This repository has been archived by the owner on Dec 14, 2018. It is now read-only.

IViewLocalizer not encoding HTML special characters #8225

Closed
FranklinWhale opened this issue Aug 7, 2018 · 6 comments

@FranklinWhale

FranklinWhale commented Aug 7, 2018

Using ASP.NET Core 2.1.302,

When a value in a resource file contains special characters (<, >, &, " and ') and is used in a Razor page through an IViewLocalizer, it is printed to the HTML output directly without any encoding. However, when it is wrapped by Html.Encode, the value is double encoded.

Steps to reproduce:

  1. Create a resx file that contains the following data:

     ```xml
     <data name="TestContent" xml:space="preserve">
     	<value>This is a test site &lt;"&amp;'&gt;</value>
     </data>
     ```

  2. Create a Razor page with an IViewLocalizer injected
  3. In the Razor page, add the following tag:

     ```cshtml
     <p>@Localizer["TestContent"]</p>
     ```

  4. Verify whether the content of the p element in the HTML source is encoded.

@pranavkm
Contributor

pranavkm commented Aug 7, 2018

That's intentional. See the docs - https://docs.microsoft.com/en-us/aspnet/core/fundamentals/localization?view=aspnetcore-2.1#make-the-apps-content-localizable - if you want specific items to be encoded, you can use a formatted string and pass them to the localizer as a format argument.

@FranklinWhale
Author

Thanks for the information.

I didn't expect that the encoding behaviors of the localizers are different from those for Model and ViewData. As the document said, "You generally want to only localize text and not HTML.", and text should be always encoded.

Is it possible to have a localizer that encodes all returned values without using format argument?

FranklinWhale changed the title from "IHtmlLocalizer and IViewLocalizer not encoding HTML special characters" to "IViewLocalizer not encoding HTML special characters" on Aug 7, 2018

@FranklinWhale
Author

Changed the issue title as this issue affects IViewLocalizer only. Being the localizer for Razor pages, there should be an option to enable HTML encoding for all values.

@FranklinWhale
Author

Found a workaround (or the solution):

Instead of using the item property, use the GetString extension method.

That is to change

```cshtml
<p>@Localizer["TestContent"]</p>
```

to

```cshtml
<p>@Localizer.GetString("TestContent")</p>
```

@pranavkm Do you think that the GetString method should be mentioned at https://docs.microsoft.com/en-us/aspnet/core/fundamentals/localization?view=aspnetcore-2.1#make-the-apps-content-localizable?

@pranavkm
Contributor

pranavkm commented Aug 8, 2018

> Do you think that the GetString method should be mentioned

Sure. If it unblocks your scenario, might be worth adding it to the docs. I'd possibly mention the risk of double encoding if the original value happened to be already encoded.

@mkArtakMSFT
Member

Thanks folks. Closing this as there is no action pending here.
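
The behaviour discussed in this thread, as an added example that is not code from the issue or from the ASP.NET Core project: it contrasts how a value returned by the `IViewLocalizer` indexer and one returned by `GetString` reach the HTML output, including the format-argument case and the double-encoding risk. The class and method names are hypothetical, the sample strings are constructed, and `HtmlEncoder.Default.Encode` stands in for the encoding Razor applies to values that are not `IHtmlContent`; it assumes a project referencing Microsoft.AspNetCore.Mvc.Localization.

```csharp
using System;
using System.IO;
using System.Text.Encodings.Web;
using Microsoft.AspNetCore.Mvc.Localization;
using Microsoft.Extensions.Localization;

// Hypothetical demo class; not part of ASP.NET Core or of the issue thread.
public static class LocalizerEncodingDemo
{
    // Constructed sample: the resx value from the report after XML unescaping.
    private const string ResourceValue = "This is a test site <\"&'>";

    // Models @Localizer["TestContent"]: the indexer returns a LocalizedHtmlString
    // (an IHtmlContent), so the resource text is written without HTML encoding.
    // Only the format arguments are passed through the encoder.
    public static string RenderIndexer(string value, params object[] args)
    {
        var html = new LocalizedHtmlString("TestContent", value, false, args);
        using (var writer = new StringWriter())
        {
            html.WriteTo(writer, HtmlEncoder.Default);
            return writer.ToString();
        }
    }

    // Models @Localizer.GetString("TestContent"): a LocalizedString is plain
    // text to Razor, so its value is HTML-encoded once when it is written.
    public static string RenderGetString(string value)
    {
        var text = new LocalizedString("TestContent", value);
        return HtmlEncoder.Default.Encode(text.ToString());
    }

    public static void Main()
    {
        // Indexer: markup characters in the resource reach the page as markup.
        Console.WriteLine(RenderIndexer(ResourceValue));
        // GetString: the same value is emitted as encoded text.
        Console.WriteLine(RenderGetString(ResourceValue));
        // Indexer with a format argument: the template's <b> stays markup,
        // the argument (constructed sample) is encoded.
        Console.WriteLine(RenderIndexer("Hello <b>{0}</b>", "<script>"));
        // GetString on a resource that already stores entities (constructed
        // sample): the ampersand is encoded again, i.e. double encoding.
        Console.WriteLine(RenderGetString("Terms &amp; Conditions"));
    }
}
```

Resource files that translators or other third parties can edit are untrusted input to the indexer path, so values rendered that way should be reviewed for markup before release.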
