How do I write unencoded Json to my View using Razor?
Note: this page is a Chinese/English parallel translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. You are free to use/share it, but you must follow the same CC BY-SA license, cite the original URL, and attribute it to the original authors (not me): StackOverflow
Original URL: http://stackoverflow.com/questions/4072762/
Asked by Samuel Hyman
I'm trying to write an object as JSON to my Asp.Net MVC View using Razor, like so:
<script type="text/javascript">
var potentialAttendees = @Json.Encode(Model.PotentialAttendees);
</script>
The problem is that in the output the JSON is encoded, and my browser doesn't like it. For example:
<script type="text/javascript">
var potentialAttendees = [{&quot;Name&quot;:&quot;Samuel Hyman&quot;},];
</script>
How do I get Razor to emit unencoded JSON?
Answered by Lorenzo
You do:
@Html.Raw(Json.Encode(Model.PotentialAttendees))
In releases earlier than Beta 2 you did it like:
@(new HtmlString(Json.Encode(Model.PotentialAttendees)))
Answered by Jeremy Cook
Newtonsoft's JsonConvert.SerializeObject does not behave the same as Json.Encode, and doing what @david-k-egghead suggests opens you up to XSS attacks.
Drop this code into a Razor view to see that using Json.Encode is safe, and that Newtonsoft can be made safe in the JavaScript context, but not without some extra work.
<script>
var jsonEncodePotentialAttendees = @Html.Raw(Json.Encode(
new[] { new { Name = "Samuel Hyman</script><script>alert('jsonEncodePotentialAttendees failed XSS test')</script>" } }
));
alert('jsonEncodePotentialAttendees passed XSS test: ' + jsonEncodePotentialAttendees[0].Name);
</script>
<script>
var safeNewtonsoftPotentialAttendees = JSON.parse(@Html.Raw(HttpUtility.JavaScriptStringEncode(JsonConvert.SerializeObject(
new[] { new { Name = "Samuel Hyman</script><script>alert('safeNewtonsoftPotentialAttendees failed XSS test')</script>" } }), addDoubleQuotes: true)));
alert('safeNewtonsoftPotentialAttendees passed XSS test: ' + safeNewtonsoftPotentialAttendees[0].Name);
</script>
<script>
var unsafeNewtonsoftPotentialAttendees = @Html.Raw(JsonConvert.SerializeObject(
new[] { new { Name = "Samuel Hyman</script><script>alert('unsafeNewtonsoftPotentialAttendees failed XSS test')</script>" } }));
alert('unsafeNewtonsoftPotentialAttendees passed XSS test: ' + unsafeNewtonsoftPotentialAttendees[0].Name);
</script>
See also:
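The three Razor snippets above show the symptom in a browser; the following is an added example (not part of the answer, and not Razor or C#) that models in Node.js why raw serializer output inside a `<script>` element is an XSS sink and what an "encode for the JavaScript context" step has to do about it. The sample data is constructed for the demo (the first Name mirrors the payload used above), and the HTML-parser model is a deliberate simplification of how browsers end script content: the first `</script` followed by whitespace, `/` or `>` closes the element, case-insensitively, no matter what the JavaScript string syntax around it says.

```javascript
// Added example, not code from the original page.
// Demonstrates: why JSON.stringify / JsonConvert.SerializeObject output
// must not be dropped raw into <script>, and why escaping '<' (as Json.Encode
// does) is sufficient to stop the breakout while keeping the data intact.

// Constructed sample data. The first Name is the payload from the answer
// above; the second adds U+2028 and a comment opener, which a JavaScript
// context also has to survive.
const ATTENDEES = [
  { Name: "Samuel Hyman</script><script>alert('xss')</script>" },
  { Name: "line\u2028separator <!-- comment opener" },
];

// Naive embedding: what Html.Raw(JsonConvert.SerializeObject(...)) yields.
// JSON.stringify leaves '<', '>', '&' and U+2028/U+2029 untouched.
function embedUnsafe(value) {
  return JSON.stringify(value);
}

// Hardened embedding: same JSON text, but every character the HTML parser
// cares about (and U+2028/U+2029, illegal in pre-ES2019 string literals)
// becomes a JSON \uXXXX escape. JSON.parse still yields the same value.
// This mirrors what Json.Encode does with its \u003c / \u003e / \u0026 output.
function embedSafe(value) {
  return JSON.stringify(value).replace(/[<>&\u2028\u2029]/g, (ch) =>
    "\\u" + ch.charCodeAt(0).toString(16).padStart(4, "0")
  );
}

// Simplified browser rule (assumption for this demo): script content ends
// at the first "</script" followed by whitespace, "/" or ">", case-insensitive.
const SCRIPT_END = /<\/script[\s/>]/i;

// True when the JSON text would terminate the <script> element early.
function scriptBreaksOut(scriptBody) {
  return SCRIPT_END.test(scriptBody);
}

// Render the tag the way the Razor view does.
function renderScript(jsonText) {
  return "<script>\nvar potentialAttendees = " + jsonText + ";\n</script>";
}

// Everything up to the first closing sequence: the text the browser actually
// executes as the first script. Anything after it is parsed as fresh HTML,
// which is where the injected <script>alert(...)</script> runs.
function scriptContentSeenByBrowser(html) {
  const open = html.indexOf("<script>") + "<script>".length;
  const rest = html.slice(open);
  const m = SCRIPT_END.exec(rest);
  return m ? rest.slice(0, m.index) : rest;
}

// Proves the escaped form loses no data.
function roundTrip(value) {
  return JSON.parse(embedSafe(value));
}
```

The answer's own fix, `HttpUtility.JavaScriptStringEncode(..., addDoubleQuotes: true)` wrapped in `JSON.parse(...)`, achieves the same end by a different route: the whole JSON document becomes one JavaScript string literal whose `<` and `>` are escaped, and the browser reconstructs the object from it. Newtonsoft.Json can also be told to escape HTML-significant characters itself via `JsonSerializerSettings { StringEscapeHandling = StringEscapeHandling.EscapeHtml }` (a library setting not mentioned on this page), which is the simpler choice when you control the serializer call.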
Answered by Ravi Ram
Using Newtonsoft
<script type="text/jscript">
var potentialAttendees = @(Html.Raw(Newtonsoft.Json.JsonConvert.SerializeObject(Model.PotentialAttendees)))
</script>

