Fix encoding used in JS generated by prerenderer (#13865)

src/Middleware/SpaServices/src/Prerendering/RenderToStringResult.cs

@@ -5,6 +5,7 @@ using System;
 using Newtonsoft.Json;
 using Newtonsoft.Json.Linq;
 using System.Text;
+using System.Text.Encodings.Web;
 
 namespace Microsoft.AspNetCore.SpaServices.Prerendering
 {
@@ -54,9 +55,13 @@ namespace Microsoft.AspNetCore.SpaServices.Prerendering
 
             foreach (var property in Globals.Properties())
             {
-                stringBuilder.AppendFormat("window.{0} = {1};",
-                    property.Name,
-                    property.Value.ToString(Formatting.None));
+                var propertyNameJavaScriptString = JavaScriptEncoder.Default.Encode(property.Name);
+                var valueJson = property.Value.ToString(Formatting.None);
+                var valueJsonJavaScriptString = JavaScriptEncoder.Default.Encode(valueJson);
+
+                stringBuilder.AppendFormat("window[\"{0}\"] = JSON.parse(\"{1}\");",
+                    propertyNameJavaScriptString,
+                    valueJsonJavaScriptString);
             }
 
             return stringBuilder.ToString();

src/Middleware/SpaServices/test/Microsoft.AspNetCore.SpaServices.Tests.csproj

+<Project Sdk="Microsoft.NET.Sdk">
+
+  <PropertyGroup>
+    <TargetFrameworks>netcoreapp3.0</TargetFrameworks>
+  </PropertyGroup>
+
+  <ItemGroup>
+    <Reference Include="Microsoft.AspNetCore.SpaServices" />
+  </ItemGroup>
+
+</Project>

src/Middleware/SpaServices/test/RenderToStringResultTests.cs

+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System.Collections.Generic;
+using Microsoft.AspNetCore.SpaServices.Prerendering;
+using Newtonsoft.Json;
+using Newtonsoft.Json.Linq;
+using Xunit;
+
+namespace Microsoft.AspNetCore.SpaServices.Tests
+{
+    public class RenderToStringResultTest
+    {
+        [Fact]
+        public void HandlesNullGlobals()
+        {
+            // Arrange
+            var renderToStringResult = new RenderToStringResult();
+            renderToStringResult.Globals = null;
+
+            // Act
+            var actualScript = renderToStringResult.CreateGlobalsAssignmentScript();
+
+            // Assert
+            Assert.Equal(string.Empty, actualScript);
+        }
+
+        [Fact]
+        public void HandlesGlobalsWithMultipleProperties()
+        {
+            // Arrange
+            var renderToStringResult = new RenderToStringResult();
+            renderToStringResult.Globals = ToJObject(new
+            {
+                FirstProperty = "first value",
+                SecondProperty = new[] { "Array entry 0", "Array entry 1" }
+            });
+
+            // Act
+            var actualScript = renderToStringResult.CreateGlobalsAssignmentScript();
+
+            // Assert
+            var expectedScript = @"window[""FirstProperty""] = JSON.parse(""\u0022first value\u0022"");" +
+                @"window[""SecondProperty""] = JSON.parse(""[\u0022Array entry 0\u0022,\u0022Array entry 1\u0022]"");";
+            Assert.Equal(expectedScript, actualScript);
+        }
+
+        [Fact]
+        public void HandlesGlobalsWithCorrectStringEncoding()
+        {
+            // Arrange
+            var renderToStringResult = new RenderToStringResult();
+            renderToStringResult.Globals = ToJObject(new Dictionary<string, object>
+            {
+                { "Va<l'u\"e", "</tag>\"'}\u260E" }
+            });
+
+            // Act
+            var actualScript = renderToStringResult.CreateGlobalsAssignmentScript();
+
+            // Assert
+            var expectedScript = @"window[""Va\u003Cl\u0027u\u0022e""] = JSON.parse(""\u0022\u003C/tag\u003E\\\u0022\u0027}\u260E\u0022"");";
+            Assert.Equal(expectedScript, actualScript);
+        }
+
+        private static JObject ToJObject(object value)
+        {
+            return JsonConvert.DeserializeObject<JObject>(JsonConvert.SerializeObject(value));
+        }
+    }
+}