Computers, Programming, Technology, Music, Literature

Html Encoding and [ MvcHtmlString.Create, Html.Raw, and @ ]

leave a comment »

There is also an answer at stackoverflow that is on the similar lines – http://stackoverflow.com/questions/22491437/how-can-i-enter-quotes-to-white-list-on-htmlencode/22536280#22536280

 

What returns an encoded output by default, try it out yourself with the sample code below.

 

Code: Paste it in any .cshtml file.


@{
    string xssScript = "<script type='text/javascript'>alert('XssScript');</script>";
    string htmlEncodedXssScript = HttpUtility.HtmlEncode(xssScript);
    string doubleHtmlEncocedXssScript = HttpUtility.HtmlEncode(htmlEncodedXssScript);
}

<p>MvcHtmlString.Create</p>
<ol>
<li>@MvcHtmlString.Create(xssScript) </li>
<li>@MvcHtmlString.Create(htmlEncodedXssScript) </li>
<li>@MvcHtmlString.Create(doubleHtmlEncocedXssScript) </li>
</ol>

<p>Html.Raw</p>
<ol>
<li>@Html.Raw(xssScript) </li>
<li>@Html.Raw(htmlEncodedXssScript) </li>
<li>@Html.Raw(doubleHtmlEncocedXssScript) </li>
</ol>

<p>@@</p>
<ol>
<li>@xssScript </li>
<li>@htmlEncodedXssScript </li>
<li>@doubleHtmlEncocedXssScript </li>
</ol>

 

Sample Output:

image

 

Questions to ponder –

1. http://stackoverflow.com/questions/2293357/what-is-an-mvchtmlstring-and-when-should-i-use-it

2. http://stackoverflow.com/questions/10331019/difference-between-mvchtmlstring-create-and-html-raw

Advertisements

Written by gmaran23

January 10, 2013 at 12:02 am

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: