aspnetcore: Razor compiler produces incorrect markup content for single-quoted attributes

Repro: Create a .razor file containing:

<button onclick='alert("hello")'>Click me</button>

Compiled result:

__builder.AddMarkupContent(0, "<button onclick=\"alert(\"hello\")\">Click me</button>");

This is incorrect because the double-quotes inside the attribute haven’t been encoded in any way. At runtime, clicking on the button will produce an error (SyntaxError: Unexpected end of input).

Expected result: Something like

__builder.AddMarkupContent(0, "<button onclick=\"alert(&quot;hello&quot;)\">Click me</button>");

Or even:

__builder.AddMarkupContent(0, "<button onclick='alert(\"hello\")'>Click me</button>");

Do we claim to support single-quoted attributes fully in Razor?

cc @ajaybhargavb @NTaylorMullen
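
The mismatch described in the issue above, as an added example that is not part of the original issue or the Razor compiler's code: it serializes the repro's attribute value three ways and reads each back the way an HTML parser delimits a quoted attribute. All function names are hypothetical, and the reader handles only a single quoted attribute with three character references.

```javascript
// Added example; function names are hypothetical, not Razor compiler APIs.
// `value` is the decoded attribute value the browser is meant to receive.

// Reported behaviour: delimiter switched to " with the value left as-is.
function serializeNaive(name, value) {
  return `${name}="${value}"`;
}

// First expected result: keep " as the delimiter, encode & and " in the value.
function serializeEncoded(name, value) {
  const encoded = value.replace(/&/g, "&amp;").replace(/"/g, "&quot;");
  return `${name}="${encoded}"`;
}

// Second expected result: keep ' when the value has no ', else encode.
function serializePreserving(name, value) {
  if (value.includes("'")) return serializeEncoded(name, value);
  return `${name}='${value.replace(/&/g, "&amp;")}'`;
}

// Minimal reader for one quoted attribute: the value runs up to the next
// occurrence of the opening delimiter, then character references are decoded.
function parseAttributeValue(attr) {
  const start = attr.indexOf("=") + 1;
  const quote = attr[start];
  const end = attr.indexOf(quote, start + 1);
  const entities = { quot: '"', "#39": "'", amp: "&" };
  return attr.slice(start + 1, end).replace(/&(quot|#39|amp);/g, (_, e) => entities[e]);
}

// Compiles the handler body without running it; false on a SyntaxError.
function handlerCompiles(body) {
  try { new Function(body); return true; } catch (e) { return false; }
}

// Constructed sample input: the handler from the repro.
const sample = 'alert("hello")';
for (const serialize of [serializeNaive, serializeEncoded, serializePreserving]) {
  const attr = serialize("onclick", sample);
  const seen = parseAttributeValue(attr);
  console.log(serialize.name, attr, "->", seen, handlerCompiles(seen));
}
```

With the naive form the recovered handler is truncated at the first inner double quote, which is why it fails to compile; both alternative forms round-trip the original value.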

About this issue

  • State: closed
  • Created 4 years ago
  • Comments: 15 (7 by maintainers)

Most upvoted comments

You mean that if, for example, JSON is injected into the HTML, the problem is not there?

Not sure what you mean by that. I was specifically addressing the concern raised above (“many third party html controls also inject html attributes and elements via javascript.”) and saying that’s not relevant to the issue here since JavaScript happens at runtime, so the Razor compiler couldn’t see anything it’s doing anyway. The Razor compiler only runs at compile-time.