Ensure content is HTML encoded

src/GovUk.Frontend.AspNetCore/HtmlGeneration/ComponentGenerator.CharacterCount.cs

@@ -1,3 +1,4 @@
+using System.Text.Encodings.Web;
 using Microsoft.AspNetCore.Html;
 using Microsoft.AspNetCore.Mvc.Rendering;
 using Microsoft.AspNetCore.Mvc.ViewFeatures;
@@ -50,7 +51,7 @@ IHtmlContent GenerateHint()
                 var content = maxWords.HasValue ?
                     $"You can enter up to {maxWords} words" :
                     $"You can enter up to {maxLength} characters";
-                var hintContent = new HtmlString(content);
+                var hintContent = new HtmlString(HtmlEncoder.Default.Encode(content));
 
                 var attributes = countMessageAttributes.ToAttributeDictionary();
                 attributes.MergeCssClass("govuk-character-count__message");

src/GovUk.Frontend.AspNetCore/HtmlGeneration/ComponentGenerator.NotificationBanner.cs

@@ -1,4 +1,5 @@
 using System;
+using System.Text.Encodings.Web;
 using Microsoft.AspNetCore.Html;
 using Microsoft.AspNetCore.Mvc.Rendering;
 using Microsoft.AspNetCore.Mvc.ViewFeatures;
@@ -43,10 +44,10 @@ public TagBuilder GenerateNotificationBanner(
                 NotificationBannerDefaultSuccessRole :
                 NotificationBannerDefaultRole;
 
-            titleContent ??= new HtmlString(
+            titleContent ??= new HtmlString(HtmlEncoder.Default.Encode(
                 type == NotificationBannerType.Success ?
                     NotificationBannerDefaultSuccessTitle :
-                    NotificationBannerDefaultTitle);
+                    NotificationBannerDefaultTitle));
 
             titleId ??= NotificationBannerDefaultTitleId;
 

src/GovUk.Frontend.AspNetCore/HtmlGeneration/ComponentGenerator.Pagination.cs

@@ -1,6 +1,7 @@
 using System;
 using System.Collections.Generic;
 using System.Linq;
+using System.Text.Encodings.Web;
 using Microsoft.AspNetCore.Html;
 using Microsoft.AspNetCore.Mvc.Rendering;
 using Microsoft.AspNetCore.Mvc.ViewFeatures;
@@ -67,7 +68,7 @@ public TagBuilder GeneratePagination(
                     title.AddCssClass("govuk-pagination__link-title--decorated");
                 }
 
-                title.InnerHtml.AppendHtml(previous.Text ?? new HtmlString(PaginationDefaultPreviousText));
+                title.InnerHtml.AppendHtml(previous.Text ?? new HtmlString(HtmlEncoder.Default.Encode(PaginationDefaultPreviousText)));
 
                 link.InnerHtml.AppendHtml(title);
 
@@ -187,7 +188,7 @@ public TagBuilder GeneratePagination(
                     title.AddCssClass("govuk-pagination__link-title--decorated");
                 }
 
-                title.InnerHtml.AppendHtml(next.Text ?? new HtmlString(PaginationDefaultNextText));
+                title.InnerHtml.AppendHtml(next.Text ?? new HtmlString(HtmlEncoder.Default.Encode(PaginationDefaultNextText)));
 
                 link.InnerHtml.AppendHtml(title);
 

src/GovUk.Frontend.AspNetCore/TagHelpers/BackLinkTagHelper.cs

@@ -1,3 +1,4 @@
+using System.Text.Encodings.Web;
 using System.Threading.Tasks;
 using GovUk.Frontend.AspNetCore.HtmlGeneration;
 using Microsoft.AspNetCore.Html;
@@ -15,7 +16,7 @@ public class BackLinkTagHelper : TagHelper
     {
         internal const string TagName = "govuk-back-link";
 
-        private static readonly HtmlString _defaultContent = new HtmlString(ComponentGenerator.BackLinkDefaultContent);
+        private static readonly HtmlString _defaultContent = new HtmlString(HtmlEncoder.Default.Encode(ComponentGenerator.BackLinkDefaultContent));
 
         private readonly IGovUkHtmlGenerator _htmlGenerator;
 

src/GovUk.Frontend.AspNetCore/TagHelpers/CharacterCountTagHelper.cs

@@ -1,5 +1,6 @@
 using System;
 using System.Collections.Generic;
+using System.Text.Encodings.Web;
 using GovUk.Frontend.AspNetCore.HtmlGeneration;
 using Microsoft.AspNetCore.Html;
 using Microsoft.AspNetCore.Mvc.Rendering;
@@ -246,7 +247,8 @@ TagBuilder GenerateTextArea(bool haveError)
                 var resolvedName = ResolveName();
 
                 var resolvedContent = characterCountContext.Value ??
-                    new HtmlString(AspFor != null ? ModelHelper.GetModelValue(ViewContext!, AspFor.ModelExplorer, AspFor.Name) : string.Empty);
+                    new HtmlString(HtmlEncoder.Default.Encode(
+                        AspFor != null ? ModelHelper.GetModelValue(ViewContext!, AspFor.ModelExplorer, AspFor.Name) ?? string.Empty : string.Empty));
 
                 var resolvedTextAreaAttributes = TextAreaAttributes.ToAttributeDictionary();
                 resolvedTextAreaAttributes.MergeCssClass("govuk-js-character-count");

src/GovUk.Frontend.AspNetCore/TagHelpers/DateInputTagHelper.cs

@@ -1,6 +1,7 @@
 using System;
 using System.Collections.Generic;
 using System.Diagnostics;
+using System.Text.Encodings.Web;
 using GovUk.Frontend.AspNetCore.HtmlGeneration;
 using GovUk.Frontend.AspNetCore.ModelBinding;
 using Microsoft.AspNetCore.Html;
@@ -268,7 +269,7 @@ DateInputItem CreateDateInputItem(
 
                 var resolvedItemId = contextItem?.Id ?? $"{resolvedId}.{contextItem?.Name ?? defaultName}";
 
-                var resolvedItemLabel = contextItem?.LabelContent ?? new HtmlString(defaultLabel);
+                var resolvedItemLabel = contextItem?.LabelContent ?? new HtmlString(HtmlEncoder.Default.Encode(defaultLabel));
 
                 var resolvedItemHaveError = haveError && (errorItems & errorSource) != 0;
 

src/GovUk.Frontend.AspNetCore/TagHelpers/ErrorMessageTagHelper.cs

@@ -1,5 +1,6 @@
 using System;
 using System.Diagnostics.CodeAnalysis;
+using System.Text.Encodings.Web;
 using System.Threading.Tasks;
 using GovUk.Frontend.AspNetCore.HtmlGeneration;
 using Microsoft.AspNetCore.Html;
@@ -92,7 +93,7 @@ await output.GetChildContentAsync() :
 
                 if (validationMessage != null)
                 {
-                    resolvedContent = new HtmlString(validationMessage);
+                    resolvedContent = new HtmlString(HtmlEncoder.Default.Encode(validationMessage));
                 }
             }
 

src/GovUk.Frontend.AspNetCore/TagHelpers/ErrorSummaryItemTagHelper.cs

@@ -2,6 +2,7 @@
 using System.Collections.Generic;
 using System.Diagnostics;
 using System.Linq;
+using System.Text.Encodings.Web;
 using System.Threading.Tasks;
 using GovUk.Frontend.AspNetCore.HtmlGeneration;
 using GovUk.Frontend.AspNetCore.ModelBinding;
@@ -100,7 +101,7 @@ public override async Task ProcessAsync(TagHelperContext context, TagHelperOutpu
                     return;
                 }
 
-                itemContent = new HtmlString(validationMessage);
+                itemContent = new HtmlString(HtmlEncoder.Default.Encode(validationMessage));
             }
 
             string? resolvedHref = null;

src/GovUk.Frontend.AspNetCore/TagHelpers/ErrorSummaryTagHelper.cs

@@ -1,3 +1,4 @@
+using System.Text.Encodings.Web;
 using System.Threading.Tasks;
 using GovUk.Frontend.AspNetCore.HtmlGeneration;
 using Microsoft.AspNetCore.Html;
@@ -62,7 +63,7 @@ public override async Task ProcessAsync(TagHelperContext context, TagHelperOutpu
 
             var tagBuilder = _htmlGenerator.GenerateErrorSummary(
                 DisableAutoFocus,
-                errorSummaryContext.Title?.Content ?? new HtmlString(ComponentGenerator.ErrorSummaryDefaultTitle),
+                errorSummaryContext.Title?.Content ?? new HtmlString(HtmlEncoder.Default.Encode(ComponentGenerator.ErrorSummaryDefaultTitle)),
                 errorSummaryContext.Title?.Attributes,
                 errorSummaryContext.Description?.Content,
                 errorSummaryContext.Description?.Attributes,

src/GovUk.Frontend.AspNetCore/TagHelpers/FormErrorSummaryTagHelper.cs

@@ -1,4 +1,5 @@
 using System.Linq;
+using System.Text.Encodings.Web;
 using System.Threading.Tasks;
 using GovUk.Frontend.AspNetCore.HtmlGeneration;
 using Microsoft.AspNetCore.Html;
@@ -75,7 +76,7 @@ public override async Task ProcessAsync(TagHelperContext context, TagHelperOutpu
 
             var errorSummary = _htmlGenerator.GenerateErrorSummary(
                 ComponentGenerator.ErrorSummaryDefaultDisableAutoFocus,
-                titleContent: new HtmlString(ComponentGenerator.ErrorSummaryDefaultTitle),
+                titleContent: new HtmlString(HtmlEncoder.Default.Encode(ComponentGenerator.ErrorSummaryDefaultTitle)),
                 titleAttributes: null,
                 descriptionContent: null,
                 descriptionAttributes: null,

src/GovUk.Frontend.AspNetCore/TagHelpers/FormGroupTagHelperBase.cs

@@ -1,5 +1,6 @@
 using System;
 using System.Diagnostics.CodeAnalysis;
+using System.Text.Encodings.Web;
 using System.Threading.Tasks;
 using GovUk.Frontend.AspNetCore.HtmlGeneration;
 using Microsoft.AspNetCore.Html;
@@ -129,7 +130,7 @@ private protected virtual TagBuilder CreateTagBuilder(bool haveError, IHtmlConte
 
                 if (validationMessage != null)
                 {
-                    content = new HtmlString(validationMessage);
+                    content = new HtmlString(HtmlEncoder.Default.Encode(validationMessage));
                 }
             }
 
@@ -175,7 +176,7 @@ void AddErrorToFormErrorContext()
 
                 if (description != null)
                 {
-                    content = new HtmlString(description);
+                    content = new HtmlString(HtmlEncoder.Default.Encode(description));
                 }
             }
 
@@ -208,15 +209,15 @@ internal IHtmlContent GenerateLabel(FormGroupContext formGroupContext)
             var attributes = formGroupContext.Label?.Attributes;
 
             var resolvedContent = content ??
-                new HtmlString(ModelHelper.GetDisplayName(ViewContext!, AspFor!.ModelExplorer, AspFor.Name));
+                new HtmlString(HtmlEncoder.Default.Encode(ModelHelper.GetDisplayName(ViewContext!, AspFor!.ModelExplorer, AspFor.Name) ?? string.Empty));
 
             return Generator.GenerateLabel(resolvedIdPrefix, isPageHeading, resolvedContent, attributes);
         }
 
         internal IHtmlContent ResolveFieldsetLegendContent(FormGroupFieldsetContext fieldsetContext)
         {
             var resolvedFieldsetLegendContent = fieldsetContext.Legend?.Content ??
-                (AspFor is not null ? new HtmlString(ModelHelper.GetDisplayName(ViewContext!, AspFor.ModelExplorer, AspFor.Name)) : null);
+                (AspFor is not null ? new HtmlString(HtmlEncoder.Default.Encode(ModelHelper.GetDisplayName(ViewContext!, AspFor.ModelExplorer, AspFor.Name) ?? string.Empty)) : null);
 
             if (resolvedFieldsetLegendContent is null)
             {

src/GovUk.Frontend.AspNetCore/TagHelpers/TextAreaTagHelper.cs

@@ -1,4 +1,5 @@
 using System.Collections.Generic;
+using System.Text.Encodings.Web;
 using GovUk.Frontend.AspNetCore.HtmlGeneration;
 using Microsoft.AspNetCore.Html;
 using Microsoft.AspNetCore.Mvc.Rendering;
@@ -134,7 +135,7 @@ TagBuilder GenerateTextArea(bool haveError)
                 var resolvedName = ResolveName();
 
                 var resolvedContent = textAreaContext.Value ??
-                    new HtmlString(AspFor != null ? ModelHelper.GetModelValue(ViewContext!, AspFor.ModelExplorer, AspFor.Name) : string.Empty);
+                    new HtmlString(AspFor != null ? HtmlEncoder.Default.Encode(ModelHelper.GetModelValue(ViewContext!, AspFor.ModelExplorer, AspFor.Name) ?? string.Empty) : string.Empty);
 
                 var resolvedTextAreaAttributes = TextAreaAttributes.ToAttributeDictionary();
                 resolvedTextAreaAttributes.MergeCssClass("govuk-js-textarea");