Is there a risk in using @Html.Raw?

2020-04-05 09:10发布

站内问答 / 后端开发
943 3 4

Is there a risk in using @Html.Raw? It seems to me there shouldn't be. If there is a risk then wouldn't that risk already exist regardless of using @Html.Raw in that modern browsers such as Chrome will allow an edit injection of <script>malicious()</script> or even to change a form's post action to something else.

3条回答
Bombasti
2楼-- · 2020-04-05 09:19

@Html.Raw will allow executing any script that is on the value to display. If you want to prevent that you need to use @Html.AttributeEncode

查看更多
0人赞 添加讨论(0) 举报
Lonely孤独者°
3楼-- · 2020-04-05 09:35

Correct, the risk is in how it is used. There's no risk inherent in Html.Raw. It's a tool, nothing more.

查看更多
0人赞 添加讨论(0) 举报
淡お忘
4楼-- · 2020-04-05 09:39

If you are displaying user entered information it is better to use @Html.Encode().

In another words, if you are displaying non-user eneterd data you are safe to go with @Html.Raw()

查看更多
0人赞 添加讨论(0) 举报
登录 后发表回答
相关问题
查看全部
相关文章
查看全部
收藏的人(4)