Web.HttpUtility]::HtmlAttributeEncode($AlternativeText))]($([Uri]::EscapeUriString($Uri))"`
`108`	`108`	`If ($Title.Length -igt 0) {`
`109`		- $ResultMarkdown += " `"$Title`""
	`109`	+ $ResultMarkdown += " `"$([System.Web.HttpUtility]::HtmlAttributeEncode($Title))`""
`110`	`110`	`}`
`111`	`111`	`$ResultMarkdown += ')'`
`112`	`112`	`Return (Add-StepSummary -Value $ResultMarkdown -NoNewLine:$NoNewLine)`
`@@ -136,9 +136,9 @@ Function Add-StepSummaryLink {`
`136`	`136`	`[String]$Title,`
`137`	`137`	`[Switch]$NoNewLine`
`138`	`138`	`)`
`139`		`- [String]$ResultMarkdown = "[$Text]($Uri"`
	`139`	`+ [String]$ResultMarkdown = "[$([System.Web.HttpUtility]::HtmlAttributeEncode($Text))]($([Uri]::EscapeUriString($Uri))"`
`140`	`140`	`If ($Title.Length -igt 0) {`
`141`		- $ResultMarkdown += " `"$Title`""
	`141`	+ $ResultMarkdown += " `"$([System.Web.HttpUtility]::HtmlAttributeEncode($Title))`""
`142`	`142`	`}`
`143`	`143`	`$ResultMarkdown += ')'`
`144`	`144`	`Return (Add-StepSummary -Value $ResultMarkdown -NoNewLine:$NoNewLine)`
`@@ -161,7 +161,7 @@ Function Add-StepSummarySubscriptText {`
`161`	`161`	`[Parameter(Mandatory = $True, Position = 0)][Alias('Input', 'InputObject', 'Object')][String]$Text,`
`162`	`162`	`[Switch]$NoNewLine`
`163`	`163`	`)`
`164`		`- Return (Add-StepSummary -Value "<sub>$Text</sub>" -NoNewLine:$NoNewLine)`
	`164`	`+ Return (Add-StepSummary -Value "<sub>$([System.Web.HttpUtility]::HtmlEncode($Text))</sub>" -NoNewLine:$NoNewLine)`
`165`	`165`	`}`
`166`	`166`	`Set-Alias -Name 'Add-StepSummarySubscript' -Value 'Add-StepSummarySubscriptText' -Option 'ReadOnly' -Scope 'Local'`
`167`	`167`	`<#`
`@@ -181,7 +181,7 @@ Function Add-StepSummarySuperscriptText {`
`181`	`181`	`[Parameter(Mandatory = $True, Position = 0)][Alias('Input', 'InputObject', 'Object')][String]$Text,`
`182`	`182`	`[Switch]$NoNewLine`
`183`	`183`	`)`
`184`		`- Return (Add-StepSummary -Value "<sup>$Text</sup>" -NoNewLine:$NoNewLine)`
	`184`	`+ Return (Add-StepSummary -Value "<sup>$([System.Web.HttpUtility]::HtmlEncode($Text))</sup>" -NoNewLine:$NoNewLine)`
`185`	`185`	`}`
`186`	`186`	`Set-Alias -Name 'Add-StepSummarySuperscript' -Value 'Add-StepSummarySuperscriptText' -Option 'ReadOnly' -Scope 'Local'`
`187`	`187`	`<#`