JSON to be delivered in HTML must not escape ampersand, it is escaped later in HtmlEncodeInputValue.

Author: claudiamurialdo

dotnet/src/dotnetframework/GxClasses/Helpers/HttpHelper.cs

@@ -27,7 +27,7 @@
 using System.Text.RegularExpressions;
 using Microsoft.Net.Http.Headers;
 using System.Net.Http;
-using System.Linq;
+using System.Globalization;
 
 namespace GeneXus.Http
 {
@@ -451,6 +451,82 @@ internal static void AllowHeader(HttpContext httpContext, List<string> methods)
 		{
 			httpContext.Response.AppendHeader(HeaderNames.Allow, string.Join(",", methods));
 		}
+		internal static string HtmlEncodeJsonValue(string value)
+		{
+			return GXUtil.HtmlEncodeInputValue(JsonQuote(value));
+		}
+
+		static void AppendCharAsUnicodeJavaScript(StringBuilder builder, char c)
+		{
+			builder.Append("\\u");
+			int num = c;
+			builder.Append(num.ToString("x4", CultureInfo.InvariantCulture));
+		}
+		/**
+		 * Produce a string in double quotes with backslash sequences in all the
+		 * right places. A backslash will be inserted within </, allowing JSON
+		 * text to be delivered in HTML. In JSON text, a string cannot contain a
+		 * control character or an unescaped quote or backslash.
+		 * */
+		internal static string JsonQuote(string value)
+		{
+
+			if (value == null || value.Length == 0)
+			{
+				return "\"\"";
+			}
+
+			char b;
+			char c = (char)0;
+			int i;
+			int len = value.Length;
+			StringBuilder sb = new StringBuilder(len + 4);
+
+			sb.Append('"');
+			for (i = 0; i < len; i += 1)
+			{
+				b = c;
+				c = value[i];
+				switch (c)
+				{
+					case '\\':
+					case '"':
+						sb.Append('\\');
+						sb.Append(c);
+						break;
+					case '\b':
+						sb.Append("\\b");
+						break;
+					case '\t':
+						sb.Append("\\t");
+						break;
+					case '\n':
+						sb.Append("\\n");
+						break;
+					case '\f':
+						sb.Append("\\f");
+						break;
+					case '\r':
+						sb.Append("\\r");
+						break;
+					default:
+						{
+							if (c < ' ')
+							{
+								AppendCharAsUnicodeJavaScript(sb, c);
+							}
+							else
+							{
+								sb.Append(c);
+							}
+						}
+						break;
+				}
+			}
+			sb.Append('"');
+			return sb.ToString();
+		}
+
 	}
 #if NETCORE
 	public class HttpCookieCollection : Dictionary<string, HttpCookie>

dotnet/src/dotnetframework/GxClasses/Middleware/GXHttp.cs

@@ -1585,7 +1585,7 @@ protected void SendState()
 				context.httpAjaxContext.AddStylesHidden();
 				if (IsSpaRequest())
 				{
-					context.WriteHtmlTextNl("<script>gx.ajax.saveJsonResponse('" + GXUtil.HtmlEncodeInputValue(HttpUtility.JavaScriptStringEncode(context.getJSONResponse())) + "');</script>");
+					context.WriteHtmlTextNl("<script>gx.ajax.saveJsonResponse('" + HttpHelper.HtmlEncodeJsonValue(context.getJSONResponse()) + "');</script>");
 				}
 				else
 				{

dotnet/test/DotNetCoreUnitTest/HttpUtils/HttpUtils.cs

@@ -1,5 +1,7 @@
 using System;
+using System.Web;
 using GeneXus.Application;
+using GeneXus.Http;
 using GeneXus.Utils;
 using Xunit;
 
@@ -62,5 +64,16 @@ private static void DoTest(string contentDisposition, string expectedContentDisp
 
 			Assert.Equal(expectedContentDisposition, encodedValue);
 		}
+
+		[Fact]
+		public void TestDoNotDoubleEncodeAmpersand()
+		{
+			string state = "{\"gxProps\":[\"FORM\":{\"Class\":\"form-horizontal Form\"}}], \"gxHiddens\":{\"gxhash_vA\":\"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9\"," +
+				"\"hsh\":\"C/CAcgMV0JZC/+o3ikT+R2Hhb1LcQ==\",\"Z3c\":\"'\"}]}}";
+
+			string jsonEncoded = HttpHelper.HtmlEncodeJsonValue(state);
+			Assert.Contains("&", jsonEncoded, StringComparison.OrdinalIgnoreCase);
+		}
+
 	}
 }