I have tried to decode the html text that i have in the databse in my MVC 3 Razor application.
the html text in the databse is not encoded.
I tries httpUtility.decode , server.decode but none of them work.
finally i managed to make it work with Html.raw(string)
sample of non working code
#Server.HtmlDecode(item.ShortDescription)
#HttpUtility.HtmlDecode(item.ShortDescription)
Do you know why we can not use html.decode in my case !
I thought this would save some one else from looking for few hours.
It works just fine to decode the text, but then it will automatically be encoded again when it's put in the page using the # syntax.
The Html.Raw method wraps the string in an HtmlString, which tells the razor engine not to encode it when it's put in the page.
If you want to display the value as-is without any HTML encoding you could use the Html.Raw helper:
#Html.Raw(item.ShortDescription)
Be warned thought that by doing this you are opening your site to XSS attacks so you should be very careful about what HTML this ShortDescription property contains. If it is the user that enters it you should absolutely ensure that it is safe. You could use the AntiXss library for this.
Do you know why we can not use html.decode in my case !
Because Html.Decode returns a string and when you feed a string to the #() Razor function it automatically Html encodes it again and ruins your previous efforts. That's why the Html.Raw helper exists.
Related
I need to be able to access strings held in my C# code in JavaScript. To test, I have tried displaying a message box with the C# string in JavaScript (I am using this string literal and the message box as an example scenario):
alert(<%: "TEST" %>);
When this code runs, no message box is displayed. On the other hand, a message box is displayed with this code:
alert(<%: 6 %>);
Why is it that I can use integers but not strings? Is there any way around this?
Thanks.
You need to add quotes around the string; otherwise, the browser sees alert(TEST);, which is incorrect. To prevent cross-site scripting attacks, you also need to properly escape special characters. Calling HttpUtility.JavaScriptStringEncode lets you do both:
alert(<%= HttpUtility.JavaScriptStringEncode("TEST", true) %>);
Note: If this JavaScript snippet appears inside an HTML attribute like onclick, you may need to change <%= to <%: so that the double quotes are also HTML encoded.
Why is it that I can use integers but not strings?
Because you need to put strings in quotes:
alert("<%: "TEST" %>");
The key here, as always, is to look at what the browser actually receives. With your original code, what the browser sees is:
alert(TEST);
...which is trying to use the variable TEST, not a literal string.
Now in the above, I've assumed the string won't have any " in it or other things that aren't valid within a JavaScript string literal. That's not usually a good assumption to make.
If you're using a recent version of .Net or using JSON.Net (see this question for details), you can output the string using a JSON serializer, which will ensure that anything within it that may be problematic is properly encoded/escaped. For instance, with JSON.Net, you might use:
// With JSON.Net
alert(<%: JsonConvert.ToString("TEST") %>);
// With a recent version of .Net
alert(<%: HttpUtility.JavaScriptStringEncode("TEST", true) %>);
The problem is in how this translates into JavaScript:
alert(<%: "TEST" %>);
becomes
alert(TEST);
This is a problem because it assumes there is a variable named TEST that you'd like to display the value of, but most likely, TEST is undefined. What you probably want to do is this:
alert('<%: "TEST" %>');
But since this is MVC 4, you can use the Json.Encode method to be a little cleaner, like this:
alert(<%: Json.Encode("TEST") %>);
Both of thse will translate to
alert('TEST');
This should display a message box with the string 'TEST'.
Is there a way to detect if an HTML page contains any razor/C# code? Essentially I want users to be able to provide custom layouts, with tags that I will replace with RenderSection. I want to validate that prior to making this replacement, that none of the HTML contains anything like for example, <a href="#(some C# code)".
All discussions about alternative ways to do this, should/could/would aside, just simply:
Is there a way to programmatically detect if a file contains C#/Razor code?
I don't know a lot about the Razor markup -- but I am thinking that when you grab the layout string they are passing in you will want to parse the text out and grab everything that starts with an # and toss those words into an array. Then, when you republish it to you website use razor code to access the data in the array...
Alternately, and easier, would be to go through all the passed in code and replace all the # signs with a different symbol say & that way it wont get interpreted by the Razor processor:
layoutString = layoutString.Replace('#', '&');
In the browser? No, because unless the programmer made a mistake, there is no Razor/C# code in teh rendered HTML, only HTML that was the result of that.
What you ask is like asking what type of oven was used to bake a pizza from the pizza. Bad news - you never will know.
If you provie sensible tags from those, you could parse them in javascript, but you have to output that metadata yourself as part of the generated html.
After reading your comment to TomTom; the answer is:
No. Razor does not come with any public syntax parser.
I am taking string from database, which will then be HtmlEncoded. How do I do the formatting of newline and tab?
I don't think I will be able to use CSS because it is only one string (unless using CSS to replace the substring)
One way I've tried is by putting <br> and inside of the text in database and then using HttpUtility.HtmlDecode to format it, but I am not sure it is the right way.
Any suggestion and feedback is welcomed.
if you are getting a html encoded string from database then you just have to use htmldecode for decoding and it will place tabs and new line.
Prior to that check if the encoded string is html encoded or any other encoding has been used.
i am using the cluetip plugin and the simple use case is to to put the content in a title attribute, like below:
<a title='Top title|detail content'>Text</a>
i am now running into issues where the string that is inside "detail content' has an apostrophe inside of it and it seems to confuse cluetip plugin. Is there anyway to escape or encode an apostrophe to allow cluetip to work properly.
You're looking for '.
See HTML entities.
You'll want to use ' per this link since ' has flaky browser support. See this old post for more info.
have you tried HTML escaping the apostrophe?
Hey,
so we have a backend written in C# and we have text in that backend in a language which has "special characters".
Problem is when I output my saved text (from C# app) to the web page (ASP.NET), the characters are all messed up even though the browser interprest the page as UTF (since I have placed a meta tag telling the browser that it is UTF8).
But since its all messed up, Im sort of questioning what the output from C# is. Its probably not UTF8, but something else. Somewhere I read that text in .NET is usually UTF-16?
Basically, I am assigning a label (that can do HTML) with a value taken from the backend. That needs to be in UTF8.
How do I do that in the best way?
.NET strings are natively encoded as UTF-16. The following will set the HTTP output to UTF-8:
Response.ContentEncoding = System.Text.Encoding.UTF8;
When outputting special characters in HTML, you should escape them anyways using Unicode escape sequences (for example é makes é).
Better resources:
http://msdn.microsoft.com/en-us/library/39d1w2xf.aspx
Response.ContentEncoding = Encoding.GetEncoding(xxx);