ASP.NET MVC Passing Raw HTML from Controller to View

3

7

I have been scratching my head about this for a few days, and I am not sure if it is an issue with my environment or the code itself, basing this on being new to ASP.NET MVC (although I have 5 years' experience in C#). I am using a recent clean install of Win7 x64 and VS 2008 with all the patches.

I have raw HTML stored in a database table that is selectively loaded by the controller based on a few rules which I do not have control over. Unfortunately, when I attempt to stuff the value into ViewData in the controller like so:

ViewData["HTMLData"] = DAO.HTMLDataGet();

When I see the output, it is escaped/HTML Encoded. I tried using the following all of which did not seem to resolve this issue:

<%: HttpUtility.HtmlDecode(ViewData["HTMLData"].ToString())%>

And...

<%: Server.HtmlDecode(ViewData["HTMLData"].ToString())%>

And...

<%: Html.Raw(ViewData["HTMLData"].ToString())%>

...it grabs the raw HTML from the database table just fine; however, it keeps forcing that blasted encoding regardless of what I try. From what I read on MSDN, there was a footnote about problems resulting from HTML not being decoded properly that contained spaces (which mine does). Since I doubt I am the only one who has faced this, I am turning to you folks for some ideas.

I am about to kludge my way through it with a regex in the view to do page cleanup, but thought it would be better to get some advice from some other folks first before I brute-force it. Thanks in advance.

Son answered 20/8, 2012 at 7:13 Comment(3)
Is the content all HTML which is to be returned to the view? Carrara
I believe I have solved the mystery: I was using <%: %> instead of <%= %>; the latter resolves the issue. For Microsoft trying to make things easy, they have made a hell of a lot of dumb decisions with ASP.NET such as this and other useless pseudo markup. Son
@user1611050 actually, you are right: there was a dumb decision made, which was that originally <%= was the only one that was available, when <%: is the correct behaviour (and was added much later), and should be used almost all of the time. In Razor, they got it right: @foo is the same as <%:foo%>, i.e. encoded. If you think that <%= is the preferable behaviour, then you haven't done nearly enough HTML programming (not specifically ASP.NET), and aren't thinking "XSS" enough. Writing pre-formed HTML (from a view) is the exception, not the common case. Cracksman
17

<%: means "encode if necessary". If you don't want that, then the lazy approach would be to use <%=, but frankly I suggest you instead wrap it in IHtmlString, for example:

string yourEncodedHtml = ...
var html = new MvcHtmlString(yourEncodedHtml);

Now, if you store that and show it, it should take the html "as is".

Cracksman answered 20/8, 2012 at 7:20 Comment(2)
Thanks for explaining why that solution works. Just frankly dumb IMHO that they set it up that way. Son
@user1611050 er, why? Virtually any time you output something, the correct thing is to encode it. Now think of what the impact is if you get it wrong: double-encoding is far preferable (and far more obvious) than an XSS exploit. Cracksman
8

Try using: <%= %>

<%= Html.Raw(ViewData["HTMLData"].ToString())%>

<%: %> is Syntax for HTML Encoding Output in ASP.NET 4 (and ASP.NET MVC)

For More Details

How to HTML Encode Content Today

ASP.NET applications (especially those using ASP.NET MVC) often rely on using <%= %> code-nugget expressions to render output. Developers today often use the Server.HtmlEncode() or HttpUtility.Encode() helper methods within these expressions to HTML encode the output before it is rendered.

While this works fine, there are two downsides of it:

It is a little verbose
Developers often forget to call the Server.HtmlEncode method – and there is no easy way to verify its usage across an app

New <%: %> Code Nugget Syntax

With ASP.NET 4 we are introducing a new code expression syntax (<%: %>) that renders output like <%= %> blocks do – but which also automatically HTML encodes it before doing so. This eliminates the need to explicitly HTML encode content.

We chose the <%: %> syntax so that it would be easy to quickly replace existing instances of <%= %> code blocks. It also enables you to easily search your code-base for <%= %> elements to find and verify any cases where you are not using HTML encoding within your application to ensure that you have the correct behavior.

Oujda answered 20/8, 2012 at 7:25 Comment(1)
If you call Html.Raw, then it doesn't matter whether you use <%: vs <%=, and thus the preference would still be for <%:. If the first line was <%:Html.Raw(...)%> this would be the perfect answer to the question. Cracksman
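The two answers above say the same thing from different angles: the <%: %> nugget encodes plain strings but leaves anything implementing IHtmlString (MvcHtmlString, HtmlString, the return value of Html.Raw) untouched, while <%= %> never encodes at all. The console program below is an added example, not code from the thread or from ASP.NET, that exercises exactly the System.Web calls the <%: %> nugget compiles down to on .NET Framework 4 (HttpUtility.HtmlEncode(object), which returns IHtmlString.ToHtmlString() as-is). The helper names ColonNugget and EqualsNugget and the sample strings are constructed for the demo; it assumes a reference to System.Web.dll.

```csharp
// Added example (not from the original thread): shows how the <%: %> and
// <%= %> nuggets treat a plain string versus an IHtmlString-wrapped value.
// Build on .NET Framework 4+ with: csc /r:System.Web.dll NuggetDemo.cs
using System;
using System.Web;

public static class NuggetDemo
{
    // <%: value %> compiles to HttpUtility.HtmlEncode(object). That overload
    // hands back IHtmlString.ToHtmlString() unchanged and encodes anything else.
    public static string ColonNugget(object value)
    {
        return HttpUtility.HtmlEncode(value);
    }

    // <%= value %> writes value.ToString() with no encoding of any kind.
    public static string EqualsNugget(object value)
    {
        return Convert.ToString(value);
    }

    public static void Main()
    {
        // Constructed sample: a fragment that is deliberately stored as HTML
        // and maintained only by administrators (the questioner's case)...
        string trustedFragment = "<p>Welcome <b>back</b></p>";
        // ...and a value that originated with an untrusted user.
        string untrustedInput = "<script>alert(1)</script>";

        // 1. Plain string through <%: %>: the angle brackets are encoded, so
        //    the browser renders the tags as visible text. This is what the
        //    question describes as "forcing that blasted encoding".
        Console.WriteLine("1: " + ColonNugget(trustedFragment));

        // 2. Same fragment wrapped in an IHtmlString, which is what the
        //    accepted answer's MvcHtmlString and Oujda's Html.Raw both produce:
        //    <%: %> now passes the markup through unchanged.
        IHtmlString markedAsHtml = new HtmlString(trustedFragment);
        Console.WriteLine("2: " + ColonNugget(markedAsHtml));

        // 3. The wrapper is a trust decision, not a formatting one. Wrapping
        //    untrusted input is the XSS case Cracksman warns about: the script
        //    tag reaches the browser intact.
        Console.WriteLine("3: " + ColonNugget(new HtmlString(untrustedInput)));

        // 4. <%= %> with a plain string behaves like case 3: nothing is encoded,
        //    which is why switching nuggets "fixed" the question but also
        //    silently removed the protection for every value on that view.
        Console.WriteLine("4: " + EqualsNugget(untrustedInput));

        // 5. Double encoding, the failure mode the comments prefer: a value
        //    encoded twice shows up as visibly mangled text and nothing more.
        string alreadyEncoded = HttpUtility.HtmlEncode(untrustedInput);
        Console.WriteLine("5: " + ColonNugget(alreadyEncoded));
    }
}
```

In the questioner's controller the equivalent of case 2 is to store the wrapped value rather than the string, e.g. ViewData["HTMLData"] = new MvcHtmlString(DAO.HTMLDataGet()), and keep <%: %> in the view; the nugget then renders trusted fragments raw while every other value on the page stays encoded. The wrapper should be applied only at the point where the code can vouch for the fragment's origin, never as a blanket conversion of whatever a column happens to contain.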
0

You almost had it with the things you tried. Gave me the idea to do this, which works:

Html.Raw(HttpUtility.HtmlDecode(ViewData["HTMLData"].ToString()))
Satiable answered 4/2, 2022 at 19:10 Comment(0)