Dotnet-Boxed · RehanSaeed · Oct 28, 2019 · Oct 25, 2019 · Oct 25, 2019
diff --git a/Source/Boxed.AspNetCore.TagHelpers/HrefSubresourceIntegrityTagHelper.cs b/Source/Boxed.AspNetCore.TagHelpers/HrefSubresourceIntegrityTagHelper.cs
@@ -1,5 +1,6 @@
 namespace Boxed.AspNetCore.TagHelpers
 {
+    using System.Text.Encodings.Web;
     using Microsoft.AspNetCore.Hosting;
     using Microsoft.AspNetCore.Mvc;
     using Microsoft.AspNetCore.Mvc.Infrastructure;
@@ -21,12 +22,14 @@ public class HrefSubresourceIntegrityTagHelper : SubresourceIntegrityTagHelper
         /// <param name="hostingEnvironment">The hosting environment.</param>
         /// <param name="actionContextAccessor">The MVC action context accessor.</param>
         /// <param name="urlHelperFactory">The URL helper factory.</param>
+        /// <param name="htmlEncoder">The <see cref="HtmlEncoder"/>.</param>
         public HrefSubresourceIntegrityTagHelper(
             IDistributedCache distributedCache,
             IHostingEnvironment hostingEnvironment,
             IActionContextAccessor actionContextAccessor,
-            IUrlHelperFactory urlHelperFactory)
-            : base(distributedCache, hostingEnvironment, actionContextAccessor, urlHelperFactory)
+            IUrlHelperFactory urlHelperFactory,
+            HtmlEncoder htmlEncoder)
+            : base(distributedCache, hostingEnvironment, actionContextAccessor, urlHelperFactory, htmlEncoder)
         {
         }
 

diff --git a/Source/Boxed.AspNetCore.TagHelpers/SrcSubresourceIntegrityTagHelper.cs b/Source/Boxed.AspNetCore.TagHelpers/SrcSubresourceIntegrityTagHelper.cs
@@ -1,5 +1,6 @@
 namespace Boxed.AspNetCore.TagHelpers
 {
+    using System.Text.Encodings.Web;
     using Microsoft.AspNetCore.Hosting;
     using Microsoft.AspNetCore.Mvc;
     using Microsoft.AspNetCore.Mvc.Infrastructure;
@@ -21,12 +22,14 @@ public class SrcSubresourceIntegrityTagHelper : SubresourceIntegrityTagHelper
         /// <param name="hostingEnvironment">The hosting environment.</param>
         /// <param name="actionContextAccessor">The MVC action context accessor.</param>
         /// <param name="urlHelperFactory">The URL helper factory.</param>
+        /// <param name="htmlEncoder">The <see cref="HtmlEncoder"/>.</param>
         public SrcSubresourceIntegrityTagHelper(
             IDistributedCache distributedCache,
             IHostingEnvironment hostingEnvironment,
             IActionContextAccessor actionContextAccessor,
-            IUrlHelperFactory urlHelperFactory)
-            : base(distributedCache, hostingEnvironment, actionContextAccessor, urlHelperFactory)
+            IUrlHelperFactory urlHelperFactory,
+            HtmlEncoder htmlEncoder)
+            : base(distributedCache, hostingEnvironment, actionContextAccessor, urlHelperFactory, htmlEncoder)
         {
         }
 

diff --git a/Source/Boxed.AspNetCore.TagHelpers/SubresourceIntegrityTagHelper.cs b/Source/Boxed.AspNetCore.TagHelpers/SubresourceIntegrityTagHelper.cs
@@ -5,6 +5,7 @@ namespace Boxed.AspNetCore.TagHelpers
     using System.IO;
     using System.Security.Cryptography;
     using System.Text;
+    using System.Text.Encodings.Web;
     using System.Threading.Tasks;
     using Microsoft.AspNetCore.Hosting;
     using Microsoft.AspNetCore.Html;
@@ -32,6 +33,7 @@ public abstract class SubresourceIntegrityTagHelper : TagHelper
         private readonly IDistributedCache distributedCache;
         private readonly IHostingEnvironment hostingEnvironment;
         private readonly IUrlHelper urlHelper;
+        private readonly HtmlEncoder htmlEncoder;
 
         /// <summary>
         /// Initializes a new instance of the <see cref="SubresourceIntegrityTagHelper"/> class.
@@ -40,14 +42,17 @@ public abstract class SubresourceIntegrityTagHelper : TagHelper
         /// <param name="hostingEnvironment">The hosting environment.</param>
         /// <param name="actionContextAccessor">The MVC action context accessor.</param>
         /// <param name="urlHelperFactory">The URL helper factory.</param>
+        /// <param name="htmlEncoder">The <see cref="HtmlEncoder"/>.</param>
         public SubresourceIntegrityTagHelper(
             IDistributedCache distributedCache,
             IHostingEnvironment hostingEnvironment,
             IActionContextAccessor actionContextAccessor,
-            IUrlHelperFactory urlHelperFactory)
+            IUrlHelperFactory urlHelperFactory,
+            HtmlEncoder htmlEncoder)
         {
             this.distributedCache = distributedCache ?? throw new ArgumentNullException(nameof(distributedCache));
             this.hostingEnvironment = hostingEnvironment ?? throw new ArgumentNullException(nameof(hostingEnvironment));
+            this.htmlEncoder = htmlEncoder ?? throw new ArgumentNullException(nameof(htmlEncoder));
 
             if (actionContextAccessor == null)
             {
@@ -105,7 +110,7 @@ public override async Task ProcessAsync(TagHelperContext context, TagHelperOutpu
                 throw new ArgumentNullException(nameof(output));
             }
 
-            var url = output.Attributes[this.UrlAttributeName].Value.ToString();
+            var url = this.GetEncodedStringValue(output.Attributes[this.UrlAttributeName].Value);
 
             if (!string.IsNullOrWhiteSpace(url) && !string.IsNullOrWhiteSpace(this.Source))
             {
@@ -245,5 +250,37 @@ private Task SetCachedSriAsync(string url, string value)
             var bytes = this.ReadAllBytes(filePath);
             return GetSpaceDelimetedSri(bytes, hashAlgorithms);
         }
+
+        private string GetEncodedStringValue(object attributeValue)
+        {
+            if (attributeValue is string stringValue)
+            {
+                var encodedStringValue = this.htmlEncoder.Encode(stringValue);
+                return encodedStringValue;
+            }
+            else
+            {
+                if (attributeValue is IHtmlContent htmlContent)
+                {
+                    if (htmlContent is HtmlString htmlString)
+                    {
+                        // No need for a StringWriter in this case.
+                        stringValue = htmlString.ToString();
+                    }
+                    else
+                    {
+                        using (var writer = new StringWriter())
+                        {
+                            htmlContent.WriteTo(writer, this.htmlEncoder);
+                            stringValue = writer.ToString();
+                        }
+                    }
+
+                    return stringValue;
+                }
+            }
+
+            return attributeValue.ToString();
+        }
     }
 }
diff --git a/Tests/Boxed.AspNetCore.TagHelpers.Test/SubresourceIntegrityTagHelperTest.cs b/Tests/Boxed.AspNetCore.TagHelpers.Test/SubresourceIntegrityTagHelperTest.cs
@@ -3,6 +3,7 @@ namespace Boxed.AspNetCore.TagHelpers.Test
     using System;
     using System.Collections.Generic;
     using System.Text;
+    using System.Text.Encodings.Web;
     using System.Threading;
     using System.Threading.Tasks;
     using Microsoft.AspNetCore.Hosting;
@@ -23,6 +24,7 @@ public class SubresourceIntegrityTagHelperTest
         private readonly Mock<IUrlHelperFactory> urlHelperFactoryMock;
         private readonly Mock<IUrlHelper> urlHelperMock;
         private readonly SubresourceIntegrityTagHelper tagHelper;
+        private readonly Mock<HtmlEncoder> htmlEncoderMock;
 
         public SubresourceIntegrityTagHelperTest()
         {
@@ -31,15 +33,18 @@ public SubresourceIntegrityTagHelperTest()
             this.actionContextAccessor = new Mock<IActionContextAccessor>(MockBehavior.Strict);
             this.urlHelperFactoryMock = new Mock<IUrlHelperFactory>(MockBehavior.Strict);
             this.urlHelperMock = new Mock<IUrlHelper>(MockBehavior.Strict);
+            this.htmlEncoderMock = new Mock<HtmlEncoder>(MockBehavior.Strict);
 
             this.actionContextAccessor.SetupGet(x => x.ActionContext).Returns((ActionContext)null);
             this.urlHelperFactoryMock.Setup(x => x.GetUrlHelper(this.actionContextAccessor.Object.ActionContext)).Returns(this.urlHelperMock.Object);
+            this.htmlEncoderMock.Setup(x => x.Encode(It.IsAny<string>())).Returns((string s) => s);
 
             this.tagHelper = new TestSubresourceIntegrityTagHelper(
                 this.distributedCacheMock.Object,
                 this.hostingEnvironmentMock.Object,
                 this.actionContextAccessor.Object,
-                this.urlHelperFactoryMock.Object);
+                this.urlHelperFactoryMock.Object,
+                this.htmlEncoderMock.Object);
         }
 
         [Fact]
@@ -143,8 +148,9 @@ public class TestSubresourceIntegrityTagHelper : SubresourceIntegrityTagHelper
                 IDistributedCache distributedCache,
                 IHostingEnvironment hostingEnvironment,
                 IActionContextAccessor actionContextAccessor,
-                IUrlHelperFactory urlHelperFactory)
-                : base(distributedCache, hostingEnvironment, actionContextAccessor, urlHelperFactory)
+                IUrlHelperFactory urlHelperFactory,
+                HtmlEncoder htmlEncoder)
+                : base(distributedCache, hostingEnvironment, actionContextAccessor, urlHelperFactory, htmlEncoder)
             {
             }