在 Razor 视图中发出未编码的字符串
正如 ScottGu 在他的博客帖子中所说的那样 «by使用@块发出的默认内容会自动进行HTML编码,以更好地防止XSS攻击场景»。 我的问题是:如何输出非 HTML 编码的字符串?
为了简单起见,请坚持这个简单的情况:
@{
var html = "<a href='#'>Click me</a>"
// I want to emit the previous string as pure HTML code...
}
As ScottGu says in his blog post «by default content emitted using a @ block is automatically HTML encoded to better protect against XSS attack scenarios».
My question is: how can you output a non-HTML-encoded string?
For the sake of simplicity, pls stick to this simple case:
@{
var html = "<a href='#'>Click me</a>"
// I want to emit the previous string as pure HTML code...
}
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(5)
这是我最喜欢的方法:
来源是 Phil Haack 的 Razor 语法参考:http://haacked.com/archive/2011/01/06/razor-syntax-quick-reference.aspx
This is my favorite approach:
Source was Phil Haack's Razor syntax reference: http://haacked.com/archive/2011/01/06/razor-syntax-quick-reference.aspx
您可以创建一个不会进行 HTML 编码的 MvcHtmlString 的新实例。
希望 Razor 的未来能有一种更简单的方法。
如果您没有使用 MVC,您可以尝试以下操作:
You can create a new instance of MvcHtmlString which won't get HTML encoded.
Hopefully there will be an easier way in the future of Razor.
If you're not using MVC, you can try this:
new HtmlString 绝对是答案。
我们研究了其他一些 razor 语法更改,但最终没有一个真正比新的 HtmlString 更短。
然而,我们可以将其包装到一个助手中。可能...
或者
new HtmlString is definitely the answer.
We looked into some other razor syntax changes, but ultimately none of them ended up really being any shorter than new HtmlString.
We may, however, wrap that up into a helper. Possibly...
or
我在 Mono 下使用 ASP.NET MVC 和 Razor。
由于某些原因,我无法从 System.Web.Mvc 的 System.Web.WebPages 获取 HtmlHelper。
但在将模型的属性声明为
RazorEngine.Text.RawString后,我设法输出未编码的字符串。现在它按预期输出。示例
输出:
I'm using ASP.NET MVC and Razor under Mono.
I couldn't get HtmlHelper from System.Web.WebPages of System.Web.Mvc for some reasons.
But I managed to output unencoded string after declaring model's property as
RazorEngine.Text.RawString. Now it outputs as expected.Example
Output:
在将我们的项目转换到新的 Razor 视图引擎时,我也遇到了这个问题。我采取的方法略有不同,因为我们必须从 C# 生成 JSON 数据,并希望在页面加载时输出它。
我最终所做的是实现一个 RawView,它与 cshtml 文件内的 View 并行。本质上,要获取原始字符串,
这需要对项目布局进行一些更改,所以我刚刚写了一篇关于它的博客文章 此处。简而言之,这需要 MVC 的 DynamicViewDataDictionary 的重复实现和包含 RawView 的新 WebViewPage。我还继续在 RawView 上实现了索引运算符,以允许
在有人需要使用键列表循环数据的情况下。
阅读护士的评论,如果我将其命名为 Literal 而不是 RawView 可能会更好。
I ran into this problem as well when transitioning our project to the new Razor view engine. The approach I took was slightly different because we had to generate JSON data from C# and wanted to output it upon page load.
What I eventually did was to implement a RawView that was a parallel of View inside of the cshtml files. Essentially, to get a raw string,
This requires a few changes to the project layout, so I just wrote up a blog post about it here. In short, this required a duplicate implementation of MVC's DynamicViewDataDictionary and a new WebViewPage that contains the RawView. I also went ahead and implemented the index operator on the RawView to allow for
In the off-chance that someone needs to loop over the data with a list of keys.
Reading anurse's comment, it probably would have been better off if I had named this as a Literal instead of RawView.