22

This seems so simple it's embarrassing. However, the first question is when passing a value from the new ViewBag in MVC 3.0 (Razor) into a JavaScript block, is this the correct way to do it? And more importantly, where and how do you apply the proper string replacement code to prevent a single quote from becoming &#39 as in the resultant alert below?

Adding this into a single script block:

alert('@ViewBag.str')   // "Hi, how's it going?"

Results in the following alert:

enter image description here

tereško
  • 58,060
  • 25
  • 98
  • 150
user646306
  • 503
  • 1
  • 5
  • 16

2 Answers2

40

Razor will HTML encode everything, so to prevent the ' from being encoded to ', you can use

alert('@Html.Raw(ViewBag.str)');

However, now you've got an actual ' in the middle of your string which causes a javascript error. To get around this, you can either wrap the alert string in double quotes (instead of single quotes), or escape the ' character. So, in your controller you would have

ViewBag.str = "Hi, how\\'s it going?";
ataddeini
  • 4,931
  • 26
  • 34
  • If you'd rather not have to re-escape strings, try `@Html.Raw(String.Format("var str = \"{0}"\", ViewBag.str)` followed by `alert(str);` – defines Jul 09 '13 at 19:30
  • 1
    Isn't this a huge risk for script injection? – Bon Aug 16 '14 at 21:06
0

Another solution to use JSON string:

C#

ViewBag.str = "[{\"Text\":\"Hi, how's it going?\"}]";

Javascript

var j = @Html.Raw(ViewBag.str);
alert (j[0].Text);
yW0K5o
  • 913
  • 1
  • 17
  • 32