HtmlEditorExtender - Sanitizer encodes an ampersand twice

[Edminsson]

A created a test for an issue a have with multiple parameters on a querystring.
The ampersand that separates the parameters does not get properly encoded.

public void QueryStringMultipleParameters()
{
    // Arrange
    DefaultHtmlSanitizer target = new DefaultHtmlSanitizer();
    Dictionary<string, string[]> elementWhiteList = CreateElementWhiteList();

    // Act
    string htmlFragment = "<a href=\"http://www.codeplex.com?a=1&b=2\"></a>";
    string actual = target.GetSafeHtmlFragment(htmlFragment, elementWhiteList);

    // Assert
    string expected = "<a href=\"http &#x3A;&#x2F;&#x2F;www&#x2E;codeplex&#x2E;com&#x3F;a&#x3D;1&#x26;b&#x3D;2\"></a>";
    StringAssert.AreEqualIgnoringCase(expected, actual);
}

[MikhailTymchukDX]

Hi @Edminsson ,

This is expected result. Let's see what happens inside the DefaultSanitizer.

The sample text you provided can be simplified to "<a href=\"&\"></a>".
The Sanitizer cleans an attribute value with the CleanAttributeValue method.

There are 2 encoding actions at the end of the method:

• attribute.Value = HttpUtility.HtmlEncode(attribute.Value); that encodes the whole value of the attribute
• call for EncodeCharacterToHtmlEntityEscape(c) that encodes HTML Entities inside a previously HTML encoded string

The first encode action converts "&" into the "&" string.
The second action encodes the first and the last characters, which are both HTML Entities.

So, "&" turns into "&" + "amp" + "&#x3B" (I've split up the string for easy reading).

[Edminsson]

Hi @MikhailTymchukDX
If I take the result from GetSafeHtmlFragment and put it directly on a page and then click on this link then it makes a request to http://www.codeplex.com/?a=1&b=2 which does not work as intended.