asp.net-mvc 编写/输出未转义的 HTML 字符串
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/4281424/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Writing/outputting HTML strings unescaped
提问by AGS
I've got safe/sanitized HTML saved in a DB table.
我在数据库表中保存了安全/消毒的 HTML。
How can I have this HTML content written out in a Razor view?
如何在 Razor 视图中写出此 HTML 内容?
It always escapes characters like <and ampersands to &.
它总是将像<和&符号这样的字符转义为&.
回答by Lorenzo
Supposing your content is inside a string named mystring...
假设您的内容位于名为mystring...
You can use:
您可以使用:
@Html.Raw(mystring)
Alternatively you can convert your string to HtmlStringor any other type that implements IHtmlStringin model or directly inline and use regular @:
或者,您可以将字符串转换为在模型HtmlString中实现IHtmlString或直接内联并使用常规的任何其他类型@:
@{ var myHtmlString = new HtmlString(mystring);}
@myHtmlString
回答by Tom Chantler
In ASP.NET MVC 3 You should do something like this:
在 ASP.NET MVC 3 你应该做这样的事情:
// Say you have a bit of HTML like this in your controller:
ViewBag.Stuff = "<li>Menu</li>"
// Then you can do this in your view:
@MvcHtmlString.Create(ViewBag.Stuff)
回答by Andrus
You can use
您可以使用
@{ WriteLiteral("html string"); }
回答by Travis J
Sometimes it can be tricky to use raw html. Mostly because of XSS vulnerability. If that is a concern, but you still want to use raw html, you can encode the scary parts.
有时使用原始 html 可能会很棘手。主要是因为 XSS 漏洞。如果这是一个问题,但您仍然想使用原始 html,您可以对可怕的部分进行编码。
@Html.Raw("(<b>" + Html.Encode("<script>console.log('insert')</script>" + "Hello") + "</b>)")
Results in
结果是
(<b><script>console.log('insert')</script>Hello</b>)
回答by Ajay
You can put your string into viewdata in controller like this :
您可以将字符串放入控制器中的 viewdata 中,如下所示:
ViewData["string"] = DBstring;
And then call that viewdata in view like this :
然后像这样在视图中调用该视图数据:
@Html.Raw(ViewData["string"].ToString())
回答by ZeNo
Apart from using @MvcHtmlString.Create(ViewBag.Stuff)as suggested by Dommer, I suggest you to also use AntiXSSlibrary as suggested phill http://haacked.com/archive/2010/04/06/using-antixss-as-the-default-encoder-for-asp-net.aspx
除了按照 Dommer 的建议@MvcHtmlString.Create(ViewBag.Stuff)使用外,我建议您也按照建议的 phill http://haacked.com/archive/2010/04/06/using-antixss-as-the-default-encoder-for-asp使用AntiXSS库-net.aspx
It encodes almost all the possible XSS attack string.
它编码了几乎所有可能的 XSS 攻击字符串。
回答by ZlobnyiSerg
Complete example for using template functions in RazorEngine (for email generation, for example):
在 RazorEngine 中使用模板函数的完整示例(例如用于电子邮件生成):
@model SomeModel
@{
Func<PropertyChangeInfo, object> PropInfo =
@<tr class="property">
<td>
@item.PropertyName
</td>
<td class="value">
<small class="old">@item.OldValue</small>
<small class="new">@item.CurrentValue</small>
</td>
</tr>;
}
<body>
@{ WriteLiteral(PropInfo(new PropertyChangeInfo("p1", @Model.Id, 2)).ToString()); }
</body>
