JSON to be delivered in HTML must not escape ampersand (#812)

claudiamurialdo · claudiamurialdo · commit a7a9f5f92758 · 2023-05-17T15:41:07.000-03:00
* JSON to be delivered in HTML must not escape ampersand, it is escaped later in HtmlEncodeInputValue. * Do not delimit encoded json at HtmlEncodeJsonValue. It is already delimited outside HtmlEncodeJsonValue use. (cherry picked from commit ba9c5eb)
diff --git a/dotnet/src/dotnetframework/GxClasses/Helpers/HttpHelper.cs b/dotnet/src/dotnetframework/GxClasses/Helpers/HttpHelper.cs
@@ -25,6 +25,7 @@
 using System.Runtime.Serialization;
 using GeneXus.Mime;
 using System.Text.RegularExpressions;
+using System.Globalization;
 
 namespace GeneXus.Http
 {
@@ -349,6 +350,82 @@ public static string[] GetParameterValues(string query)
 				return query.Split(',');
 			}
 		}
+		internal static string HtmlEncodeJsonValue(string value)
+		{
+			return GXUtil.HtmlEncodeInputValue(JsonQuote(value));
+		}
+
+		static void AppendCharAsUnicodeJavaScript(StringBuilder builder, char c)
+		{
+			builder.Append("\\u");
+			int num = c;
+			builder.Append(num.ToString("x4", CultureInfo.InvariantCulture));
+		}
+		/**
+		 * Produce a string in double quotes with backslash sequences in all the
+		 * right places. A backslash will be inserted within </, allowing JSON
+		 * text to be delivered in HTML. In JSON text, a string cannot contain a
+		 * control character or an unescaped quote or backslash.
+		 * */
+		internal static string JsonQuote(string value, bool addDoubleQuotes=false)
+		{
+			string text = string.Empty;
+			if (!string.IsNullOrEmpty(value))
+			{
+				int i;
+				int len = value.Length;
+				StringBuilder sb = new StringBuilder(len + 4);
+
+				for (i = 0; i < len; i += 1)
+				{
+					char c = value[i];
+					switch (c)
+					{
+						case '\\':
+						case '"':
+							sb.Append('\\');
+							sb.Append(c);
+							break;
+						case '\b':
+							sb.Append("\\b");
+							break;
+						case '\t':
+							sb.Append("\\t");
+							break;
+						case '\n':
+							sb.Append("\\n");
+							break;
+						case '\f':
+							sb.Append("\\f");
+							break;
+						case '\r':
+							sb.Append("\\r");
+							break;
+						default:
+							{
+								if (c < ' ')
+								{
+									AppendCharAsUnicodeJavaScript(sb, c);
+								}
+								else
+								{
+									sb.Append(c);
+								}
+							}
+							break;
+					}
+				}
+				text = sb.ToString();
+			}
+			if (!addDoubleQuotes)
+			{
+				return text;
+			}
+			else
+			{
+				return "\"" + text + "\"";
+			}
+		}
 
 	}
 #if NETCORE
diff --git a/dotnet/src/dotnetframework/GxClasses/Middleware/GXHttp.cs b/dotnet/src/dotnetframework/GxClasses/Middleware/GXHttp.cs
@@ -1548,7 +1548,7 @@ protected void SendState()
 				context.httpAjaxContext.AddStylesHidden();
 				if (IsSpaRequest())
 				{
-					context.WriteHtmlTextNl("<script>gx.ajax.saveJsonResponse('" + GXUtil.HtmlEncodeInputValue(HttpUtility.JavaScriptStringEncode(context.getJSONResponse())) + "');</script>");
+					context.WriteHtmlTextNl("<script>gx.ajax.saveJsonResponse('" + HttpHelper.HtmlEncodeJsonValue(context.getJSONResponse()) + "');</script>");
 				}
 				else
 				{

Original file line number	Diff line number	Diff line change
`@@ -1548,7 +1548,7 @@ protected void SendState()`
`1548`	`1548`	`context.httpAjaxContext.AddStylesHidden();`
`1549`	`1549`	`if (IsSpaRequest())`
`1550`	`1550`	`{`
`1551`		`- context.WriteHtmlTextNl("<script>gx.ajax.saveJsonResponse('" + GXUtil.HtmlEncodeInputValue(HttpUtility.JavaScriptStringEncode(context.getJSONResponse())) + "');</script>");`
	`1551`	`+ context.WriteHtmlTextNl("<script>gx.ajax.saveJsonResponse('" + HttpHelper.HtmlEncodeJsonValue(context.getJSONResponse()) + "');</script>");`
`1552`	`1552`	`}`
`1553`	`1553`	`else`
`1554`	`1554`	`{`