Computers, Programming, Technology, Music, Literature

Html Encoding and [ MvcHtmlString.Create, Html.Raw, and @ ]

leave a comment »

There is also an answer at stackoverflow that is on the similar lines –


What returns an encoded output by default, try it out yourself with the sample code below.


Code: Paste it in any .cshtml file.

    string xssScript = "<script type='text/javascript'>alert('XssScript');</script>";
    string htmlEncodedXssScript = HttpUtility.HtmlEncode(xssScript);
    string doubleHtmlEncocedXssScript = HttpUtility.HtmlEncode(htmlEncodedXssScript);

<li>@MvcHtmlString.Create(xssScript) </li>
<li>@MvcHtmlString.Create(htmlEncodedXssScript) </li>
<li>@MvcHtmlString.Create(doubleHtmlEncocedXssScript) </li>

<li>@Html.Raw(xssScript) </li>
<li>@Html.Raw(htmlEncodedXssScript) </li>
<li>@Html.Raw(doubleHtmlEncocedXssScript) </li>

<li>@xssScript </li>
<li>@htmlEncodedXssScript </li>
<li>@doubleHtmlEncocedXssScript </li>


Sample Output:



Questions to ponder –



Written by gmaran23

January 10, 2013 at 12:02 am

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: