Am I using Html.Raw() safely?
I have an e-commerce gift shop where users can fill out a gift card for their recipient.
To fill a card, I have users entering text in a multi-line text box.
When I show the gift card on the final review page, I have to spit out the information with Html.Raw for the newlines to display correctly. I'm doing it like this:
@(Model.GiftCard.Text != null ? Html.Raw(Model.GiftCard.Text.Replace(char.ConvertFromUtf32(13),"<br />")) : Html.Raw(""))
I am afraid that I am entering dangerous territory by using Html.Raw with values entered by the user. However, when I go back to the gift card input page, the page breaks when I try to enter something like "This is my gift card! (Scripttag) alert ('test'); (/ scripttag)" ... so it seems that .NET will catch any malicious entries at this point.
Can I do this? It looks like, since the gift card input page has anti-malicious-input checks, I should be fine using Html.Raw later to render the HTML newlines that I insert myself ...
(I replaced the actual script tag with (script-tag) above so that it would appear on Stack Overflow.)
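The behaviour the question describes on the input page is ASP.NET request validation rejecting a request that looks like markup. That is a coarse filter, not an output-encoding step: it does not run on every path into the database, it can be disabled per page or field, and it does not cover every way of smuggling active content into HTML. The defensive pattern is to HTML-encode the stored text first and only then insert the `<br />` tags the application itself controls, so `Html.Raw` wraps nothing but already-encoded output. The following helper is an added example, not code from the question; the class name `GiftCardRenderer`, the sample input and the `Main` method are constructed for illustration.

```csharp
using System;
using System.Net;

// Added example: renders user-supplied gift-card text for an HTML page.
// Not the question's code; the class and sample input are constructed here.
public static class GiftCardRenderer
{
    // UNSAFE: mirrors the question's
    //   Html.Raw(Text.Replace(char.ConvertFromUtf32(13), "<br />"))
    // Any markup typed by the user reaches the browser untouched.
    public static string RenderUnsafe(string text)
    {
        if (text == null) return string.Empty;
        return text.Replace(char.ConvertFromUtf32(13), "<br />");
    }

    // SAFE: encode the whole value first so '<', '>', '&', '"' and '\''
    // typed by the user become inert entities; only then insert the
    // <br /> tags that the application, not the user, controls.
    // Also handles \r\n and bare \n, not only the bare carriage return.
    public static string RenderSafe(string text)
    {
        if (string.IsNullOrEmpty(text)) return string.Empty;
        string encoded = WebUtility.HtmlEncode(text);
        return encoded
            .Replace("\r\n", "<br />")
            .Replace("\r", "<br />")
            .Replace("\n", "<br />");
    }

    public static void Main()
    {
        // Constructed sample input: a greeting followed by a script tag.
        string input = "Happy birthday!\r\n<script>alert('x')</script>";

        Console.WriteLine("unsafe: " + RenderUnsafe(input));
        // unsafe: Happy birthday!<br />\n<script>alert('x')</script>   (script runs)

        Console.WriteLine("safe:   " + RenderSafe(input));
        // safe:   Happy birthday!<br />&lt;script&gt;alert(&#39;x&#39;)&lt;/script&gt;
    }
}
```

In the Razor view the call becomes `@Html.Raw(GiftCardRenderer.RenderSafe(Model.GiftCard.Text))`, which keeps `Html.Raw` limited to markup the application produced itself. `WebUtility.HtmlEncode` (System.Net) is used so the helper works on both .NET Framework and .NET Core; `HttpUtility.HtmlEncode` from System.Web gives the same result where that assembly is available. Keeping request validation enabled is still worthwhile as defence in depth, but it should never be the reason a raw-output call is considered safe.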