HTML-encode TagHelper titles and texts for security

framework/src/Volo.Abp.AspNetCore.Mvc.UI.Bootstrap/TagHelpers/Breadcrumb/AbpBreadcrumbItemTagHelperService.cs

@@ -46,7 +46,7 @@ protected virtual string GetInnerHtml(TagHelperContext context, TagHelperOutput
 
         var link = new TagBuilder("a");
         link.Attributes.Add("href", TagHelper.Href);
-        link.InnerHtml.AppendHtml(TagHelper.Title);
+        link.InnerHtml.AppendHtml(_encoder.Encode(TagHelper.Title));
         return link.ToHtmlString();
     }
 }

framework/src/Volo.Abp.AspNetCore.Mvc.UI.Bootstrap/TagHelpers/Button/AbpButtonTagHelperService.cs

@@ -2,6 +2,7 @@
 using Microsoft.AspNetCore.Razor.TagHelpers;
 using Microsoft.Extensions.Localization;
 using System;
+using System.Text.Encodings.Web;
 
 namespace Volo.Abp.AspNetCore.Mvc.UI.Bootstrap.TagHelpers.Button;
 
@@ -12,7 +13,8 @@ public class AbpButtonTagHelperService : AbpButtonTagHelperServiceBase<AbpButton
 
     protected IStringLocalizer<AbpUiResource> L { get; }
 
-    public AbpButtonTagHelperService(IStringLocalizer<AbpUiResource> localizer)
+    public AbpButtonTagHelperService(HtmlEncoder encoder, IStringLocalizer<AbpUiResource> localizer)
+        : base(encoder)
     {
         L = localizer;
     }

framework/src/Volo.Abp.AspNetCore.Mvc.UI.Bootstrap/TagHelpers/Button/AbpButtonTagHelperServiceBase.cs

@@ -1,13 +1,21 @@
 using Microsoft.AspNetCore.Mvc.Rendering;
 using Microsoft.AspNetCore.Razor.TagHelpers;
 using System;
+using System.Text.Encodings.Web;
 using Volo.Abp.AspNetCore.Mvc.UI.Bootstrap.Microsoft.AspNetCore.Razor.TagHelpers;
 
 namespace Volo.Abp.AspNetCore.Mvc.UI.Bootstrap.TagHelpers.Button;
 
 public abstract class AbpButtonTagHelperServiceBase<TTagHelper> : AbpTagHelperService<TTagHelper>
     where TTagHelper : TagHelper, IButtonTagHelperBase
 {
+    protected HtmlEncoder Encoder { get; }
+
+    protected AbpButtonTagHelperServiceBase(HtmlEncoder encoder)
+    {
+        Encoder = encoder;
+    }
+
     public override void Process(TagHelperContext context, TagHelperOutput output)
     {
         NormalizeTagMode(context, output);
@@ -69,7 +77,7 @@ protected virtual void AddText(TagHelperContext context, TagHelperOutput output)
         }
 
         var span = new TagBuilder("span");
-        span.InnerHtml.AppendHtml(TagHelper.Text!);
+        span.InnerHtml.AppendHtml(Encoder.Encode(TagHelper.Text!));
         output.Content.AppendHtml(span);
     }
 

framework/src/Volo.Abp.AspNetCore.Mvc.UI.Bootstrap/TagHelpers/Button/AbpLinkButtonTagHelperService.cs

@@ -1,10 +1,17 @@
 using System;
+using System.Text.Encodings.Web;
 using Microsoft.AspNetCore.Razor.TagHelpers;
 
 namespace Volo.Abp.AspNetCore.Mvc.UI.Bootstrap.TagHelpers.Button;
 
 public class AbpLinkButtonTagHelperService : AbpButtonTagHelperServiceBase<AbpLinkButtonTagHelper>
 {
+    public AbpLinkButtonTagHelperService(HtmlEncoder encoder)
+        : base(encoder)
+    {
+
+    }
+
     public override void Process(TagHelperContext context, TagHelperOutput output)
     {
         base.Process(context, output);

framework/src/Volo.Abp.AspNetCore.Mvc.UI.Bootstrap/TagHelpers/Card/AbpCardBodyTagHelperService.cs

@@ -1,4 +1,5 @@
 using System;
+using System.Text.Encodings.Web;
 using Microsoft.AspNetCore.Mvc.Rendering;
 using Microsoft.AspNetCore.Razor.TagHelpers;
 using Volo.Abp.AspNetCore.Mvc.UI.Bootstrap.Microsoft.AspNetCore.Razor.TagHelpers;
@@ -7,6 +8,13 @@ namespace Volo.Abp.AspNetCore.Mvc.UI.Bootstrap.TagHelpers.Card;
 
 public class AbpCardBodyTagHelperService : AbpTagHelperService<AbpCardBodyTagHelper>
 {
+    protected HtmlEncoder Encoder { get; }
+
+    public AbpCardBodyTagHelperService(HtmlEncoder encoder)
+    {
+        Encoder = encoder;
+    }
+
     public override void Process(TagHelperContext context, TagHelperOutput output)
     {
         output.TagName = "div";
@@ -22,7 +30,7 @@ protected virtual void ProcessTitle(TagHelperOutput output)
         {
             var cardTitle = new TagBuilder(AbpCardTitleTagHelper.DefaultHeading.ToHtmlTag());
             cardTitle.AddCssClass("card-title");
-            cardTitle.InnerHtml.AppendHtml(TagHelper.Title!);
+            cardTitle.InnerHtml.AppendHtml(Encoder.Encode(TagHelper.Title!));
             output.PreContent.AppendHtml(cardTitle);
         }
     }
@@ -33,7 +41,7 @@ protected virtual void ProcessSubtitle(TagHelperOutput output)
         {
             var cardSubtitle = new TagBuilder(AbpCardSubtitleTagHelper.DefaultHeading.ToHtmlTag());
             cardSubtitle.AddCssClass("card-subtitle mb-2");
-            cardSubtitle.InnerHtml.AppendHtml(TagHelper.Subtitle!);
+            cardSubtitle.InnerHtml.AppendHtml(Encoder.Encode(TagHelper.Subtitle!));
             output.PreContent.AppendHtml(cardSubtitle);
         }
     }

framework/src/Volo.Abp.AspNetCore.Mvc.UI.Bootstrap/TagHelpers/Carousel/AbpCarouselItemTagHelperService.cs

@@ -66,10 +66,10 @@ protected virtual void AddCaption(TagHelperContext context, TagHelperOutput outp
         }
 
         var title = new TagBuilder("h5");
-        title.InnerHtml.AppendHtml(TagHelper.CaptionTitle!);
+        title.InnerHtml.AppendHtml(_encoder.Encode(TagHelper.CaptionTitle!));
 
         var caption = new TagBuilder("p");
-        caption.InnerHtml.AppendHtml(TagHelper.Caption!);
+        caption.InnerHtml.AppendHtml(_encoder.Encode(TagHelper.Caption!));
 
         var wrapper = new TagBuilder("div");
         wrapper.AddCssClass("carousel-caption d-none d-md-block");

framework/src/Volo.Abp.AspNetCore.Mvc.UI.Bootstrap/TagHelpers/Collapse/AbpAccordionItemTagHelperService.cs

@@ -2,13 +2,21 @@
 using Microsoft.AspNetCore.Razor.TagHelpers;
 using System;
 using System.Collections.Generic;
+using System.Text.Encodings.Web;
 using System.Threading.Tasks;
 using Volo.Abp.AspNetCore.Mvc.UI.Bootstrap.TagHelpers.Extensions;
 
 namespace Volo.Abp.AspNetCore.Mvc.UI.Bootstrap.TagHelpers.Collapse;
 
 public class AbpAccordionItemTagHelperService : AbpTagHelperService<AbpAccordionItemTagHelper>
 {
+    protected HtmlEncoder Encoder { get; }
+
+    public AbpAccordionItemTagHelperService(HtmlEncoder encoder)
+    {
+        Encoder = encoder;
+    }
+
     public override async Task ProcessAsync(TagHelperContext context, TagHelperOutput output)
     {
         SetRandomIdIfNotProvided();
@@ -32,7 +40,7 @@ protected virtual string GetAccordionHeaderItem(TagHelperContext context, TagHel
         button.Attributes.Add("data-bs-target", "#" + GetContentId());
         button.Attributes.Add("aria-expanded", "true");
         button.Attributes.Add("aria-controls", GetContentId());
-        button.InnerHtml.AppendHtml(TagHelper.Title);
+        button.InnerHtml.AppendHtml(Encoder.Encode(TagHelper.Title));
 
         var h5 = new TagBuilder("h5");
         h5.AddCssClass("mb-0");

framework/src/Volo.Abp.AspNetCore.Mvc.UI.Bootstrap/TagHelpers/Form/AbpRadioInputTagHelperService.cs

@@ -7,17 +7,20 @@
 using System.Linq;
 using System.Reflection;
 using System.Text;
+using System.Text.Encodings.Web;
 using Volo.Abp.AspNetCore.Mvc.UI.Bootstrap.TagHelpers.Extensions;
 
 namespace Volo.Abp.AspNetCore.Mvc.UI.Bootstrap.TagHelpers.Form;
 
 public class AbpRadioInputTagHelperService : AbpTagHelperService<AbpRadioInputTagHelper>
 {
     private readonly IAbpTagHelperLocalizer _tagHelperLocalizer;
+    private readonly HtmlEncoder _htmlEncoder;
 
-    public AbpRadioInputTagHelperService(IAbpTagHelperLocalizer tagHelperLocalizer)
+    public AbpRadioInputTagHelperService(IAbpTagHelperLocalizer tagHelperLocalizer, HtmlEncoder htmlEncoder)
     {
         _tagHelperLocalizer = tagHelperLocalizer;
+        _htmlEncoder = htmlEncoder;
     }
 
     public override void Process(TagHelperContext context, TagHelperOutput output)
@@ -74,7 +77,7 @@ protected virtual string GetHtml(TagHelperContext context, TagHelperOutput outpu
             var label = new TagBuilder("label");
             label.AddCssClass("form-check-label");
             label.Attributes.Add("for", id);
-            label.InnerHtml.AppendHtml(selectItem.Text);
+            label.InnerHtml.AppendHtml(_htmlEncoder.Encode(selectItem.Text));
 
             var wrapper = new TagBuilder("div");
             wrapper.AddCssClass("form-check" + inlineClass);

framework/src/Volo.Abp.AspNetCore.Mvc.UI.Bootstrap/TagHelpers/Modal/AbpModalHeaderTagHelperService.cs

@@ -1,4 +1,5 @@
-using Localization.Resources.AbpUi;
+using System.Text.Encodings.Web;
+using Localization.Resources.AbpUi;
 using Microsoft.AspNetCore.Mvc.Rendering;
 using Microsoft.AspNetCore.Razor.TagHelpers;
 using Microsoft.Extensions.Localization;
@@ -9,10 +10,12 @@ namespace Volo.Abp.AspNetCore.Mvc.UI.Bootstrap.TagHelpers.Modal;
 public class AbpModalHeaderTagHelperService : AbpTagHelperService<AbpModalHeaderTagHelper>
 {
     protected IStringLocalizer<AbpUiResource> L { get; }
+    protected HtmlEncoder Encoder { get; }
 
-    public AbpModalHeaderTagHelperService(IStringLocalizer<AbpUiResource> localizer)
+    public AbpModalHeaderTagHelperService(IStringLocalizer<AbpUiResource> localizer, HtmlEncoder encoder)
     {
         L = localizer;
+        Encoder = encoder;
     }
 
     public override void Process(TagHelperContext context, TagHelperOutput output)
@@ -27,7 +30,7 @@ protected virtual string CreatePreContent()
     {
         var title = new TagBuilder("h5");
         title.AddCssClass("modal-title");
-        title.InnerHtml.AppendHtml(TagHelper.Title);
+        title.InnerHtml.AppendHtml(Encoder.Encode(TagHelper.Title));
 
         return title.ToHtmlString();
     }

framework/src/Volo.Abp.AspNetCore.Mvc.UI.Bootstrap/TagHelpers/Tab/AbpTabDropdownTagHelperService.cs

@@ -2,13 +2,21 @@
 using Microsoft.AspNetCore.Razor.TagHelpers;
 using System;
 using System.Collections.Generic;
+using System.Text.Encodings.Web;
 using System.Threading.Tasks;
 using Volo.Abp.AspNetCore.Mvc.UI.Bootstrap.TagHelpers.Extensions;
 
 namespace Volo.Abp.AspNetCore.Mvc.UI.Bootstrap.TagHelpers.Tab;
 
 public class AbpTabDropdownTagHelperService : AbpTagHelperService<AbpTabDropdownTagHelper>
 {
+    protected HtmlEncoder Encoder { get; }
+
+    public AbpTabDropdownTagHelperService(HtmlEncoder encoder)
+    {
+        Encoder = encoder;
+    }
+
     public override async Task ProcessAsync(TagHelperContext context, TagHelperOutput output)
     {
         if (string.IsNullOrWhiteSpace(TagHelper.Name))
@@ -40,7 +48,7 @@ protected virtual string GetTabHeaderItem(TagHelperContext context, TagHelperOut
         anchor.Attributes.Add("role", "button");
         anchor.Attributes.Add("aria-haspopup", "true");
         anchor.Attributes.Add("aria-expanded", "false");
-        anchor.InnerHtml.AppendHtml(title);
+        anchor.InnerHtml.AppendHtml(Encoder.Encode(title));
 
         var menu = new TagBuilder("div");
         menu.AddCssClass("dropdown-menu");

framework/src/Volo.Abp.AspNetCore.Mvc.UI.Bootstrap/TagHelpers/Tab/AbpTabLinkTagHelperService.cs

@@ -1,13 +1,21 @@
 using Microsoft.AspNetCore.Mvc.Rendering;
 using Microsoft.AspNetCore.Razor.TagHelpers;
 using System.Collections.Generic;
+using System.Text.Encodings.Web;
 using System.Threading.Tasks;
 using Volo.Abp.AspNetCore.Mvc.UI.Bootstrap.TagHelpers.Extensions;
 
 namespace Volo.Abp.AspNetCore.Mvc.UI.Bootstrap.TagHelpers.Tab;
 
 public class AbpTabLinkTagHelperService : AbpTagHelperService<AbpTabLinkTagHelper>
 {
+    protected HtmlEncoder Encoder { get; }
+
+    public AbpTabLinkTagHelperService(HtmlEncoder encoder)
+    {
+        Encoder = encoder;
+    }
+
     public override Task ProcessAsync(TagHelperContext context, TagHelperOutput output)
     {
         SetPlaceholderForNameIfNotProvided();
@@ -35,7 +43,7 @@ protected virtual string GetTabHeaderItem(TagHelperContext context, TagHelperOut
             anchor.AddCssClass("dropdown-item");
             anchor.Attributes.Add("id", id);
             anchor.Attributes.Add("href", href);
-            anchor.InnerHtml.AppendHtml(title);
+            anchor.InnerHtml.AppendHtml(Encoder.Encode(title));
 
             return anchor.ToHtmlString();
         }
@@ -45,7 +53,7 @@ protected virtual string GetTabHeaderItem(TagHelperContext context, TagHelperOut
             anchor.AddCssClass("nav-link " + AbpTabItemActivePlaceholder);
             anchor.Attributes.Add("id", id);
             anchor.Attributes.Add("href", href);
-            anchor.InnerHtml.AppendHtml(title);
+            anchor.InnerHtml.AppendHtml(Encoder.Encode(title));
 
             var listItem = new TagBuilder("li");
             listItem.AddCssClass("nav-item");

framework/src/Volo.Abp.AspNetCore.Mvc.UI.Bootstrap/TagHelpers/Tab/AbpTabTagHelperService.cs

@@ -2,13 +2,21 @@
 using Microsoft.AspNetCore.Razor.TagHelpers;
 using System.Collections.Generic;
 using System.Linq;
+using System.Text.Encodings.Web;
 using System.Threading.Tasks;
 using Volo.Abp.AspNetCore.Mvc.UI.Bootstrap.TagHelpers.Extensions;
 
 namespace Volo.Abp.AspNetCore.Mvc.UI.Bootstrap.TagHelpers.Tab;
 
 public class AbpTabTagHelperService : AbpTagHelperService<AbpTabTagHelper>
 {
+    protected HtmlEncoder Encoder { get; }
+
+    public AbpTabTagHelperService(HtmlEncoder encoder)
+    {
+        Encoder = encoder;
+    }
+
     public override async Task ProcessAsync(TagHelperContext context, TagHelperOutput output)
     {
         SetPlaceholderForNameIfNotProvided();
@@ -53,7 +61,7 @@ protected virtual string GetTabHeaderItem(TagHelperContext context, TagHelperOut
                 anchor.Attributes.Add(attr.Name, attr.Value.ToString());
             }
 
-            anchor.InnerHtml.AppendHtml(title);
+            anchor.InnerHtml.AppendHtml(Encoder.Encode(title));
 
             return anchor.ToHtmlString();
         }
@@ -73,7 +81,7 @@ protected virtual string GetTabHeaderItem(TagHelperContext context, TagHelperOut
                 anchor.Attributes.Add(attr.Name, attr.Value.ToString());
             }
 
-            anchor.InnerHtml.AppendHtml(title);
+            anchor.InnerHtml.AppendHtml(Encoder.Encode(title));
 
             var listItem = new TagBuilder("li");
             listItem.AddCssClass("nav-item");

framework/src/Volo.Abp.AspNetCore.Mvc.UI.Bundling/Volo/Abp/AspNetCore/Mvc/UI/Bundling/TagHelpers/AbpTagHelperScriptService.cs

@@ -1,6 +1,7 @@
 using System;
 using System.Collections.Generic;
 using System.Linq;
+using System.Text.Encodings.Web;
 using System.Threading.Tasks;
 using Microsoft.AspNetCore.Hosting;
 using Microsoft.AspNetCore.Mvc.Rendering;
@@ -19,9 +20,9 @@ public AbpTagHelperScriptService(
         IBundleManager bundleManager,
         IOptions<AbpBundlingOptions> options,
         IWebHostEnvironment hostingEnvironment) : base(
-            bundleManager,
-            options,
-            hostingEnvironment)
+        bundleManager,
+        options,
+        hostingEnvironment)
     {
     }
 

framework/src/Volo.Abp.AspNetCore.Mvc.UI.Bundling/Volo/Abp/AspNetCore/Mvc/UI/Bundling/TagHelpers/AbpTagHelperStyleService.cs

@@ -1,6 +1,7 @@
 using System;
 using System.Collections.Generic;
 using System.Linq;
+using System.Text.Encodings.Web;
 using System.Threading.Tasks;
 using Microsoft.AspNetCore.Hosting;
 using Microsoft.AspNetCore.Mvc.Rendering;
@@ -22,9 +23,9 @@ public AbpTagHelperStyleService(
         IOptions<AbpBundlingOptions> options,
         IWebHostEnvironment hostingEnvironment,
         IOptions<AbpSecurityHeadersOptions> securityHeadersOptions) : base(
-            bundleManager,
-            options,
-            hostingEnvironment)
+        bundleManager,
+        options,
+        hostingEnvironment)
     {
         SecurityHeadersOptions = securityHeadersOptions.Value;
     }