Am I using Html.Raw () safe?

I have an e-commerce gift shop where users can fill out a gift card for their recipient.

To fill a card, I have users entering text in a multi-line text box.

When I show the gift card on the last page of the review, I have to spit out the information with Html.Raw for the Newlines to display correctly. I'm doing it:

@(Model.GiftCard.Text != null ? Html.Raw(Model.GiftCard.Text.Replace(char.ConvertFromUtf32(13),"<br />")) : Html.Raw(""))


I am afraid that I am entering dangerous territory using Html.Raw, by the values ​​entered by the user. However, when I go back to the gift card input page, the page breaks when I try to do something like "This is my gift card! (Scripttag) alert ('test'); (/ scripttag)" ... this is how I feel that .net will catch any malicious entries at this point.

Can you do this? It looks like since the gift card login page works with anti-malware checks, I should be fine using the HtmlRaw later to render the html newline that I insert into myself ...

(I replaced the actual script tag with this (script-tag) above to make it appear on stackoverflow)


source to share

2 answers

Use a regex in your view model to make sure people are only typing A-Za-z0-9 and whatever you think should be using, for example: =] stuff type. Screening this frontend is better than the second by guessing it on the way out.



How about using <& pre & gt; </previous> instead? Will this allow rendering back to HTML without having to use Html.Raw?



All Articles