Double encoding of HTML entities in attribute values

[mlawry]

Sanitizing the following HTML fragment

<input type="text" name="my_name" value="&lt;insert name&gt;" />

Results in the following output:

<input type="text" name="my_name" value="&amp;lt;insert name&amp;gt;">

The intended text field display is <insert name> but after sanitation the display is <insert name>. There seems to be double encoding of the value= attribute value. I traced the source code and the reason seems to be

• After parsing but before sanitation (i.e. before calling this method), AngleSharp converts the HTML entities back into text and stores the value= attribute value as <insert name>.
• Sanitation of attributes converts greater than and less than characters into their equivalent HTML entities. See this line. Converted string is stored back into AngleSharp DOM as the new attribute value. So now the value= attribute value is <insert name>.
• When AngleSharp DOM is converted to HTML, AngleSharp's HtmlMarkupFormatter will again encode the attribute value, which results in the output value="<insert name>".

To resolve this issue, I think HtmlSanitizer shouldn't encode the greater than and less than characters at this line; AngleSharp will do it later so there is no need. What do you think?

[mganss]

Thanks for the report and the detailed analysis.

This behavior is a remnant from the time CsQuery was used instead of AngleSharp. The problem is that AngleSharp does not encode < and >, although it does encode &:

var parser = new HtmlParser(new Configuration().WithCss());
var html = @"<input type=""text"" name=""my_name"" value=""&lt;insert name&gt;"" />";
var dom = parser.Parse(html);
var html2 = dom.ToHtml();
 // → <html><head></head><body><input type="text" name="my_name" value="<insert name>"></body></html>

This behavior is by design.

Currently, I have no idea how to fix this using the HtmlMarkupFormatter.

[mlawry]

Ahh, OK. I didn't realise AngleSharp does not encode < and >, which is not required in the specs.

However, I don't see why HtmlSanitizer should choose to encode < and > in attributes values. As you've pointed out, it is not required by the specs. If dom.ToHtml() guarantees that attribute values are always surrounded by double quotes, then what's the worry?

It could be something that I don't understand, but what's the reason behind HtmlSanitizer encoding < and > characters?

[mganss]

It can be exploited in buggy browsers, e.g. see https://html5sec.org/#59 and https://html5sec.org/#102 (although I must admit I couldn't repro these in IETester).

[mganss]

I'm ashamed to say that there's even a test case for this issue (SanitizeEscapeAttrTest()) which I seem to have just adjusted to match the output of AngleSharp (double encoding) when the switch was done from CsQuery 😳

[mlawry]

Thanks for the fix @mganss. I was also thinking along the lines of a customised HtmlMarkupFormatter. Although in my case I prefer to encode attributes values using System.Web.Security.AntiXss.AntiXssEncoder, which I can now do using my own IMarkupFormatter.