0

I am using MVC, C# and SQL. I am trying to bring HTML code from my database (for example, code for tables) and show it in my view. This is my viewmodel:

viewmodel:

public string Color { get; set; }
public string body { get; set; }
public string style { get; set; }

This is my code from my controller:

 entity db = new myentity();
var html = new htmlviewmodel();
html.body=db.getbody(); //gets html code for my view, for example, a table
html.style=db.getstyle(); //gets a css style for instance, mystyle

And this would be my view:

this is your table:
@Model.body
<div style=@Model.style> bla bla </div>

Can anyone help me to know how to store HTML in my database, and how to use the HTML in my view?

Paulie_D
Ebaneo Vk
  • What's the problem? You're looking for `Html.Raw()`. And you almost definitely have XSS holes. – SLaks Jun 22 '16 at 15:53
  • @SLaks curious why almost definitely XSS simply because HTML is being pulled from a database? Ebaneo store the html as VARCHAR(MAX) or NVARCHAR(MAX) depending on if you will have unicode characters. http://stackoverflow.com/questions/5772897/storing-html-in-sql-server – Matt Jun 22 '16 at 15:59
  • Do you have to store it in the database? If not, you are aware this is going to cause you a whole host of problems if you need to tweak the HTML slightly. – Jay Jun 22 '16 at 16:02
  • @Matt: No; because the HTML is probably not trusted. – SLaks Jun 22 '16 at 16:19
  • @SLaks probably not trusted because it is being stored in a database and the source is currently unknown. So outside world/user form very vulnerable to XSS but inside version control or something should not be as susceptible... My guess is you probably have a point; it just seemed like a pretty big assumption from the little bit of detail in his question, so I was curious if I was missing something. – Matt Jun 22 '16 at 16:25
  • This is handled server side, so it won't cause a XSS issue as the client will not know where the raw HTML came from, be it a view, database or other. – Jay Jun 22 '16 at 16:26
  • @Jay1b I had the same thought but what is the source of the HTML? If a user form or WYSIWYG then you never know. – Matt Jun 22 '16 at 16:27
  • @Jay1b: That doesn't matter; XSS is just about HTML under an attacker's control. – SLaks Jun 22 '16 at 16:28
  • thanks for taking your time, this html is generated by me, and is stored in a varchar(max) datatype. @slaks what kind of holes? I do not know about xss – Ebaneo Vk Jun 22 '16 at 16:47
  • https://en.wikipedia.org/wiki/Cross-site_scripting – SLaks Jun 22 '16 at 17:30
  • thanks! well... once I use nvarchar(max), how am I supposed to proceed? I mean, in my view what should I use? @Html.Raw? Can anyone give me an example? thanks – Ebaneo Vk Jun 23 '16 at 17:33

1 Answer

-1

Are you getting the to display? Can you see the in the served page (inspect the HTML)?

EDITED: Storing HTML in SQL Server for information on how to store HTML in SQL Servers

Community
Alex
  • sorry, perhaps I did not explain well, I wanted to know in what format should I store html, and how to call it and display in my view – Ebaneo Vk Jun 22 '16 at 17:33
  • Okay well then Matt answered your question then. if you go to that link, it tells you to use VARCHAR(MAX) or NVARCHAR(MAX). – Alex Jun 22 '16 at 19:33
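
The rendering behaviour discussed in the comments on the question, as an added example that is not part of the original thread: Razor encodes a plain model expression, `Html.Raw()` does not, and the question's unquoted `style` attribute stays injectable even when its value is encoded. `StoredHtmlDemo` and its helpers are hypothetical names, the sample strings are constructed, and `WebUtility.HtmlEncode` is an assumption standing in for Razor's automatic encoding.

```csharp
using System;
using System.Linq;
using System.Net;
using System.Text.RegularExpressions;

static class StoredHtmlDemo   // hypothetical name, not from the question
{
    // Assumption: WebUtility.HtmlEncode stands in for the encoding Razor
    // applies to a plain model expression; Html.Raw() skips this step.
    static string Encoded(string value) => WebUtility.HtmlEncode(value);

    // The question's pattern: value is encoded but the attribute is unquoted,
    // so the browser ends the style value at the first space.
    static string UnquotedDiv(string style) =>
        "<div style=" + Encoded(style) + "> bla bla </div>";

    // One "property: value" declaration; no quotes, parentheses, '=' or '<'.
    static readonly Regex Declaration =
        new Regex(@"\A\s*[a-z-]+\s*:\s*[#a-zA-Z0-9.% -]+\z");

    static bool IsAllowedStyle(string style) =>
        style.Split(new[] { ';' }, StringSplitOptions.RemoveEmptyEntries)
             .All(d => Declaration.IsMatch(d));

    // Hardened: allow-list check, then a quoted and encoded attribute value.
    static string QuotedDiv(string style) =>
        "<div style=\"" + Encoded(IsAllowedStyle(style) ? style : "")
        + "\"> bla bla </div>";

    static void Main()
    {
        // Constructed values standing in for db.getbody() / db.getstyle().
        string body = "<table><tr><td>cell</td></tr></table>";
        string goodStyle = "color: red; width: 50%";
        string badStyle = "color:red onmouseover=alert(1)";

        Console.WriteLine(Encoded(body));          // plain model expression
        Console.WriteLine(body);                   // Html.Raw(Model.body)
        Console.WriteLine(UnquotedDiv(badStyle));  // second attribute appears
        Console.WriteLine(QuotedDiv(badStyle));    // rejected, empty style
        Console.WriteLine(QuotedDiv(goodStyle));   // accepted, quoted
    }
}
```

`Html.Raw()` performs no filtering, so the raw line is acceptable only while the stored markup stays under the developer's control, which is the condition the comments on the question argue about.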