Ensure SystemTextJsonHelper always HTML encodes output. (#12808)

* Ensure JsonSerializer always HTML encodes output.

* Update JsonOptions.JsonSerializerOptions to use encoder scheme that does not encode non-ASCII
  characters by default. This makes the encoding comparable to Json.NET's defaults
* In SystemTextJsonHelper, ensure that the content is always HTML-encoded
* Unskip skipped test

Fixes #9946
Fixes #11459

Author: pranavkm

src/Mvc/Mvc.Core/ref/Microsoft.AspNetCore.Mvc.Core.netcoreapp3.0.cs

@@ -2210,7 +2210,7 @@ public SystemTextJsonInputFormatter(Microsoft.AspNetCore.Mvc.JsonOptions options
     }
     public partial class SystemTextJsonOutputFormatter : Microsoft.AspNetCore.Mvc.Formatters.TextOutputFormatter
     {
-        public SystemTextJsonOutputFormatter(Microsoft.AspNetCore.Mvc.JsonOptions options) { }
+        public SystemTextJsonOutputFormatter(System.Text.Json.JsonSerializerOptions jsonSerializerOptions) { }
         public System.Text.Json.JsonSerializerOptions SerializerOptions { [System.Runtime.CompilerServices.CompilerGeneratedAttribute]get { throw null; } }
         [System.Diagnostics.DebuggerStepThroughAttribute]
         public sealed override System.Threading.Tasks.Task WriteResponseBodyAsync(Microsoft.AspNetCore.Mvc.Formatters.OutputFormatterWriteContext context, System.Text.Encoding selectedEncoding) { throw null; }

src/Mvc/Mvc.Core/src/Formatters/SystemTextJsonOutputFormatter.cs

@@ -4,6 +4,7 @@
 using System;
 using System.IO;
 using System.Text;
+using System.Text.Encodings.Web;
 using System.Text.Json;
 using System.Threading;
 using System.Threading.Tasks;
@@ -17,14 +18,13 @@ namespace Microsoft.AspNetCore.Mvc.Formatters
     /// </summary>
     public class SystemTextJsonOutputFormatter : TextOutputFormatter
     {
-
         /// <summary>
         /// Initializes a new <see cref="SystemTextJsonOutputFormatter"/> instance.
         /// </summary>
-        /// <param name="options">The <see cref="JsonOptions"/>.</param>
-        public SystemTextJsonOutputFormatter(JsonOptions options)
+        /// <param name="jsonSerializerOptions">The <see cref="JsonSerializerOptions"/>.</param>
+        public SystemTextJsonOutputFormatter(JsonSerializerOptions jsonSerializerOptions)
         {
-            SerializerOptions = options.JsonSerializerOptions;
+            SerializerOptions = jsonSerializerOptions;
 
             SupportedEncodings.Add(Encoding.UTF8);
             SupportedEncodings.Add(Encoding.Unicode);
@@ -33,6 +33,19 @@ public SystemTextJsonOutputFormatter(JsonOptions options)
             SupportedMediaTypes.Add(MediaTypeHeaderValues.ApplicationAnyJsonSyntax);
         }
 
+        internal static SystemTextJsonOutputFormatter CreateFormatter(JsonOptions jsonOptions)
+        {
+            var jsonSerializerOptions = jsonOptions.JsonSerializerOptions;
+
+            if (jsonSerializerOptions.Encoder is null)
+            {
+                // If the user hasn't explicitly configured the encoder, use the less strict encoder that does not encode all non-ASCII characters.
+                jsonSerializerOptions = jsonSerializerOptions.Copy(JavaScriptEncoder.UnsafeRelaxedJsonEscaping);
+            }
+
+            return new SystemTextJsonOutputFormatter(jsonSerializerOptions);
+        }
+
         /// <summary>
         /// Gets the <see cref="JsonSerializerOptions"/> used to configure the <see cref="JsonSerializer"/>.
         /// </summary>

src/Mvc/Mvc.Core/src/Infrastructure/JsonSerializerOptionsCopyConstructor.cs

@@ -0,0 +1,36 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System.Text.Encodings.Web;
+
+namespace System.Text.Json
+{
+    internal static class JsonSerializerOptionsCopyConstructor
+    {
+        public static JsonSerializerOptions Copy(this JsonSerializerOptions serializerOptions, JavaScriptEncoder encoder)
+        {
+            var copiedOptions = new JsonSerializerOptions
+            {
+                AllowTrailingCommas = serializerOptions.AllowTrailingCommas,
+                DefaultBufferSize = serializerOptions.DefaultBufferSize,
+                DictionaryKeyPolicy = serializerOptions.DictionaryKeyPolicy,
+                IgnoreNullValues = serializerOptions.IgnoreNullValues,
+                IgnoreReadOnlyProperties = serializerOptions.IgnoreReadOnlyProperties,
+                MaxDepth = serializerOptions.MaxDepth,
+                PropertyNameCaseInsensitive = serializerOptions.PropertyNameCaseInsensitive,
+                PropertyNamingPolicy = serializerOptions.PropertyNamingPolicy,
+                ReadCommentHandling = serializerOptions.ReadCommentHandling,
+                WriteIndented = serializerOptions.WriteIndented
+            };
+
+            for (var i = 0; i < serializerOptions.Converters.Count; i++)
+            {
+                copiedOptions.Converters.Add(serializerOptions.Converters[i]);
+            }
+
+            copiedOptions.Encoder = encoder;
+
+            return copiedOptions;
+        }
+    }
+}

src/Mvc/Mvc.Core/src/Infrastructure/MvcCoreMvcOptionsSetup.cs

@@ -87,7 +87,9 @@ public void Configure(MvcOptions options)
             options.OutputFormatters.Add(new HttpNoContentOutputFormatter());
             options.OutputFormatters.Add(new StringOutputFormatter());
             options.OutputFormatters.Add(new StreamOutputFormatter());
-            options.OutputFormatters.Add(new SystemTextJsonOutputFormatter(_jsonOptions.Value));
+
+            var jsonOutputFormatter = SystemTextJsonOutputFormatter.CreateFormatter(_jsonOptions.Value);
+            options.OutputFormatters.Add(jsonOutputFormatter);
 
             // Set up ValueProviders
             options.ValueProviderFactories.Add(new FormValueProviderFactory());

src/Mvc/Mvc.Core/test/CreatedAtActionResultTests.cs

@@ -91,7 +91,7 @@ private static IServiceProvider CreateServices()
         {
             var options = Options.Create(new MvcOptions());
             options.Value.OutputFormatters.Add(new StringOutputFormatter());
-            options.Value.OutputFormatters.Add(new SystemTextJsonOutputFormatter(new JsonOptions()));
+            options.Value.OutputFormatters.Add(SystemTextJsonOutputFormatter.CreateFormatter(new JsonOptions()));
 
             var services = new ServiceCollection();
             services.AddSingleton<IActionResultExecutor<ObjectResult>>(new ObjectResultExecutor(

src/Mvc/Mvc.Core/test/CreatedAtRouteResultTests.cs

@@ -104,7 +104,7 @@ private static IServiceProvider CreateServices()
         {
             var options = Options.Create(new MvcOptions());
             options.Value.OutputFormatters.Add(new StringOutputFormatter());
-            options.Value.OutputFormatters.Add(new SystemTextJsonOutputFormatter(new JsonOptions()));
+            options.Value.OutputFormatters.Add(SystemTextJsonOutputFormatter.CreateFormatter(new JsonOptions()));
 
             var services = new ServiceCollection();
             services.AddSingleton<IActionResultExecutor<ObjectResult>>(new ObjectResultExecutor(

src/Mvc/Mvc.Core/test/CreatedResultTests.cs

@@ -92,7 +92,7 @@ private static IServiceProvider CreateServices()
         {
             var options = Options.Create(new MvcOptions());
             options.Value.OutputFormatters.Add(new StringOutputFormatter());
-            options.Value.OutputFormatters.Add(new SystemTextJsonOutputFormatter(new JsonOptions()));
+            options.Value.OutputFormatters.Add(SystemTextJsonOutputFormatter.CreateFormatter(new JsonOptions()));
 
             var services = new ServiceCollection();
             services.AddSingleton<IActionResultExecutor<ObjectResult>>(new ObjectResultExecutor(

src/Mvc/Mvc.Core/test/Formatters/FormatFilterTest.cs

@@ -465,7 +465,7 @@ private void Initialize(
                 // Set up default output formatters.
                 MvcOptions.OutputFormatters.Add(new HttpNoContentOutputFormatter());
                 MvcOptions.OutputFormatters.Add(new StringOutputFormatter());
-                MvcOptions.OutputFormatters.Add(new SystemTextJsonOutputFormatter(new JsonOptions()));
+                MvcOptions.OutputFormatters.Add(SystemTextJsonOutputFormatter.CreateFormatter(new JsonOptions()));
 
                 // Set up default mapping for json extensions to content type
                 MvcOptions.FormatterMappings.SetMediaTypeMappingForFormat(

src/Mvc/Mvc.Core/test/Formatters/JsonOutputFormatterTestBase.cs

@@ -76,6 +76,71 @@ public static TheoryData<string, string, bool> WriteCorrectCharacterEncoding
             }
         }
 
+        [Theory]
+        [MemberData(nameof(WriteCorrectCharacterEncoding))]
+        public async Task WriteToStreamAsync_UsesCorrectCharacterEncoding(
+           string content,
+           string encodingAsString,
+           bool isDefaultEncoding)
+        {
+            // Arrange
+            var formatter = GetOutputFormatter();
+            var expectedContent = "\"" + content + "\"";
+            var mediaType = MediaTypeHeaderValue.Parse(string.Format("application/json; charset={0}", encodingAsString));
+            var encoding = CreateOrGetSupportedEncoding(formatter, encodingAsString, isDefaultEncoding);
+
+
+            var body = new MemoryStream();
+            var actionContext = GetActionContext(mediaType, body);
+
+            var outputFormatterContext = new OutputFormatterWriteContext(
+                actionContext.HttpContext,
+                new TestHttpResponseStreamWriterFactory().CreateWriter,
+                typeof(string),
+                content)
+            {
+                ContentType = new StringSegment(mediaType.ToString()),
+            };
+
+            // Act
+            await formatter.WriteResponseBodyAsync(outputFormatterContext, Encoding.GetEncoding(encodingAsString));
+
+            // Assert
+            var actualContent = encoding.GetString(body.ToArray());
+            Assert.Equal(expectedContent, actualContent, StringComparer.OrdinalIgnoreCase);
+        }
+
+        [Fact]
+        public async Task WriteResponseBodyAsync_Encodes()
+        {
+            // Arrange
+            var formatter = GetOutputFormatter();
+            var expectedContent = "{\"key\":\"Hello \\n <b>Wörld</b>\"}";
+            var content = new { key = "Hello \n <b>Wörld</b>" };
+
+            var mediaType = MediaTypeHeaderValue.Parse("application/json; charset=utf-8");
+            var encoding = CreateOrGetSupportedEncoding(formatter, "utf-8", isDefaultEncoding: true);
+
+            var body = new MemoryStream();
+            var actionContext = GetActionContext(mediaType, body);
+
+            var outputFormatterContext = new OutputFormatterWriteContext(
+                actionContext.HttpContext,
+                new TestHttpResponseStreamWriterFactory().CreateWriter,
+                typeof(string),
+                content)
+            {
+                ContentType = new StringSegment(mediaType.ToString()),
+            };
+
+            // Act
+            await formatter.WriteResponseBodyAsync(outputFormatterContext, Encoding.GetEncoding("utf-8"));
+
+            // Assert
+            var actualContent = encoding.GetString(body.ToArray());
+            Assert.Equal(expectedContent, actualContent);
+        }
+
         [Fact]
         public async Task ErrorDuringSerialization_DoesNotCloseTheBrackets()
         {

src/Mvc/Mvc.Core/test/Formatters/SystemTextJsonOutputFormatterTest.cs

@@ -1,56 +1,13 @@
 // Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
-using System;
-using System.IO;
-using System.Text;
-using System.Text.Encodings.Web;
-using System.Threading.Tasks;
-using Microsoft.Extensions.Primitives;
-using Microsoft.Net.Http.Headers;
-using Xunit;
-
 namespace Microsoft.AspNetCore.Mvc.Formatters
 {
     public class SystemTextJsonOutputFormatterTest : JsonOutputFormatterTestBase
     {
         protected override TextOutputFormatter GetOutputFormatter()
         {
-            return new SystemTextJsonOutputFormatter(new JsonOptions());
-        }
-
-        [Theory]
-        [MemberData(nameof(WriteCorrectCharacterEncoding))]
-        public async Task WriteToStreamAsync_UsesCorrectCharacterEncoding(
-           string content,
-           string encodingAsString,
-           bool isDefaultEncoding)
-        {
-            // Arrange
-            var formatter = GetOutputFormatter();
-            var expectedContent = "\"" + JavaScriptEncoder.Default.Encode(content) + "\"";
-            var mediaType = MediaTypeHeaderValue.Parse(string.Format("application/json; charset={0}", encodingAsString));
-            var encoding = CreateOrGetSupportedEncoding(formatter, encodingAsString, isDefaultEncoding);
-
-
-            var body = new MemoryStream();
-            var actionContext = GetActionContext(mediaType, body);
-
-            var outputFormatterContext = new OutputFormatterWriteContext(
-                actionContext.HttpContext,
-                new TestHttpResponseStreamWriterFactory().CreateWriter,
-                typeof(string),
-                content)
-            {
-                ContentType = new StringSegment(mediaType.ToString()),
-            };
-
-            // Act
-            await formatter.WriteResponseBodyAsync(outputFormatterContext, Encoding.GetEncoding(encodingAsString));
-
-            // Assert
-            var actualContent = encoding.GetString(body.ToArray());
-            Assert.Equal(expectedContent, actualContent, StringComparer.OrdinalIgnoreCase);
+            return SystemTextJsonOutputFormatter.CreateFormatter(new JsonOptions());
         }
     }
 }

src/Mvc/Mvc.Core/test/HttpNotFoundObjectResultTest.cs

@@ -69,7 +69,7 @@ private static IServiceProvider CreateServices()
         {
             var options = Options.Create(new MvcOptions());
             options.Value.OutputFormatters.Add(new StringOutputFormatter());
-            options.Value.OutputFormatters.Add(new SystemTextJsonOutputFormatter(new JsonOptions()));
+            options.Value.OutputFormatters.Add(SystemTextJsonOutputFormatter.CreateFormatter(new JsonOptions()));
 
             var services = new ServiceCollection();
             services.AddSingleton<IActionResultExecutor<ObjectResult>>(new ObjectResultExecutor(

src/Mvc/Mvc.Core/test/HttpOkObjectResultTest.cs

@@ -70,7 +70,7 @@ private static IServiceProvider CreateServices()
         {
             var options = Options.Create(new MvcOptions());
             options.Value.OutputFormatters.Add(new StringOutputFormatter());
-            options.Value.OutputFormatters.Add(new SystemTextJsonOutputFormatter(new JsonOptions()));
+            options.Value.OutputFormatters.Add(SystemTextJsonOutputFormatter.CreateFormatter(new JsonOptions()));
 
             var services = new ServiceCollection();
             services.AddSingleton<IActionResultExecutor<ObjectResult>>(new ObjectResultExecutor(

src/Mvc/Mvc.ViewFeatures/src/Rendering/SystemTextJsonHelper.cs

@@ -2,6 +2,7 @@
 // Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
+using System.Text.Encodings.Web;
 using System.Text.Json;
 using Microsoft.AspNetCore.Html;
 using Microsoft.Extensions.Options;
@@ -10,20 +11,30 @@ namespace Microsoft.AspNetCore.Mvc.Rendering
 {
     internal class SystemTextJsonHelper : IJsonHelper
     {
-        private readonly JsonOptions _options;
+        private readonly JsonSerializerOptions _htmlSafeJsonSerializerOptions;
 
         public SystemTextJsonHelper(IOptions<JsonOptions> options)
         {
-            _options = options.Value;
+            _htmlSafeJsonSerializerOptions = GetHtmlSafeSerializerOptions(options.Value.JsonSerializerOptions);
         }
 
         /// <inheritdoc />
         public IHtmlContent Serialize(object value)
         {
             // JsonSerializer always encodes non-ASCII chars, so we do not need
             // to do anything special with the SerializerOptions
-            var json = JsonSerializer.Serialize(value, _options.JsonSerializerOptions);
+            var json = JsonSerializer.Serialize(value, _htmlSafeJsonSerializerOptions);
             return new HtmlString(json);
         }
+
+        private static JsonSerializerOptions GetHtmlSafeSerializerOptions(JsonSerializerOptions serializerOptions)
+        {
+            if (serializerOptions.Encoder is null || serializerOptions.Encoder == JavaScriptEncoder.Default)
+            {
+                return serializerOptions;
+            }
+
+            return serializerOptions.Copy(JavaScriptEncoder.Default);
+        }
     }
 }

src/Mvc/Mvc.ViewFeatures/test/Rendering/JsonHelperTestBase.cs

@@ -25,7 +25,7 @@ public virtual void Serialize_EscapesHtmlByDefault()
 
             // Assert
             var htmlString = Assert.IsType<HtmlString>(result);
-            Assert.Equal(expectedOutput, htmlString.ToString());
+            Assert.Equal(expectedOutput, htmlString.ToString(), ignoreCase: true);
         }
 
         [Fact]
@@ -71,14 +71,14 @@ public virtual void Serialize_WithNonAsciiChars()
             {
                 HTML = $"Hello pingüino"
             };
-            var expectedOutput = "{\"html\":\"Hello ping\\u00fcino\"}";
+            var expectedOutput = "{\"html\":\"Hello pingüino\"}";
 
             // Act
             var result = helper.Serialize(obj);
 
             // Assert
             var htmlString = Assert.IsType<HtmlString>(result);
-            Assert.Equal(expectedOutput, htmlString.ToString());
+            Assert.Equal(expectedOutput, htmlString.ToString(), ignoreCase: true);
         }
 
         [Fact]
@@ -99,5 +99,25 @@ public void Serialize_WithHTMLEntities()
             var htmlString = Assert.IsType<HtmlString>(result);
             Assert.Equal(expectedOutput, htmlString.ToString());
         }
+
+
+        [Fact]
+        public virtual void Serialize_WithHTMLNonAsciiAndControlChars()
+        {
+            // Arrange
+            var helper = GetJsonHelper();
+            var obj = new
+            {
+                HTML = "<b>Hello \n pingüino</b>"
+            };
+            var expectedOutput = "{\"html\":\"\\u003cb\\u003eHello \\n pingüino\\u003c/b\\u003e\"}";
+
+            // Act
+            var result = helper.Serialize(obj);
+
+            // Assert
+            var htmlString = Assert.IsType<HtmlString>(result);
+            Assert.Equal(expectedOutput, htmlString.ToString());
+        }
     }
 }