JSON to be delivered in HTML must not escape ampersand (#812)

claudiamurialdo · claudiamurialdo · commit 9aba862906d9 · 2024-02-21T10:56:56.000-03:00
* JSON to be delivered in HTML must not escape ampersand, it is escaped later in HtmlEncodeInputValue. * Do not delimit encoded json at HtmlEncodeJsonValue. It is already delimited outside HtmlEncodeJsonValue use. (cherry picked from commit ba9c5eb) # Conflicts: # dotnet/src/dotnetframework/GxClasses/Helpers/HttpHelper.cs # dotnet/test/DotNetCoreUnitTest/HttpUtils/HttpUtils.cs
diff --git a/dotnet/src/dotnetframework/GxClasses/Helpers/HttpHelper.cs b/dotnet/src/dotnetframework/GxClasses/Helpers/HttpHelper.cs
@@ -28,6 +28,7 @@
 using System.Runtime.Serialization;
 using GeneXus.Mime;
 using System.Text.RegularExpressions;
+using System.Globalization;
 
 namespace GeneXus.Http
 {
@@ -82,6 +83,8 @@ public static void SetResponseStatus(HttpContext httpContext, string statusCode,
 			HttpStatusCode httpStatusCode = MapStatusCode(statusCode);
 			SetResponseStatus(httpContext, httpStatusCode, statusDescription);
 		}
+
+
 		public static void SetResponseStatus(HttpContext httpContext, HttpStatusCode httpStatusCode, string statusDescription)
 		{
 #if !NETCORE
@@ -339,6 +342,82 @@ public static string[] GetParameterValues(string query)
 				return query.Split(',');
 			}
 		}
+		internal static string HtmlEncodeJsonValue(string value)
+		{
+			return GXUtil.HtmlEncodeInputValue(JsonQuote(value));
+		}
+
+		static void AppendCharAsUnicodeJavaScript(StringBuilder builder, char c)
+		{
+			builder.Append("\\u");
+			int num = c;
+			builder.Append(num.ToString("x4", CultureInfo.InvariantCulture));
+		}
+		/**
+		 * Produce a string in double quotes with backslash sequences in all the
+		 * right places. A backslash will be inserted within </, allowing JSON
+		 * text to be delivered in HTML. In JSON text, a string cannot contain a
+		 * control character or an unescaped quote or backslash.
+		 * */
+		internal static string JsonQuote(string value, bool addDoubleQuotes=false)
+		{
+			string text = string.Empty;
+			if (!string.IsNullOrEmpty(value))
+			{
+				int i;
+				int len = value.Length;
+				StringBuilder sb = new StringBuilder(len + 4);
+
+				for (i = 0; i < len; i += 1)
+				{
+					char c = value[i];
+					switch (c)
+					{
+						case '\\':
+						case '"':
+							sb.Append('\\');
+							sb.Append(c);
+							break;
+						case '\b':
+							sb.Append("\\b");
+							break;
+						case '\t':
+							sb.Append("\\t");
+							break;
+						case '\n':
+							sb.Append("\\n");
+							break;
+						case '\f':
+							sb.Append("\\f");
+							break;
+						case '\r':
+							sb.Append("\\r");
+							break;
+						default:
+							{
+								if (c < ' ')
+								{
+									AppendCharAsUnicodeJavaScript(sb, c);
+								}
+								else
+								{
+									sb.Append(c);
+								}
+							}
+							break;
+					}
+				}
+				text = sb.ToString();
+			}
+			if (!addDoubleQuotes)
+			{
+				return text;
+			}
+			else
+			{
+				return "\"" + text + "\"";
+			}
+		}
 
 	}
 #if NETCORE
@@ -467,7 +546,7 @@ public static void AddHeader(this HttpResponse response, string name, string val
 
 		public static void Write(this HttpResponse response, string value)
 		{
-			//response.WriteAsync(value).Wait();
+			//response.WriteAsync(value).Wait();//Unsupported by GxHttpAzureResponse
 			response.Body.Write(Encoding.UTF8.GetBytes(value));
 		}
 		public static void WriteFile(this HttpResponse response, string fileName)
diff --git a/dotnet/src/dotnetframework/GxClasses/Middleware/GXHttp.cs b/dotnet/src/dotnetframework/GxClasses/Middleware/GXHttp.cs
@@ -1522,7 +1522,7 @@ protected void SendState()
 				context.httpAjaxContext.AddStylesHidden();
 				if (IsSpaRequest())
 				{
-					context.WriteHtmlTextNl("<script>gx.ajax.saveJsonResponse('" + GXUtil.HtmlEncodeInputValue(HttpUtility.JavaScriptStringEncode(context.getJSONResponse())) + "');</script>");
+					context.WriteHtmlTextNl("<script>gx.ajax.saveJsonResponse('" + HttpHelper.HtmlEncodeJsonValue(context.getJSONResponse()) + "');</script>");
 				}
 				else
 				{
diff --git a/dotnet/test/DotNetCoreUnitTest/HttpUtils/HttpUtils.cs b/dotnet/test/DotNetCoreUnitTest/HttpUtils/HttpUtils.cs
@@ -0,0 +1,25 @@
+using System;
+using System.Web;
+using GeneXus.Application;
+using GeneXus.Http;
+using GeneXus.Utils;
+using Xunit;
+
+namespace DotNetCoreUnitTest.HttpUtils
+{
+	public class TestHttpUtils
+	{
+
+		[Fact]
+		public void TestDoNotDoubleEncodeAmpersand()
+		{
+			string state = "{\"gxProps\":[\"FORM\":{\"Class\":\"form-horizontal Form\"}}], \"gxHiddens\":{\"gxhash_vA\":\"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9\"," +
+				"\"hsh\":\"C/CAcgMV0JZC/+o3ikT+R2Hhb1LcQ==\",\"Z3c\":\"&#039;\"}]}}";
+
+			string jsonEncoded = HttpHelper.HtmlEncodeJsonValue(state);
+			Assert.Contains("&amp;", jsonEncoded, StringComparison.OrdinalIgnoreCase);
+			Assert.StartsWith("{", jsonEncoded, StringComparison.OrdinalIgnoreCase);
+		}
+
+	}
+}

Original file line number	Diff line number	Diff line change
`@@ -1522,7 +1522,7 @@ protected void SendState()`
`1522`	`1522`	`context.httpAjaxContext.AddStylesHidden();`
`1523`	`1523`	`if (IsSpaRequest())`
`1524`	`1524`	`{`
`1525`		`- context.WriteHtmlTextNl("<script>gx.ajax.saveJsonResponse('" + GXUtil.HtmlEncodeInputValue(HttpUtility.JavaScriptStringEncode(context.getJSONResponse())) + "');</script>");`
	`1525`	`+ context.WriteHtmlTextNl("<script>gx.ajax.saveJsonResponse('" + HttpHelper.HtmlEncodeJsonValue(context.getJSONResponse()) + "');</script>");`
`1526`	`1526`	`}`
`1527`	`1527`	`else`
`1528`	`1528`	`{`