
I hear that using HTML.Raw in Razor views is not recommended, and if so I have a problem.

I am using Entity Framework for interacting with my SQL DB. Also I am using SummerNote as an editor for the front end.

Now my view code is in @{ } block, which I believe does some encoding/decoding.

The scenario is that the user inputs some text in the SummerNote editor, applies some formatting (e.g. making a word bold) and clicks save. This generates an HTML string and passes it to my controller:

<p>Test <b>string </b>with formatting.</p>

In the controller, I use HTML encode to encode:

customerData.Description = HttpUtility.HtmlEncode(summerNoteFieldData);

And then send it to DB. It looks like the following in DB:

&lt;p&gt;Test &lt;b&gt;string &lt;/b&gt;with formatting.&lt;/p&gt;

Then in the view when presenting it, I do:

<div class="summernote">@Html.Raw(@HttpUtility.HtmlDecode(@Model))</div>

So if I remove the Html.Raw, then I will see the above HTML string rather than the formatted one.

Is this the safe and right way to go about this? Can it be improved?

Thank you for any help.

  • There is no real point in using `HtmlEncode` and `HtmlDecode` in that case. –  Jul 03 '18 at 23:40
  • @StephenMuecke, thanks for the reply. I think so too and I removed them. Now if I just print using `@Model`, then it will print the HTML. In order to print the formatted string I have to wrap it in `@Html.Raw`. I don't know how to overcome this problem. –  Jul 04 '18 at 00:40
  • But what is your problem? Using `@Html.Raw()` is correct for this. –  Jul 04 '18 at 00:49
  • Oh, is it? That is what I am trying to figure out. So using Html.Raw is not going to pose any security threats? –  Jul 04 '18 at 00:51
  • Well it will if the user has entered malicious tags (e.g. ` –  Jul 04 '18 at 00:53
  • Refer to [Store and display HTML string while avoiding JS, in ASP.Net Core 2](https://stackoverflow.com/questions/50503360/store-and-display-html-string-while-avoiding-js-in-asp-net-core-2/50508766#50508766) for an example –  Jul 04 '18 at 00:54
  • Thanks @StephenMuecke. I think that is the answer. I think I should be concerned about the –  Jul 04 '18 at 01:21

1 Answer

You should HTML encode as you print in your view (using @Model).

Do not encode or decode anywhere else; do not store encoded content in your database.

SLaks
  • Thank you for your reply. After removing the Html.Encode in the controller, the string in DB looks like: `<p>Test <b>string </b>with formatting.</p>` And I modified the view to just do encode: `@HttpUtility.HtmlEncode(@Model)` But then when I refresh the page, I see the following, which is not the formatted string: `<p>Test <b>string </b>with formatting.</p>` –  Jul 04 '18 at 00:07
  • `@...` automatically encodes. You should not call any encoding method. – SLaks Jul 04 '18 at 00:33
  • So to clarify, what should appear in DB? Should I see `<p>Test <b>string </b>with formatting.</p>`? –  Jul 04 '18 at 00:44
  • Yes @b3hdad - that is what you should store. – mjwills Jul 04 '18 at 00:52
  • Thanks, so in that direction I am doing the right thing. Now when presenting, if I don't do @Html.Raw, then I see the HTML instead of a formatted string. My only concern now is whether Html.Raw poses a security threat? –  Jul 04 '18 at 00:54
  • @b3hdad Not if you filter out all unacceptable tags before you store it. – ProgrammingLlama Jul 04 '18 at 01:02
  • I see, I am assuming its only really –  Jul 04 '18 at 01:19
  • @b3hdad: No; any tag can have dangerous attributes. You need a whitelist-based filter. For example, https://github.com/mganss/HtmlSanitizer – SLaks Jul 04 '18 at 16:10
  • @SLaks thank you so much. I just started using the sanitizer and will run some tests. Also, it looks like SummerNote (which is the editor I am trying to secure) has two modes: Code view and Text view. I have disabled the code view, and the text view seems to at least encode the script tags, which is good. Cheers. –  Jul 05 '18 at 12:09
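The approach the answer and comments converge on (store the editor's HTML unencoded, whitelist-sanitize it, render with `Html.Raw`), as an added example that is not code from the question, the answer or the HtmlSanitizer project. It assumes the HtmlSanitizer NuGet package linked above (namespace `Ganss.XSS` in the versions current in 2018); `CustomerData`/`Description` come from the question, while `EditorHtml`, `CustomerController`, `CustomerContext` and the `Save` action are hypothetical names.

```csharp
// Added example (not the question's or answer's code); assumes the HtmlSanitizer NuGet
// package (namespace Ganss.XSS in 2018-era versions); controller/context names are hypothetical.
using System.Web.Mvc;
using Ganss.XSS;

public static class EditorHtml
{
    private static readonly HtmlSanitizer Sanitizer = Build();

    private static HtmlSanitizer Build()
    {
        var s = new HtmlSanitizer();
        // Keep only the formatting the editor is expected to produce.
        s.AllowedTags.Clear();
        s.AllowedTags.UnionWith(new[] { "p", "br", "b", "strong", "i", "em", "u", "ul", "ol", "li", "a" });
        // No event handlers, no style attribute: only href on links.
        s.AllowedAttributes.Clear();
        s.AllowedAttributes.Add("href");
        s.AllowedCssProperties.Clear();          // inline CSS is dropped entirely
        // Only http(s) links survive; other URL schemes are removed from href.
        s.AllowedSchemes.Clear();
        s.AllowedSchemes.UnionWith(new[] { "http", "https" });
        return s;
    }

    // Constructed input "<p>Test <b onclick=\"alert(1)\">string </b>with formatting.</p><script>alert(1)</script>"
    // comes back as "<p>Test <b>string </b>with formatting.</p>": the script element goes
    // with its content, the disallowed attribute is stripped, the formatting stays.
    public static string Clean(string untrustedHtml) =>
        Sanitizer.Sanitize(untrustedHtml ?? string.Empty);
}

public class CustomerController : Controller
{
    private readonly CustomerContext db = new CustomerContext(); // hypothetical EF context

    [HttpPost]
    public ActionResult Save(string summerNoteFieldData)
    {
        // Sanitize once at input and store the clean HTML unencoded (no HtmlEncode, so no HtmlDecode later).
        var customerData = new CustomerData { Description = EditorHtml.Clean(summerNoteFieldData) };
        db.CustomerData.Add(customerData);
        db.SaveChanges();
        return RedirectToAction("Index");
    }
}

// View (Razor): the stored HTML is already clean, so Html.Raw is the right call here.
//   <div class="summernote">@Html.Raw(Model.Description)</div>
```

On ASP.NET MVC 5 the action also needs `[ValidateInput(false)]` (or `[AllowHtml]` on the bound property) for the HTML to get past request validation; ASP.NET Core has no request validation, so nothing extra is needed there.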