Because encoded characters are HTML, and the Raw version of that string is the encoded one. Html.Raw renders what it is given without doing any html encoding, so with ViewBag.div = “<div> Hello </div>”;: @Html.Raw(ViewBag.div); Renders <div> Hello </div> However, when you have encoded characters in there, such as ViewBag.Something = “>”; the raw version … Read more
Try this: <div class=”content”> @Html.Raw(HttpUtility.HtmlDecode(Model.Content)) </div>
Problem is that when this gets posted to server, it will not work, doesn’t matter what you try. This is the ASP.NET XSS protection, which can be disabled like so: <%@ Page … ValidateRequest=”false” %> Trouble is, you’ll have to be very careful validating all the postback yourself. Easier way is to escape all the … Read more
I don’t have an answer specifically to your question, but I would like to point out that the white list vs black list approach not just “nice”. It’s important. Very important. When it comes to security, every little thing is important. Remember that with cross-site scripting and cross-site request forgery , even if your site … Read more
System.Net.WebUtility class is available starting from .NET 4.0 (You donʼt need System.Web.dll dependency).
By encode, do you mean: Convert all applicable characters to HTML entities? htmlspecialchars or htmlentities You can also use strip_tags if you want to remove all HTML tags : strip_tags Note: this will NOT stop all XSS attacks
If you use htmlentities() to encode, you can use html_entity_decode() to reverse the process: html_entity_decode() Convert all HTML entities to their applicable characters. html_entity_decode() is the opposite of htmlentities() in that it converts all HTML entities in the string to their applicable characters. e.g. $myCaption = ‘áéí’; //encode $myCaptionEncoded = htmlentities($myCaption, ENT_QUOTES); //reverse (decode) $myCaptionDecoded … Read more
The two options are almost exactly the same. Here are your two choices: <html>This is <b>bold</b></html> <html><![CDATA[This is <b>bold</b>]]></html> In both cases, you have to check your string for special characters to be escaped. Lots of people pretend that CDATA strings don’t need any escaping, but as you point out, you have to make sure … Read more
The + character has a special meaning in a URL => it means whitespace – . If you want to use the literal + sign, you need to URL encode it to %2b: body=Hi+there%2bHello+there Here’s an example of how you could properly generate URLs in .NET: var uriBuilder = new UriBuilder(“https://mail.google.com/mail”); var values = HttpUtility.ParseQueryString(string.Empty); … Read more
Either decode them using html_entity_decode or remove them using preg_replace: $Content = preg_replace(“/&#?[a-z0-9]+;/i”,””,$Content); (From here) EDIT: Alternative according to Jacco’s comment might be nice to replace the ‘+’ with {2,8} or something. This will limit the chance of replacing entire sentences when an unencoded ‘&’ is present. $Content = preg_replace(“/&#?[a-z0-9]{2,8};/i”,””,$Content);