From 8a8e98e1b2d744d2cec2071716de42291c827554 Mon Sep 17 00:00:00 2001
From: Artak <34246760+mkArtakMSFT@users.noreply.github.com>
Date: Tue, 10 Sep 2019 14:30:52 -0700
Subject: [PATCH] Fix encoding used in JS generated by prerenderer (#13865)

---
 .../src/Prerendering/RenderToStringResult.cs  | 11 ++-
 ...rosoft.AspNetCore.SpaServices.Tests.csproj | 11 +++
 .../test/RenderToStringResultTests.cs         | 71 +++++++++++++++++++
 3 files changed, 90 insertions(+), 3 deletions(-)
 create mode 100644 src/Middleware/SpaServices/test/Microsoft.AspNetCore.SpaServices.Tests.csproj
 create mode 100644 src/Middleware/SpaServices/test/RenderToStringResultTests.cs

diff --git a/src/Middleware/SpaServices/src/Prerendering/RenderToStringResult.cs b/src/Middleware/SpaServices/src/Prerendering/RenderToStringResult.cs
index f6f5d77911..ce37c54fed 100644
--- a/src/Middleware/SpaServices/src/Prerendering/RenderToStringResult.cs
+++ b/src/Middleware/SpaServices/src/Prerendering/RenderToStringResult.cs
@@ -5,6 +5,7 @@ using System;
 using Newtonsoft.Json;
 using Newtonsoft.Json.Linq;
 using System.Text;
+using System.Text.Encodings.Web;
 
 namespace Microsoft.AspNetCore.SpaServices.Prerendering
 {
@@ -54,9 +55,13 @@ namespace Microsoft.AspNetCore.SpaServices.Prerendering
 
             foreach (var property in Globals.Properties())
             {
-                stringBuilder.AppendFormat("window.{0} = {1};",
-                    property.Name,
-                    property.Value.ToString(Formatting.None));
+                var propertyNameJavaScriptString = JavaScriptEncoder.Default.Encode(property.Name);
+                var valueJson = property.Value.ToString(Formatting.None);
+                var valueJsonJavaScriptString = JavaScriptEncoder.Default.Encode(valueJson);
+
+                stringBuilder.AppendFormat("window[\"{0}\"] = JSON.parse(\"{1}\");",
+                    propertyNameJavaScriptString,
+                    valueJsonJavaScriptString);
             }
 
             return stringBuilder.ToString();
diff --git a/src/Middleware/SpaServices/test/Microsoft.AspNetCore.SpaServices.Tests.csproj b/src/Middleware/SpaServices/test/Microsoft.AspNetCore.SpaServices.Tests.csproj
new file mode 100644
index 0000000000..0d18e4e2a0
--- /dev/null
+++ b/src/Middleware/SpaServices/test/Microsoft.AspNetCore.SpaServices.Tests.csproj
@@ -0,0 +1,11 @@
+<Project Sdk="Microsoft.NET.Sdk">
+
+  <PropertyGroup>
+    <TargetFrameworks>netcoreapp3.0</TargetFrameworks>
+  </PropertyGroup>
+
+  <ItemGroup>
+    <Reference Include="Microsoft.AspNetCore.SpaServices" />
+  </ItemGroup>
+
+</Project>
diff --git a/src/Middleware/SpaServices/test/RenderToStringResultTests.cs b/src/Middleware/SpaServices/test/RenderToStringResultTests.cs
new file mode 100644
index 0000000000..e87312d211
--- /dev/null
+++ b/src/Middleware/SpaServices/test/RenderToStringResultTests.cs
@@ -0,0 +1,71 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System.Collections.Generic;
+using Microsoft.AspNetCore.SpaServices.Prerendering;
+using Newtonsoft.Json;
+using Newtonsoft.Json.Linq;
+using Xunit;
+
+namespace Microsoft.AspNetCore.SpaServices.Tests
+{
+    public class RenderToStringResultTest
+    {
+        [Fact]
+        public void HandlesNullGlobals()
+        {
+            // Arrange
+            var renderToStringResult = new RenderToStringResult();
+            renderToStringResult.Globals = null;
+
+            // Act
+            var actualScript = renderToStringResult.CreateGlobalsAssignmentScript();
+
+            // Assert
+            Assert.Equal(string.Empty, actualScript);
+        }
+
+        [Fact]
+        public void HandlesGlobalsWithMultipleProperties()
+        {
+            // Arrange
+            var renderToStringResult = new RenderToStringResult();
+            renderToStringResult.Globals = ToJObject(new
+            {
+                FirstProperty = "first value",
+                SecondProperty = new[] { "Array entry 0", "Array entry 1" }
+            });
+
+            // Act
+            var actualScript = renderToStringResult.CreateGlobalsAssignmentScript();
+
+            // Assert
+            var expectedScript = @"window[""FirstProperty""] = JSON.parse(""\u0022first value\u0022"");" +
+                @"window[""SecondProperty""] = JSON.parse(""[\u0022Array entry 0\u0022,\u0022Array entry 1\u0022]"");";
+            Assert.Equal(expectedScript, actualScript);
+        }
+
+        [Fact]
+        public void HandlesGlobalsWithCorrectStringEncoding()
+        {
+            // Arrange
+            var renderToStringResult = new RenderToStringResult();
+            renderToStringResult.Globals = ToJObject(new Dictionary<string, object>
+            {
+                { "Va<l'u\"e", "</tag>\"'}\u260E" }
+            });
+
+            // Act
+            var actualScript = renderToStringResult.CreateGlobalsAssignmentScript();
+
+            // Assert
+            var expectedScript = @"window[""Va\u003Cl\u0027u\u0022e""] = JSON.parse(""\u0022\u003C/tag\u003E\\\u0022\u0027}\u260E\u0022"");";
+            Assert.Equal(expectedScript, actualScript);
+        }
+
+        private static JObject ToJObject(object value)
+        {
+            return JsonConvert.DeserializeObject<JObject>(JsonConvert.SerializeObject(value));
+        }
+    }
+}