I've just started using AntiXSS (4.3.0), mostly to use @Encoder.JavaScriptEncode as described here.

I installed AntiXSS from NuGet, then added encoderType="Microsoft.Security.Application.AntiXssEncoder, AntiXssLibrary" to <httpRuntime> in my Web.config.

In my view, I have the following line (within <script> tags):

var userId = @Encoder.JavaScriptEncode(User.Identity.GetUserId());

Which I would expect to output

var userId = 'user-id';

but instead outputs:

var userId = &#39;user-id&#39;;

I assume this is happening because Razor is trying to sanitize the HTML, and thus encoding the single quotes as &#39;.

The solution then would be to just wrap it in Html.Raw(), but in the post I was following he never does that (instead wrapping the whole thing in single quotes within the JavaScript).

My question is - are you supposed to need to call @Html.Raw(Encoder.JavaScriptEncode(data)), or is there something wrong with my setup?

Thanks!
asked Jul 20, 2014 at 23:57 by MatthewSot

1 Answer
Your assumption about Razor encoding is correct. I'd also say the post you were following is also correct (I may be wrong, I haven't read the entire post though).

Instead of

var userId = @Encoder.JavaScriptEncode(User.Identity.GetUserId());

try

var userId = '@Encoder.JavaScriptEncode(User.Identity.GetUserId(), emitQuotes: false)';
// optionally surround with '' if your userId needs to be a string

or just

var userId = @Encoder.JavaScriptEncode(User.Identity.GetUserId(), emitQuotes: false);
// Visual Studio gives you a red squiggly syntax error after the semicolon though.
// From your example, if it is a number, then no quotes are required

or go ahead with Html.Raw() like

var userId = @Html.Raw(Encoder.JavaScriptEncode(User.Identity.GetUserId()));

Opinionated: I prefer emitQuotes: false because that option is there, and because it eliminates the need for another function call Html.Raw(). The default for emitQuotes is true. Are you missing the emitQuotes parameter or is that intentional?
Source: c# - AntiXSS JavaScriptEncode gets HTML encoded? - Stack Overflow (mirrored at http://www.betaflare.com/web/1745500895a2661025.html)