ResetPassword code should be HtmlDecoded

[westonsoftware]

An "invalid token" message is displayed periodically on the ResetPassword page after using the ForgotPassword page to send the user an email, and clicking on that link.

https://github.com/aspnet/AspNetCore/blob/bfec2c14be1e65f7dd361a43950d4c848ad0cd35/src/Identity/UI/src/Areas/Identity/Pages/V3/Account/ResetPassword.cshtml.cs#L120

I believe the fix should be to decode the code like this ...

var decoded = System.Web.HttpUtility.HtmlDecode(Input.Code);
var result = await _userManager.ResetPasswordAsync(user, decoded, Input.Password);

I would do a PR for this but I have never contributed before and I thought someone could squeeze this in.
Thanks
--Andy

[westonsoftware]

Note that the code is encoded here in ForgotPassword ...
https://github.com/aspnet/AspNetCore/blob/bfec2c14be1e65f7dd361a43950d4c848ad0cd35/src/Identity/UI/src/Areas/Identity/Pages/V3/Account/ForgotPassword.cshtml.cs#L87

[blowdart]

I know you say it's intermittent, but do you happen to have an example of such a code?

[westonsoftware]

Yes, I should have mentioned, keep trying it until your code has a '+' in it, that was happening to me consistently for a while.

[westonsoftware]

The chars are defined here ...
https://github.com/dotnet/corefx/blob/4636de3b8595ad10eaebf00cbeed715684e7fd1b/src/System.Text.Encodings.Web/src/System/Text/Encodings/Web/HtmlEncoder.cs#L76

[blowdart]

Ah, that would explain it :) + decodes different in forms than in URIs.

@HaoK we have a hint :)

[HaoK]

Didn't notice this one since it wasn't assigned to me, will fix it in preview 8