HttpUtility.JavaScriptStringEncode single quote behavior does not match documentation

[ogjkoch]

Is there an existing issue for this?

• I have searched the existing issues

Describe the bug

The documentation for HttpUtility.JavaScriptStringEncode states that the single quote character (') will be escaped as \'.

However, it gets escaped as \u0027.

Double quote is escaped as the documentation describes.

Expected Behavior

Expected that HttpUtility.JavaScriptStringEncode functions as documented.

Steps To Reproduce

Pass a string containing a single quote character (') to HttpUtility.JavaScriptStringEncode.

Here is a .NET fiddle displaying this behavior.

Exceptions (if any)

No response

.NET Version

8.0

Anything else?

No response

[amcasey]

Single quote is listed here, but not here. Seems like an oversight, but this file hasn't changed in years, other than to pick up perf and language improvements.

[dotnet-policy-service]

Tagging subscribers to this area: @dotnet/ncl
See info in area-owners.md if you want to be subscribed.

[MihaZupan]

I think the behavior here is correct, \' isn't a valid escape sequence.
The docs appear to be wrong here.

[amcasey]

I think the behavior here is correct, \' isn't a valid escape sequence. The docs appear to be wrong here.

Do you have more details on this behavior? When I type "\'" in the browser console, it outputs "'". Is that a non-compliant implementation? Naively, I would have guessed it was allowed simply because JS allows '-delimited strings.

Or maybe I've misunderstood entirely and we're talking about C# string literals?

Edit: I think this is the relevant grammar production in the ecmascript spec.

[MihaZupan]

Ah, looks like I was looking at JSON, which defines the same set except for '.
Assuming the Unicode escape sequence \u0027 would be treated the same way as \', do you think updating the docs here would be sufficient?
It seems plausible that people are using this API for JSON string escaping, and \' would break those.

[amcasey]

It seems plausible that people are using this API for JSON string escaping, and ' would break those.

While that does seem plausible, the code already escapes '. Changing that seems likely to break people using the type to escape JS strings. It may, however, be worth putting a remark in the docs about having to consider \' if you're escaping for JSON.

[MihaZupan]

Right, I'm suggesting we don't change the behavior here and update the docs instead since over-escaping is fine in JSON (and should be in JS strings as well?).

[amcasey]

My turn to get mixed up. 😆 I forgot what the current state was.

Yes, I think I'd agree that a doc update makes more sense. I kind of wish we had escaped single quote "properly" in the first place, but that ship has sailed.