Is there a risk in using @Html.Raw? It seems to me there shouldn't be. If there is a risk then wouldn't that risk already exist regardless of using @Html.Raw in that modern browsers such as Chrome will allow an edit injection of <script>malicious()</script> or even to change a form's post action to something else.
可以将文章内容翻译成中文,广告屏蔽插件可能会导致该功能失效(如失效,请关闭广告屏蔽插件后再试):
问题:
回答1:
@Html.Raw will allow executing any script that is on the value to display. If you want to prevent that you need to use @Html.AttributeEncode
回答2:
Correct, the risk is in how it is used. There's no risk inherent in Html.Raw. It's a tool, nothing more.
回答3:
If you are displaying user entered information it is better to use @Html.Encode().
In another words, if you are displaying non-user eneterd data you are safe to go with @Html.Raw()
