I have been scratching my head about this for a few days, and I am not sure if it is an issue with my environment or the code itself, basing this on being new to ASP.NET MVC (although I have 5 years experience in C#). I am using a recent clean install of Win7x64 and VS 2008 with all the patches.
I have raw HTML stored in a database table that is selectively loaded by the controller based on a few rules which I do not have control over. Unfortunately, when I attempt to stuff the value into ViewData in the controller like so:
ViewData["HTMLData"] = DAO.HTMLDataGet();
When I see the output, it is escaped/HTML encoded. I tried using the following, none of which seemed to resolve this issue:
<%: HttpUtility.HtmlDecode(ViewData["HTMLData"].ToString())%>
And...
<%: Server.HtmlDecode(ViewData["HTMLData"].ToString())%>
And...
<%: Html.Raw(ViewData["HTMLData"].ToString())%>
...it grabs the raw HTML from the database table just fine, however it keeps forcing that blasted encoding regardless of what I try. From what I read on MSDN, there was a footnote about problems resulting from HTML not being decoded properly when it contained spaces (which mine does). Since I doubt I am the only one who has faced this, I am turning to you folks for some ideas.
I am about to kludge my way through it with a regex in the view to do page cleanup, but thought it would be better to get some advice from some other folks first before I brute force it. Thanks in advance.
<%= was the only one that was available, when <%: is the correct behaviour (and was added much later), and should be used almost all of the time. In Razor, they got it right: @foo is the same as <%: foo %>, i.e. encoded. If you think that <%= is the preferable behaviour, then: you haven't done nearly enough html programming (not specifically ASP.NET), and aren't thinking "xss" enough. Writing pre-formed html (from a view) is the exception, not the common case. – Cracksman