Assign HtmlEncode result back to -Title in ConvertTo-Html #27103

Open
cuiweixie wants to merge 1 commit into PowerShell:master from cuiweixie:fix-ConvertTo-Html-Title-HtmlEncode
Conversation

@cuiweixie
Contributor

Summary

Ensures -Title text is HTML-encoded in the generated document so characters such as <, >, &, and quotes do not break the <title> element or inject unintended markup.

Changes

  • Assign WebUtility.HtmlEncode(_title) back to _title in BeginProcessing.
  • Add a Pester regression test that compares the emitted <title> content to [System.Net.WebUtility]::HtmlEncode for the same input.

Testing

  • Invoke-Pester on test/powershell/Modules/Microsoft.PowerShell.Utility/ConvertTo-Html.Tests.ps1 (new It block).

BeginProcessing called WebUtility.HtmlEncode(_title) but discarded the return value, so HTML special characters were not escaped in the document title element.

Add a Pester regression test that asserts the emitted <title> matches WebUtility.HtmlEncode output.
Copilot AI review requested due to automatic review settings March 27, 2026 17:53
@cuiweixie cuiweixie requested a review from a team as a code owner March 27, 2026 17:53
Contributor

Copilot AI left a comment

Pull request overview

Fixes ConvertTo-Html -Title output so the generated <title> element is HTML-encoded, preventing special characters from breaking markup or injecting unintended content.

Changes:

  • Assign the WebUtility.HtmlEncode(_title) result back to _title during BeginProcessing.
  • Add a Pester regression test validating <title> contains the encoded form of the input title.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

| File | Description |
| --- | --- |
| src/Microsoft.PowerShell.Commands.Utility/commands/utility/ConvertTo-Html.cs | Ensures _title is actually HTML-encoded before being emitted into the default <title> tag. |
| test/powershell/Modules/Microsoft.PowerShell.Utility/ConvertTo-Html.Tests.ps1 | Adds regression coverage verifying encoded <title> output for special characters. |
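
A check of the kind this pull request describes, written here as an added example (it is not the PR's Pester test or the project's code): it pulls the <title> text out of ConvertTo-Html output and compares it with [System.Net.WebUtility]::HtmlEncode for the same input. The function names Get-HtmlTitleText and Test-TitleEncoded and the sample titles are assumptions made for illustration.

```powershell
# Added example, not the PR's test. Function names and sample titles are constructed.
function Get-HtmlTitleText {
    param([Parameter(Mandatory)][string[]] $Html)
    # ConvertTo-Html emits an array of lines; join them so the regex sees one document.
    $doc = $Html -join "`n"
    # Lazy match: stops at the first closing tag, so a raw "</title>" inside the
    # title truncates the capture and the comparison below fails.
    $m = [regex]::Match($doc, '(?is)<title>(.*?)</title>')
    if (-not $m.Success) { throw 'No <title> element found in output.' }
    return $m.Groups[1].Value
}

function Test-TitleEncoded {
    param([Parameter(Mandatory)][string] $Title)
    $html     = [pscustomobject]@{ Name = 'row' } | ConvertTo-Html -Title $Title
    $actual   = Get-HtmlTitleText -Html $html
    $expected = [System.Net.WebUtility]::HtmlEncode($Title)
    [pscustomobject]@{
        Title    = $Title
        Actual   = $actual
        Expected = $expected
        Encoded  = ($actual -ceq $expected)   # case-sensitive, exact match
    }
}

# Constructed inputs covering each character class the PR summary names.
$samples = @(
    'Plain title',
    'Q1 & Q2 <draft>',
    'He said "done"',
    'a</title><b>x'
)

$results = $samples | ForEach-Object { Test-TitleEncoded -Title $_ }
$results | Format-Table -AutoSize

if ($results.Encoded -contains $false) {
    throw 'At least one -Title value was emitted without HTML encoding.'
}
```

Going by the PR's description of the discarded return value, a build without the fix should report Encoded = False for every sample except the plain one.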

@microsoft-github-policy-service microsoft-github-policy-service bot added the Review - Needed The PR is being reviewed label Apr 4, 2026
@microsoft-github-policy-service
Contributor

This pull request has been automatically marked as Review Needed because there has not been any activity for 7 days.
Maintainer, please provide feedback and/or mark it as Waiting on Author.

@iSazonov iSazonov added the CL-General Indicates that a PR should be marked as a general cmdlet change in the Change Log label Apr 4, 2026
@iSazonov iSazonov changed the title ConvertTo-Html: assign HtmlEncode result to -Title Assign HtmlEncode result back to -Title in ConvertTo-Html Apr 4, 2026