45

I take user input into a text area, store it and eventually display it back to the user.

In my View (Razor) I want to do something like this...

@Message.Replace("\n", "</br>")

This doesn't work because Razor Html Encodes by default. This is great but I want my line breaks.

If I do this I get opened up to XSS problems.

@Html.Raw(Message.Replace("\n", "</br>"))

What's the right way to handle this situation?

BZink

5 Answers

58

Use HttpUtility.HtmlEncode then do the replace.

@Html.Raw(HttpUtility.HtmlEncode(Message).Replace("\n", "<br/>"))
Dominic Zukiewicz
Richard Schneider
  • Awesome! been looking for this. – Grenville Dec 30 '15 at 16:45
  • 3
    For asp.net core I had to look for the escaped chars when doing the replace so below looks for both carriage return and line feed together `@Html.Raw(Html.Encode(output).Replace(" ", "
    "))`
    – Jeff Jul 18 '17 at 06:51
  • This didn't work for me. I used this: @Html.Raw("Customer Name\nAddress".Replace("\n", "
    "))
    – Yawahang Rai Dec 10 '21 at 08:43
13

If you find yourself using this more than once it may be helpful to wrap it in a custom HtmlHelper like this:

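using System.Web;      // IHtmlString
using System.Web.Mvc;  // HtmlHelper

namespace Helpers
{
    public static class ExtensionMethods
    {
        // Encodes the message first, then turns newlines into <br/>, so the only raw markup emitted is the <br/> tag.
        public static IHtmlString PreserveNewLines(this HtmlHelper htmlHelper, string message)
        {
            return message == null ? null : htmlHelper.Raw(htmlHelper.Encode(message).Replace("\n", "<br/>"));
        }
    }
}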

You'll then be able to use your custom HtmlHelper like this:

@Html.PreserveNewLines(Message)

Keep in mind that you'll need to add a using to your Helpers namespace for the HtmlHelper to be available.

Tony Borres
  • 1
    Thanks for this, I love HtmlHelpers and extension methods; makes for some fairly clean usage. Regarding namespaces, I tend to put my helpers in the System.Web.Mvc namespace. This saves me the trouble of constantly adding using statements by making it 'always available' throughout my app, and makes it easier to copy my helper code from project to project since I don't have to change the namespace. – Ben Brandt Jun 11 '13 at 14:30
9

You can encode your message, then display it raw. Something like:

@Html.Raw(Server.HtmlEncode(Message).Replace("\n", "<br/>"))
Erik Funkenbusch
2

For those who use AntiXssEncoder.HtmlEncode

As AntiXssEncoder.HtmlEncode encodes the \r\n characters to &#13;&#10;, the statement should be

_mDraftMsgModel.wnItem.Description = AntiXssEncoder.HtmlEncode(draftModel.txtMsgContent, false).Replace("&#13;&#10;", "<br/>");
CodeSi
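
An encoder-independent variant of the encode-then-replace approach in the answers above, added here as an example and not part of any answer. It goes a step beyond them by splitting on line endings before encoding, so it does not matter whether the encoder leaves \r\n untouched or turns it into entities (the cases raised in the comments and in the AntiXssEncoder answer). `LineBreakDemo`, `EncodeWithBreaks`, `UnsafeReplaceOnly` and the sample string are constructed for illustration, and `System.Net.WebUtility.HtmlEncode` stands in for whichever encoder the project uses.

```csharp
using System;
using System.Linq;
using System.Net;

public static class LineBreakDemo
{
    // Hypothetical helper: split on any line ending FIRST, encode each line,
    // then join with <br/>. The only markup that reaches the page is the
    // literal <br/> inserted here; everything from the user is encoded.
    // In a Razor view: @Html.Raw(LineBreakDemo.EncodeWithBreaks(Message))
    public static string EncodeWithBreaks(string message)
    {
        if (message == null) return string.Empty;

        // "\r\n" is listed first so a Windows line ending yields one break, not two.
        string[] lines = message.Split(new[] { "\r\n", "\r", "\n" }, StringSplitOptions.None);

        return string.Join("<br/>", lines.Select(line => WebUtility.HtmlEncode(line)));
    }

    // The pattern from the question, kept only for comparison: the replace
    // happens on unencoded input, so user-supplied tags survive into the output.
    public static string UnsafeReplaceOnly(string message)
    {
        return message.Replace("\n", "<br/>");
    }

    public static void Main()
    {
        // Constructed sample input: mixed line endings plus markup characters.
        string message = "Hi <b>there</b>\r\nTom & \"Jerry\"\n<script>alert(1)</script>";

        Console.WriteLine("Replace only (unsafe with Html.Raw):");
        Console.WriteLine(UnsafeReplaceOnly(message));

        Console.WriteLine("Split, encode, join (safe with Html.Raw):");
        Console.WriteLine(EncodeWithBreaks(message));
    }
}
```

Run as a console program, the first output still contains the user's tags verbatim, while the second contains only entity-encoded text separated by `<br/>`.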
0

In my case, my string contained html that I wanted to encode but I also wanted the HTML line breaks to remain in place. The code below turns the HTML line breaks into \n then encodes everything. It then turns all instances of \n back into HTML line breaks:

@Html.Raw(HttpUtility.HtmlEncode(message.Replace("<br/>", "\n").Replace("<br />", "\n")).Replace("\n", "<br/>"))
Dave Lucre