[dev-v5] Add MarkupStringSanitized to enhances security and clarifies usage. (#4424)

* Make Title in FluentMessageBar plain text only

The Title property now accepts only plain strings and no HTML markup.
For custom or formatted titles, use the ChildContent property.
Updated code and docs to clarify usage and provide examples.

* Sanitize inline CSS to prevent XSS in custom styles
Introduce MarkupSanitizedOptions and MarkupStringSanitized to sanitize inline CSS styles

* Update MarkupStringSanitized

* Update MarkupStringSanitized

* Refactoring MarkupStringSanitized

* Refactoring

* Refactor

* Add Unit Tests

* Update components to use MarkupStringSanitized

* Update Dialog and Add unit tests

* Refactor

* Fix errors

* Update doc

* Refactor sanitizers to use [GeneratedRegex] partial methods

* Add Unit Tests

* Update doc

Author: dvoituron

src/Core/Components/Base/FluentComponentBase.cs

@@ -24,6 +24,7 @@ public abstract class FluentComponentBase : ComponentBase, IAsyncDisposable, IFl
     protected FluentComponentBase(LibraryConfiguration configuration)
     {
         configuration?.DefaultValues.ApplyDefaults(this);
+        LibraryConfiguration = configuration;
     }
 
     [Inject]
@@ -37,6 +38,11 @@ protected FluentComponentBase(LibraryConfiguration configuration)
     [Inject]
     protected IFluentLocalizer Localizer { get; set; } = FluentLocalizerInternal.Default;
 
+    /// <summary>
+    /// Gets the configuration settings for the library instance.
+    /// </summary>
+    protected internal LibraryConfiguration? LibraryConfiguration { get; }
+
     /// <summary>
     /// Gets the JavaScript module imported with the <see cref="FluentJSModule.ImportJavaScriptModuleAsync"/> method.
     /// You need to call this method (in the `OnAfterRenderAsync` method) before using the module.

src/Core/Components/DateTime/FluentCalendar.razor.cs

@@ -22,9 +22,9 @@ public partial class FluentCalendar<TValue> : FluentCalendarBase<TValue>
 {
     private ElementReference _calendarReference = default!;
     private const string JAVASCRIPT_FILE = FluentJSModule.JAVASCRIPT_ROOT + "DateTime/FluentCalendar.razor.js";
-    
-    internal static string ArrowUp = "<svg width=\"24\" height=\"24\" viewBox=\"0 0 24 24\" xmlns=\"http://www.w3.org/2000/svg\"><path d=\"M4.2 10.73a.75.75 0 001.1 1.04l5.95-6.25v14.73a.75.75 0 001.5 0V5.52l5.95 6.25a.75.75 0 001.1-1.04l-7.08-7.42a1 1 0 00-1.44 0L4.2 10.73z\"/></svg>";
-    internal static string ArrowDown = "<svg width=\"24\" height=\"24\" viewBox=\"0 0 24 24\" xmlns=\"http://www.w3.org/2000/svg\"><path d=\"M19.8 13.27a.75.75 0 00-1.1-1.04l-5.95 6.25V3.75a.75.75 0 10-1.5 0v14.73L5.3 12.23a.75.75 0 10-1.1 1.04l7.08 7.42a1 1 0 001.44 0l7.07-7.42z\"/></svg>";
+
+    internal static MarkupStringSanitized ArrowUp = new("<svg width=\"24\" height=\"24\" viewBox=\"0 0 24 24\" xmlns=\"http://www.w3.org/2000/svg\"><path d=\"M4.2 10.73a.75.75 0 001.1 1.04l5.95-6.25v14.73a.75.75 0 001.5 0V5.52l5.95 6.25a.75.75 0 001.1-1.04l-7.08-7.42a1 1 0 00-1.44 0L4.2 10.73z\"/></svg>", MarkupStringSanitized.Formats.AlreadySanitized);
+    internal static MarkupStringSanitized ArrowDown = new("<svg width=\"24\" height=\"24\" viewBox=\"0 0 24 24\" xmlns=\"http://www.w3.org/2000/svg\"><path d=\"M19.8 13.27a.75.75 0 00-1.1-1.04l-5.95 6.25V3.75a.75.75 0 10-1.5 0v14.73L5.3 12.23a.75.75 0 10-1.1 1.04l7.08 7.42a1 1 0 001.44 0l7.07-7.42z\"/></svg>", MarkupStringSanitized.Formats.AlreadySanitized);
 
     private CalendarViews _pickerView = CalendarViews.Days;
     private bool _refreshAccessibilityPending;
@@ -167,12 +167,14 @@ public virtual TValue? PickerMonth
     internal bool IsReadOnlyOrDisabled => ReadOnly || Disabled == true;
 
     /// <summary />
-    internal string GetAnimationClass(string existingClass) => CanBeAnimated ? _animationRunning switch
-    {
-        AnimationRunning.Up => $"{existingClass} animation-running-up",
-        AnimationRunning.Down => $"{existingClass} animation-running-down",
-        _ => $"{existingClass} animation-none"
-    } : existingClass;
+    internal string GetAnimationClass(string existingClass) => CanBeAnimated
+        ? _animationRunning switch
+        {
+            AnimationRunning.Up => $"{existingClass} animation-running-up",
+            AnimationRunning.Down => $"{existingClass} animation-running-down",
+            _ => $"{existingClass} animation-none",
+        }
+        : existingClass;
 
     /// <summary>
     /// All days of this current month.

src/Core/Components/Dialog/FluentDialog.razor.cs

@@ -268,14 +268,14 @@ async Task<bool> ShortCutPressedAsync(DialogOptionsFooterAction button, string s
     private bool IsDialog() => !IsDrawer();
 
     /// <summary />
-    private MarkupString? GetDialogStyle()
+    private MarkupStringSanitized? GetDialogStyle()
     {
         if (string.IsNullOrEmpty(StyleValue))
         {
             return null;
         }
 
-        return (MarkupString)$"<style>#{Id}::part(dialog) {{ {StyleValue} }}</style>";
+        return new MarkupStringSanitized($"<style>#{Id}::part(dialog) {{ {StyleValue} }}</style>", LibraryConfiguration);
     }
 
     /// <summary>

src/Core/Components/Dialog/FluentDialogBody.razor

@@ -16,7 +16,7 @@
     }
     else if (!string.IsNullOrEmpty(Instance?.Options.Header.Title))
     {
-        <div slot="@FluentSlot.DialogTitle">@((MarkupString)(Instance.Options.Header.Title))</div>
+        <div slot="@FluentSlot.DialogTitle">@(new MarkupStringSanitized(Instance.Options.Header.Title, MarkupStringSanitized.Formats.Html, LibraryConfiguration))</div>
     }
 
     @* Header Action *@

src/Core/Components/Dialog/MessageBox/DialogService.cs

@@ -2,9 +2,10 @@
 // This file is licensed to you under the MIT License.
 // ------------------------------------------------------------------------
 
-using Microsoft.AspNetCore.Components;
+using Microsoft.Extensions.DependencyInjection;
 using Microsoft.FluentUI.AspNetCore.Components.Dialog.MessageBox;
 using Microsoft.FluentUI.AspNetCore.Components.Localization;
+using Microsoft.FluentUI.AspNetCore.Components.Utilities;
 
 namespace Microsoft.FluentUI.AspNetCore.Components;
 
@@ -94,7 +95,7 @@ public Task<DialogResult> ShowMessageBoxAsync(MessageBoxOptions options)
             config.Footer.PrimaryAction.ShortCut = options.PrimaryShortCut;
             config.Footer.SecondaryAction.Label = options.SecondaryButton;
             config.Footer.SecondaryAction.ShortCut = options.SecondaryShortCut;
-            config.Parameters.Add(nameof(FluentMessageBox.Message), new MarkupString(options.Message ?? ""));
+            config.Parameters.Add(nameof(FluentMessageBox.Message), new MarkupStringSanitized(options.Message ?? "", MarkupStringSanitized.Formats.Html, _serviceProvider.GetService<LibraryConfiguration>()));
             config.Parameters.Add(nameof(FluentMessageBox.Icon), options.Icon);
             config.Parameters.Add(nameof(FluentMessageBox.IconColor), options.IconColor);
         });

src/Core/Components/Dialog/MessageBox/FluentMessageBox.razor.cs

@@ -3,6 +3,7 @@
 // ------------------------------------------------------------------------
 
 using Microsoft.AspNetCore.Components;
+using Microsoft.FluentUI.AspNetCore.Components.Utilities;
 
 namespace Microsoft.FluentUI.AspNetCore.Components.Dialog.MessageBox;
 
@@ -13,9 +14,10 @@ public partial class FluentMessageBox
 {
     /// <summary>
     /// Gets or sets the content of the message box.
+    /// For security reasons, the content is sanitized using the configured <see cref="LibraryConfiguration.MarkupSanitized"/> before rendering.
     /// </summary>
     [Parameter]
-    public MarkupString? Message { get; set; }
+    public MarkupStringSanitized? Message { get; set; }
 
     /// <summary>
     /// Gets or sets the icon of the message box.

src/Core/Components/Dialog/MessageBox/MessageBoxOptions.cs

@@ -11,6 +11,8 @@ public class MessageBoxOptions
 {
     /// <summary>
     /// Gets or sets the message to display in the dialog.
+    /// The message can contain simple HTML markup for formatting.
+    /// See <see cref="LibraryConfiguration.MarkupSanitized"/> for more information.
     /// </summary>
     public string? Message { get; set; }
 

src/Core/Components/Dialog/Services/DialogOptionsHeader.cs

@@ -12,11 +12,11 @@ public class DialogOptionsHeader
     /// <summary />
     public DialogOptionsHeader()
     {
-        
     }
 
     /// <summary>
     /// Gets or sets the title of the dialog.
+    /// For security reasons, the content is sanitized using the configured <see cref="LibraryConfiguration.MarkupSanitized"/> before rendering.
     /// </summary>
     public string? Title { get; set; }
 }

src/Core/Components/MessageBar/FluentMessageBar.razor

@@ -19,7 +19,9 @@
 
             @if (!string.IsNullOrEmpty(Title))
             {
-                <span class="title">@Title</span>
+                <span class="title">
+                    @(new MarkupStringSanitized(Title, MarkupStringSanitized.Formats.Html, LibraryConfiguration))
+                </span>
             }
         </AddTag>
 

src/Core/Components/MessageBar/FluentMessageBar.razor.cs

@@ -70,7 +70,7 @@ public FluentMessageBar(LibraryConfiguration configuration) : base(configuration
 
     /// <summary>
     /// Gets or sets the most important info to be shown in the message bar.
-    /// You cannot format this string using HTML tags (bold, italic, etc.).
+    /// For security reasons, the content is sanitized using the configured <see cref="LibraryConfiguration.MarkupSanitized"/> before rendering.
     /// If you need to format the content, use the <see cref="ChildContent"/> parameter.
     /// </summary>
     [Parameter]