问题
I take user input into a text area, store it and eventually display it back to the user.
In my View (Razor) I want to do something like this...
@Message.Replace("\n", "</br>")
This doesn't work because Razor Html Encodes by default. This is great but I want my line breaks.
If I do this I get opened up to XSS problems.
@Html.Raw(Message.Replace("\n", "</br>"))
What's the right way to handle this situation?
回答1:
Use HttpUtility.HtmlEncode then do the replace.
@Html.Raw(HttpUtility.HtmlEncode(Message).Replace("\n", "<br/>"))
回答2:
If you find yourself using this more than once it may be helpful to wrap it in a custom HtmlHelper like this:
namespace Helpers
{
public static class ExtensionMethods
{
public static IHtmlString PreserveNewLines(this HtmlHelper htmlHelper, string message)
{
return message == null ? null : htmlHelper.Raw(htmlHelper.Encode(message).Replace("\n", "<br/>"));
}
}
}
You'll then be able to use your custom HtmlHelper like this:
@Html.PreserveNewLines(Message)
Keep in mind that you'll need to add a using to your Helpers namespace for the HtmlHelper to be available.
回答3:
You can encode your message, then display it raw. Something like:
@Html.Raw(Server.HtmlEncode(Message).Replace("\n", "<br/>"))
回答4:
For those who use AntiXssEncoder.HtmlEncode
As AntiXssEncoder.HtmlEncode encode the /r/n character to so the statement should be
_mDraftMsgModel.wnItem.Description = AntiXssEncoder.HtmlEncode(draftModel.txtMsgContent, false).Replace(" ", "<br/>");
回答5:
In my case, my string contained html that I wanted to encode but I also wanted the HTML line breaks to remain in place. The code below turns the HTML line breaks in to \n then encodes everything. It then turns all instances of \n back in to HTML line breaks:
@Html.Raw(HttpUtility.HtmlEncode(message.Replace("<br/>", "\n").Replace("<br />", "\n")).Replace("\n", "<br/>"))
来源:https://stackoverflow.com/questions/5560585/html-encode-but-preserve-line-breaks