@Html.Id() implementation does not usefully sanitize return value, breaking JavaScript / CSS selectors
#704
Comments
|
Actually two separate issues here:
Bottom line the |
|
Currently |
dougbu
changed the title
@Html.Id() implementation should not return same value as @Html.Name()@Html.Id() implementation does not usefully sanitize return value, breaking JavaScript / CSS selectors
|
As part of correcting the second part of this bug, should address issue discussed in MVC 5.2 bug 2124. In particular should handle case where first character is invalid or at least the narrower case where first character is an open square bracket. |
- #704 part 1 of 2 - doesn't help tag builders unless done in `DefaultHtmlGenerator`
- #704 part 2 of 2 - change `@Html.Id()` to sanitize return value; was identical to `@Html.Name()` Copied `TagBuilder.CreateSanitizedId()` and `TagBuilder.Html401IdUtil` from MVC 5.2 - except this `CreateSanitizedId()` returns a valid identifier if first `char` is not a letter - e.g. "[0].Name" nits: - expand variable names, use lots of `var`, put `public` members first - add doc comments for `CreateSanitizedId()` Note users will be able to apply different sanitization once we fix #1188.
We generate "sanitized" identifiers in most HTML helpers, substituting
'_'for invalid characters. This is done foridattributes in input helpers, theforattribute in a label generated element, and so on. However it's not done for@Html.Id(),@Html.IdFor(), or@Html.IdForModel(). The current implementation of those methods match their@Html.Name()(and so on) equivalents.Side note: Only whitespace characters are considered invalid now. But MVC 5.2 considers all but alphanumerics and a few special characters invalid. The limited number of invalid characters reduces the impact of this bug but there's still an impact. May also want to double-check what should be invalid and whether there's a reason to break compatibility with MVC 5.2 here.
The text was updated successfully, but these errors were encountered: