Fix HTML encoding issues from Snyk, and DisplayName for more elements for encoding

Author: Badgerati

examples/full.ps1

@@ -31,7 +31,7 @@ Start-PodeServer -StatusPageExceptions Show {
 
 
     # set the use of templates
-    Use-PodeWebTemplates -Title Test -Logo '/pode.web/images/icon.png' -Theme Dark
+    Use-PodeWebTemplates -Title 'Test' -Logo '/pode.web/images/icon.png' -Theme Dark
 
     # set login page 
     # -BackgroundImage '/images/galaxy.jpg'

src/Private/Helpers.ps1

@@ -345,14 +345,27 @@ function Protect-PodeWebValue
 
         [Parameter()]
         [string]
-        $Default
+        $Default,
+
+        [switch]
+        $Encode
     )
 
     if ([string]::IsNullOrWhiteSpace($Value)) {
-        return $Default
+        if ($Encode) {
+            return [System.Net.WebUtility]::HtmlEncode($Default)
+        }
+        else {
+            return $Default
+        }
     }
 
-    return $Value
+    if ($Encode) {
+        return [System.Net.WebUtility]::HtmlEncode($Value)
+    }
+    else {
+        return $Value
+    }
 }
 
 function Protect-PodeWebValues
@@ -367,18 +380,35 @@ function Protect-PodeWebValues
         $Default,
 
         [switch]
-        $EqualCount
+        $EqualCount,
+
+        [switch]
+        $Encode
     )
 
     if (($null -eq $Value) -or ($Value.Length -eq 0)) {
-        return $Default
+        if ($Encode -and ($null -ne $Default) -and ($Default.Length -gt 0)) {
+            return @(foreach ($v in $Default) {
+                [System.Net.WebUtility]::HtmlEncode($v)
+            })
+        }
+        else {
+            return $Default
+        }
     }
 
     if ($EqualCount -and ($Value.Length -ne $Default.Length)) {
         throw "Expected an equal number of values in both arrays"
     }
 
-    return $Value
+    if ($Encode) {
+        return @(foreach ($v in $Value) {
+            [System.Net.WebUtility]::HtmlEncode($v)
+        })
+    }
+    else {
+        return $Value
+    }
 }
 
 function Test-PodeWebRoute

src/Public/Elements.ps1

@@ -107,15 +107,15 @@ function New-PodeWebTextbox
         ObjectType = 'Textbox'
         Parent = $ElementData
         Name = $Name
-        DisplayName = (Protect-PodeWebValue -Value $DisplayName -Default $Name)
+        DisplayName = (Protect-PodeWebValue -Value $DisplayName -Default $Name -Encode)
         ID = $Id
         Type = $Type
         Multiline = $Multiline.IsPresent
         Placeholder = $Placeholder
         Size = $Size
         Width = (ConvertTo-PodeWebSize -Value $Width -Default 'auto' -Type '%')
         Preformat = $Preformat.IsPresent
-        HelpText = $HelpText
+        HelpText = [System.Net.WebUtility]::HtmlEncode($HelpText)
         ReadOnly = $ReadOnly.IsPresent
         IsAutoComplete = ($null -ne $AutoComplete)
         Value = $Value
@@ -206,7 +206,7 @@ function New-PodeWebFileUpload
         ObjectType = 'FileUpload'
         Parent = $ElementData
         Name = $Name
-        DisplayName = (Protect-PodeWebValue -Value $DisplayName -Default $Name)
+        DisplayName = (Protect-PodeWebValue -Value $DisplayName -Default $Name -Encode)
         ID = $Id
         Accept = ($Accept -join ',')
         CssClasses = ($CssClass -join ' ')
@@ -419,10 +419,10 @@ function New-PodeWebCheckbox
         ObjectType = 'Checkbox'
         Parent = $ElementData
         Name = $Name
-        DisplayName = (Protect-PodeWebValue -Value $DisplayName -Default $Name)
+        DisplayName = (Protect-PodeWebValue -Value $DisplayName -Default $Name -Encode)
         ID = $Id
         Options = @($Options)
-        DisplayOptions = @(Protect-PodeWebValues -Value $DisplayOptions -Default $Options -EqualCount)
+        DisplayOptions = @(Protect-PodeWebValues -Value $DisplayOptions -Default $Options -EqualCount -Encode)
         Inline = $Inline.IsPresent
         AsSwitch = $AsSwitch.IsPresent
         Checked = $Checked.IsPresent
@@ -486,10 +486,10 @@ function New-PodeWebRadio
         ObjectType = 'Radio'
         Parent = $ElementData
         Name = $Name
-        DisplayName = (Protect-PodeWebValue -Value $DisplayName -Default $Name)
+        DisplayName = (Protect-PodeWebValue -Value $DisplayName -Default $Name -Encode)
         ID = $Id
         Options = @($Options)
-        DisplayOptions = @(Protect-PodeWebValues -Value $DisplayOptions -Default $Options -EqualCount)
+        DisplayOptions = @(Protect-PodeWebValues -Value $DisplayOptions -Default $Options -EqualCount -Encode)
         Inline = $Inline.IsPresent
         Disabled = $Disabled.IsPresent
         CssClasses = ($CssClass -join ' ')
@@ -568,10 +568,10 @@ function New-PodeWebSelect
         ObjectType = 'Select'
         Parent = $ElementData
         Name = $Name
-        DisplayName = (Protect-PodeWebValue -Value $DisplayName -Default $Name)
+        DisplayName = (Protect-PodeWebValue -Value $DisplayName -Default $Name -Encode)
         ID = $Id
         Options = @($Options)
-        DisplayOptions = @(Protect-PodeWebValues -Value $DisplayOptions -Default $Options -EqualCount)
+        DisplayOptions = @(Protect-PodeWebValues -Value $DisplayOptions -Default $Options -EqualCount -Encode)
         ScriptBlock = $ScriptBlock
         IsDynamic = ($null -ne $ScriptBlock)
         SelectedValue = $SelectedValue
@@ -680,7 +680,7 @@ function New-PodeWebRange
         ObjectType = 'Range'
         Parent = $ElementData
         Name = $Name
-        DisplayName = (Protect-PodeWebValue -Value $DisplayName -Default $Name)
+        DisplayName = (Protect-PodeWebValue -Value $DisplayName -Default $Name -Encode)
         ID = $Id
         Value = $Value
         Min = $Min
@@ -702,6 +702,10 @@ function New-PodeWebProgress
         [string]
         $Name,
 
+        [Parameter()]
+        [string]
+        $DisplayName,
+
         [Parameter()]
         [string]
         $Id,
@@ -762,6 +766,7 @@ function New-PodeWebProgress
         ObjectType = 'Progress'
         Parent = $ElementData
         Name = $Name
+        DisplayName = (Protect-PodeWebValue -Value $DisplayName -Default $Name -Encode)
         ID = $Id
         Value = $Value
         Min = $Min
@@ -1043,7 +1048,7 @@ function New-PodeWebLink
         Parent = $ElementData
         ID = $Id
         Source = (Add-PodeWebAppPath -Url $Source)
-        Value = $Value
+        Value = [System.Net.WebUtility]::HtmlEncode($Value)
         NewTab = $NewTab.IsPresent
         CssClasses = ($CssClass -join ' ')
         CssStyles = (ConvertTo-PodeWebStyles -Style $CssStyle)
@@ -1203,11 +1208,11 @@ function New-PodeWebCredential
 
         [Parameter()]
         [string]
-        $PlaceholderUsername,
+        $DisplayUsername,
 
         [Parameter()]
         [string]
-        $PlaceholderPassword,
+        $DisplayPassword,
 
         [Parameter()]
         [ValidateSet('Username', 'Password')]
@@ -1232,16 +1237,16 @@ function New-PodeWebCredential
         ObjectType = 'Credential'
         Parent = $ElementData
         Name = $Name
-        DisplayName = (Protect-PodeWebValue -Value $DisplayName -Default $Name)
+        DisplayName = (Protect-PodeWebValue -Value $DisplayName -Default $Name -Encode)
         ID = $Id
-        HelpText = $HelpText
+        HelpText = [System.Net.WebUtility]::HtmlEncode($HelpText)
         ReadOnly = $ReadOnly.IsPresent
         NoLabels = $NoLabels.IsPresent
         CssClasses = ($CssClass -join ' ')
         CssStyles = (ConvertTo-PodeWebStyles -Style $CssStyle)
         Placeholders = @{
-            Username = (Protect-PodeWebValue -Value $PlaceholderUsername -Default 'Username')
-            Password = (Protect-PodeWebValue -Value $PlaceholderPassword -Default 'Password')
+            Username = (Protect-PodeWebValue -Value $DisplayUsername -Default 'Username' -Encode)
+            Password = (Protect-PodeWebValue -Value $DisplayPassword -Default 'Password' -Encode)
         }
         Type = @($Type)
         Required = $Required.IsPresent
@@ -1276,6 +1281,14 @@ function New-PodeWebDateTime
         [hashtable]
         $CssStyle,
 
+        [Parameter()]
+        [string]
+        $DisplayDate,
+
+        [Parameter()]
+        [string]
+        $DisplayTime,
+
         [Parameter()]
         [ValidateSet('Date', 'Time')]
         [ValidateNotNullOrEmpty()]
@@ -1299,13 +1312,17 @@ function New-PodeWebDateTime
         ObjectType = 'DateTime'
         Parent = $ElementData
         Name = $Name
-        DisplayName = (Protect-PodeWebValue -Value $DisplayName -Default $Name)
+        DisplayName = (Protect-PodeWebValue -Value $DisplayName -Default $Name -Encode)
         ID = $Id
-        HelpText = $HelpText
+        HelpText = [System.Net.WebUtility]::HtmlEncode($HelpText)
         ReadOnly = $ReadOnly.IsPresent
         NoLabels = $NoLabels.IsPresent
         CssClasses = ($CssClass -join ' ')
         CssStyles = (ConvertTo-PodeWebStyles -Style $CssStyle)
+        Placeholders = @{
+            Date = (Protect-PodeWebValue -Value $DisplayDate -Default 'Date' -Encode)
+            Time = (Protect-PodeWebValue -Value $DisplayTime -Default 'Time' -Encode)
+        }
         Type = @($Type)
         Required = $Required.IsPresent
     }
@@ -1363,6 +1380,14 @@ function New-PodeWebMinMax
         [hashtable]
         $CssStyle,
 
+        [Parameter()]
+        [string]
+        $DisplayMin,
+
+        [Parameter()]
+        [string]
+        $DisplayMax,
+
         [Parameter()]
         [ValidateSet('Min', 'Max')]
         [ValidateNotNullOrEmpty()]
@@ -1386,13 +1411,13 @@ function New-PodeWebMinMax
         ObjectType = 'MinMax'
         Parent = $ElementData
         Name = $Name
-        DisplayName = (Protect-PodeWebValue -Value $DisplayName -Default $Name)
+        DisplayName = (Protect-PodeWebValue -Value $DisplayName -Default $Name -Encode)
         ID = $Id
         Values = @{
             Min = $MinValue
             Max = $MaxValue
         }
-        HelpText = $HelpText
+        HelpText = [System.Net.WebUtility]::HtmlEncode($HelpText)
         ReadOnly = $ReadOnly.IsPresent
         NoLabels = $NoLabels.IsPresent
         CssClasses = ($CssClass -join ' ')
@@ -1407,6 +1432,10 @@ function New-PodeWebMinMax
             Text = $AppendText
             Icon = $AppendIcon
         }
+        Placeholders = @{
+            Min = (Protect-PodeWebValue -Value $DisplayMin -Default 'Minimum' -Encode)
+            Max = (Protect-PodeWebValue -Value $DisplayMax -Default 'Maximum' -Encode)
+        }
         Type = @($Type)
         Required = $Required.IsPresent
     }
@@ -1438,6 +1467,10 @@ function New-PodeWebButton
         [string]
         $Name,
 
+        [Parameter()]
+        [string]
+        $DisplayName,
+
         [Parameter()]
         [string]
         $Id,
@@ -1503,6 +1536,7 @@ function New-PodeWebButton
         ObjectType = 'Button'
         Parent = $ElementData
         Name = $Name
+        DisplayName = (Protect-PodeWebValue -Value $DisplayName -Default $Name -Encode)
         ID = $Id
         DataValue = $DataValue
         Icon = $Icon
@@ -1594,7 +1628,7 @@ function New-PodeWebAlert
         ObjectType = 'Alert'
         Parent = $ElementData
         ID = $Id
-        Type = $Type
+        Type = [System.Net.WebUtility]::HtmlEncode($Type)
         ClassType = $classType
         IconType = $iconType
         Value = [System.Net.WebUtility]::HtmlEncode($Value)
@@ -1793,8 +1827,8 @@ function New-PodeWebComment
         Parent = $ElementData
         ID = $Id
         Icon = (Add-PodeWebAppPath -Url $Icon)
-        Username = $Username
-        Message = $Message
+        Username = [System.Net.WebUtility]::HtmlEncode($Username)
+        Message = [System.Net.WebUtility]::HtmlEncode($Message)
         TimeStamp = $TimeStamp
         CssClasses = ($CssClass -join ' ')
         CssStyles = (ConvertTo-PodeWebStyles -Style $CssStyle)
@@ -2357,6 +2391,10 @@ function Add-PodeWebTableButton
         [string]
         $Name,
 
+        [Parameter()]
+        [string]
+        $DisplayName,
+
         [Parameter()]
         [string]
         $Icon,
@@ -2411,6 +2449,7 @@ function Add-PodeWebTableButton
 
     $Table.Buttons += @{
         Name = $Name
+        DisplayName = (Protect-PodeWebValue -Value $DisplayName -Default $Name -Encode)
         Icon = $Icon
         IsDynamic = ($null -ne $ScriptBlock)
         WithText = $WithText.IsPresent
@@ -2744,6 +2783,10 @@ function New-PodeWebTile
         [string]
         $Name,
 
+        [Parameter()]
+        [string]
+        $DisplayName,
+
         [Parameter()]
         [string]
         $Id,
@@ -2822,6 +2865,7 @@ function New-PodeWebTile
         ObjectType = 'Tile'
         Parent = $ElementData
         Name = $Name
+        DisplayName = (Protect-PodeWebValue -Value $DisplayName -Default $Name -Encode)
         ID = $Id
         Click = ($null -ne $ClickScriptBlock)
         IsDynamic = ($null -ne $ScriptBlock)
@@ -3081,7 +3125,7 @@ function New-PodeWebAudio
         Width = (ConvertTo-PodeWebSize -Value $Width -Default 20 -Type '%')
         Sources = $Source
         Tracks = $Track
-        NotSupportedText = (Protect-PodeWebValue -Value $NotSupportedText -Default 'Your browser does not support the audio element')
+        NotSupportedText = [System.Net.WebUtility]::HtmlEncode((Protect-PodeWebValue -Value $NotSupportedText -Default 'Your browser does not support the audio element'))
         Muted = $Muted.IsPresent
         AutoPlay = $AutoPlay.IsPresent
         AutoBuffer = $AutoBuffer.IsPresent
@@ -3208,7 +3252,7 @@ function New-PodeWebVideo
         Sources = $Source
         Tracks = $Track
         Thumbnail = $Thumbnail
-        NotSupportedText = (Protect-PodeWebValue -Value $NotSupportedText -Default 'Your browser does not support the video element')
+        NotSupportedText = [System.Net.WebUtility]::HtmlEncode((Protect-PodeWebValue -Value $NotSupportedText -Default 'Your browser does not support the video element'))
         Muted = $Muted.IsPresent
         AutoPlay = $AutoPlay.IsPresent
         AutoBuffer = $AutoBuffer.IsPresent