HtmlAnchor.RenderAttributes renders the HRef attribute by calling HtmlControl.PreProcessRelativeReferenceAttribute. This method renders the attribute without HTML attribute encoding and removes it from the Attributes collection. All the other attributes of HtmlAnchor are rendered with HTML attribute encoding, making HRef the only attribute that is XSS unsafe.
This is quite a gotcha that should be addressed at least by improving the documentation.
internal void PreProcessRelativeReferenceAttribute(HtmlTextWriter writer,
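
A defensive wrapper for the behaviour described above, as an added example that is not code from System.Web or from the original report: it attribute-encodes the value before it reaches HRef and, going beyond the report, accepts only http, https and local paths. The names `AnchorHrefGuard`, `SetHref`, `ToSafeAttributeValue`, `profileLink` and the `next` query key are hypothetical.

```csharp
using System;
using System.Web;
using System.Web.UI.HtmlControls;

// Hypothetical helper (not part of System.Web). Call it instead of
// assigning untrusted text to HtmlAnchor.HRef directly.
public static class AnchorHrefGuard
{
    public static void SetHref(HtmlAnchor anchor, string untrustedUrl)
    {
        if (anchor == null) throw new ArgumentNullException("anchor");
        anchor.HRef = ToSafeAttributeValue(untrustedUrl);
    }

    // Returns a value that is safe to emit inside href="..." even when the
    // control writes it without HTML attribute encoding of its own.
    public static string ToSafeAttributeValue(string untrustedUrl)
    {
        string url = (untrustedUrl ?? string.Empty).Trim();
        if (!IsAllowed(url)) return "#";   // inert fallback for rejected input
        return HttpUtility.HtmlAttributeEncode(url);
    }

    private static bool IsAllowed(string url)
    {
        if (url.Length == 0) return false;

        // App-relative ("~/x") and root-relative ("/x") paths are accepted;
        // "//host" and "/\host" are rejected because browsers treat them
        // as links to another host.
        if (url.StartsWith("~/", StringComparison.Ordinal)) return true;
        if (url[0] == '/')
            return url.Length == 1 || (url[1] != '/' && url[1] != '\\');

        // Everything else must parse as an absolute http(s) URL, which
        // excludes script-bearing schemes that encoding alone would not stop.
        Uri parsed;
        if (!Uri.TryCreate(url, UriKind.Absolute, out parsed)) return false;
        return parsed.Scheme == Uri.UriSchemeHttp
            || parsed.Scheme == Uri.UriSchemeHttps;
    }
}

// Constructed usage in a page's code-behind:
//   AnchorHrefGuard.SetHref(profileLink, Request.QueryString["next"]);
```

If the runtime in use does encode HRef on render, this pre-encoding would double-encode ampersands, so check the rendered markup once before adopting it.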