`@Html.Id()` implementation does not usefully sanitize return value, breaking JavaScript / CSS selectors

[dougbu]

We generate "sanitized" identifiers in most HTML helpers, substituting '_' for invalid characters. This is done for id attributes in input helpers, the for attribute in a label generated element, and so on. However it's not done for @Html.Id(), @Html.IdFor(), or @Html.IdForModel(). The current implementation of those methods match their @Html.Name() (and so on) equivalents.

Side note: Only whitespace characters are considered invalid now. But MVC 5.2 considers all but alphanumerics and a few special characters invalid. The limited number of invalid characters reduces the impact of this bug but there's still an impact. May also want to double-check what should be invalid and whether there's a reason to break compatibility with MVC 5.2 here.

[dougbu]

Actually two separate issues here:

1. @Html.Id() does not call TagBuilder.CreateSanitizedId() on the returned value and therefore does not replace invalid characters, no matter what the current HTML prefix or expression name may be. That is, currently @Html.Id() and @Html.Name() never return different values.
2. TagBuilder.CreateSanitizedId() is used correctly when adding a default "id" attribute to an HTML element. But it does not escape dots or other characters, confusing even simple jQuery use of CSS validators.

Bottom line the @Html.Id() value currently returned will often contain characters matching [][.#*, >+~=|^$:], all of which could be confused with CSS selector separators. This not only breaks compatibility with MVC 5.2 but greatly reduces the utility of this method. Cleaning up just whitespace doesn't make the default "id" attribute values much more useful.

[dougbu]

Currently @Html.Id() returns same value as @Html.Name(). As mentioned above, this value can include characters that can be confused with CSS selector separators. That breaks JavaScript we and our users may write.

[dougbu]

As part of correcting the second part of this bug, should address issue discussed in MVC 5.2 bug 2124. In particular should handle case where first character is invalid or at least the narrower case where first character is an open square bracket.