I create a String in a view and want to output it to the screen.
Initially I tried Response.Write but, due to reasons explained elsewhere on this site, the content appeared at the top of the page. I then attempted to output the string using # like so: #myString.
This worked, in that it output the text at the right location but it escaped HTML links that I had put in there. How do I get around this problem?
You can use Html.Raw():
#Html.Raw(MyStringVar)
Instead of string you will want to use:
#{
var myString = new MvcHtmlString("<tags>Text</tags>");
}
Then when you inline render it:
#myString
It'll display the correct value instead of escaped text.
Edit: Alternative
The other option is you can just create the MvcHtmlString inline so it renders appropriately.
#(new MvcHtmlString(myString))
You can use the Html.Raw function for this
For example:
#Html.Raw(Model.YourString)
#model myString
#Html.Raw(Model)
Try #Html.Raw(myString).
I do not recommend doing this. You don't send html output to screen for various reasons. if you want to put the text in certain part of the screen, use html/css styling in the view and send only the output.
You could do it this way:
#Html.Raw(myString)
Related
I have this string below:
<List>\r\n <First>\r\n <Second>BlaBla..</Second>\r\n...
But in View (MVC Asp.Net) presenting in one line only.
What can I do to respect the \r\n to broke in a new line?
Thanks
\r\n will format your string in source, it will be visible when you view HTML source of your page. You need to use HTML <br> tag instead of \r\n, so your browser will format your output accordingly.
Apart from the other answers that suggest using <br/>, you can also use the CSS white-space property which can actually make line breaks when it sees \r\n, or the <pre> tag which has this set up by default. See: http://www.w3schools.com/cssref/pr_text_white-space.asp
Assuming that your view is an HTML page rendered in the browser, understand that HTML does not render line break characters. The source code will, but not the HTML. If you need line breaks, you should use a tag structure that renders them, such as <p> or <br>.
I am using C# ASP.NET MVC, and wish to populate a DIV with html stored in a database. I have tried the following:
//getting a string of HTML from a database
#{
string myHtml = Model.Data.Html;
}
//Using Javascript to insert this into a Div
<script>
$("#myDiv").html("#myHtml");
</script>
The div fills with the html, but it is inserted as raw text and displays all of the html tags. I have tried .append and .html to no avail.
Any help would be appreciated.
Maybe you want to use the #Html.Raw() method?
$('#myDiv').html('#Html.Raw(myHtml)');
Be careful as this could be part of an XSS vulnerability. Don't directly render user input as unencoded HTML. (This is exactly why the ASP.NET MVC Framework HTML-encodes output by default, which is the issue you're seeing.)
Try
$("#myDiv").html('#Html.Raw(Model.Data.Html)')
If you don't have an explicit requirement to use Javascript to do this, simply use Html.Raw to output unencoded HTML inline.
<div id="myDiv">#Html.Raw(myHtml)</div>
I have this problem: From a database, held up a string, which contains HTML mixed with C# code. I wish I could run correctly both codes on my page .aspx.
e.g.
in my .aspx:
<div><%= Model.repo.getCode() %></div>
and the getCode() method give me this:
<div id="secondDiv"><p><%= Model.Person.Name %></p></div>
so I want the final html file look like:
<div><div id="secondDiv"><p>Jhon</p></div></div>
any suggestion?
There may be direct way to bind such value,
But if you could store String.Formatable into database then it would be easy to bind the data needed.
Using String.Format you achieve like,
returned string from Model.repo.getCode() (see curly braces)
"<div id="secondDiv"><p>{0}</p></div>";
And in ASP code,
<div><%= string.format(Model.repo.getCode(),Model.Person.Name) %></div>
Take a look at this project as it helped me with a similar problem: https://github.com/formosatek/dotliquid Basically you can bind whatever objects to a template and that template can call properties of you objects and even use conditional logic and loops.
Is it possible to scrape all the text from a site that was navigated to by WebBrowser control without looking at the source?
David Walker's method is great when one don't need any info from the header nor non main part of the webpage. if one need something outside inner text, there is only two options, one is to parse with "getElement".
the other one is issue commands (Document.ExecCommand) to webbrowser to select all and copy to clipboard:
wb.Document.ExecCommand("SelectAll", false, null);
wb.Document.ExecCommand("Copy", false, null);
then finally string content=clipboard.getText();
Please note the spelling and syntax may not be correct, I'm recalling from my memory
string browserContents = webBrowser.Document.Body.InnerText;
You use the DocumentText property or the WebBrowser control.
This property is what holds the HTML of the site you have navigated to.
Update: (following comments)
If you want to parse the HTML and get the text parts of it, I suggest you use the HTML Agility Pack.
I have a requirement that user can input HTML tags in the ASP.NET TextBox. The value of the textbox will be saved in the database and then we need to show it
on some other page what he had entered. SO to do so I set the ValidateRequest="false" on the Page directive.
Now the problem is that when user input somthing like :
<script> window.location = 'http://www.xyz.com'; </script>
Now its values saved in the database, but when I am showing its value in some other page It redirects me to "http://www.xyz.com" which is obvious
as the javascript catches it. But I need to find a solution as I need to show exactly what he had entered.
I am thinking of Server.HtmlEncode. Can you guide me to a direction for my requirement
Always always always encode the input from the user and then and only then persist in your database. You can achieve this easily by doing
Server.HtmlEncode(userinput)
Now, when it come time to display the content to the user decode the user input and put it on the screen:
Server.HtmlDecode(userinput)
You need to encode all of the input before you output it back to the user and you could consider implementing a whitelist based approach to what kind of HTML you allow a user to submit.
I suggest a whitelist approach because it's much easier to write rules to allow p,br,em,strong,a (for example) rather than to try and identify every kind of malicious input and blacklist them.
Possibly consider using something like MarkDown (as used on StackOverflow) instead of allowing plain HTML?
You need to escape some characters during generating the HTML: '<' -> <, '>' -> >, '&' -> &. This way you get displayed exactly what the user entered, otherwise the HTML parser would possibly recognize HTML tags and execute them.
Have you tried using HTMLEncode on all of your inputs? I personally use the Telerik RadEditor that escapes the characters before submitting them... that way the system doesn't barf on exceptions.
Here's an SO question along the same lines.
You should have a look at the HTML tags you do not want to support because of vulnerabilities as the one you described, such as
script
img
iframe
applet
object
embed
form, button, input
and replace the leading "<" by "& lt;".
Also replace < /body> and < /html>
HTML editors such as CKEditor allow you to require well-formed XHTML, and define tags to be excluded from input.