Vulnerability in EPiServer.Forms
I parse the following HTML string with XhtmlString class:
var incorrect = new XhtmlString(@"<span class=""myclassname"" aria-hidden=""true""></span>");
After parsing, the object incorrect does not contain any fragments, but it should contain a fragment containing the span element. If I test parsing
var correct = new XhtmlString(@"<span class=""myclassname"" aria-hidden=""true""> </span>");
the result is correct and I get the elements. (Note the whitespace character in span element.)
Is there any way to fix this other than adding a whitespace to all empty elements? I think the default behavior of XhtmlString parser should be to parse the element without checking whether there is content inside the element.
Note: I did not test it with other HTML elements but it shouldn't really matter which element we are using.
This happens when you use the constructor with the unparsedString parameter. As you can see, it's parsing your string into fragments.
I think the simplest thing would be to do something like this:
var correct = new XhtmlString();
correct.Fragments.Add(new StaticFragment(@"<span class=""myclassname"" aria-hidden=""true""></span>"));
which should work.
Alternatively, if you wanted to replace the default functionality you'd have to go ahead and implement your own IFragmentParser. That would be a bit of an effort and you'd essentially have to duplicate the existing default implementation (albeit removing the ParserOptions.TrimEmptyElements when initializing the HtmlStreamReader, which I believe is causing the behavior you're seeing). Anyway, I wouldn't recommend it—but it's an option.
Thank you Jake, it seems overkill to implement a custom IFragmentParser and keep it updated. Having a whitespace in the element is much easier.