Writing/outputting HTML strings unescaped

Question

I've got safe/sanitized HTML saved in a DB table.

How can I have this HTML content written out in a Razor view?

It always escapes characters like < and ampersands to &.

To save people the long history of discussion below - `@Html.Raw()` — Chris S, Jun 06 '13 at 23:19
To save people like me trying to do this with with anonymous types in dynamically typed views, where this won't work - see [this answer](http://stackoverflow.com/a/31306368/957950) to my more-specific question. Although using this approach with a strongly-typed view is still better if your situation allows. — brichins, Jul 09 '15 at 01:00

score 687 · Answer 1 · edited Apr 27 '15 at 04:04

687

Supposing your content is inside a string named mystring...

You can use:

@Html.Raw(mystring)

Alternatively you can convert your string to HtmlString or any other type that implements IHtmlString in model or directly inline and use regular @:

@{ var myHtmlString = new HtmlString(mystring);}
@myHtmlString

edited Apr 27 '15 at 04:04

Alexei Levenkov

98,904
14
127
179

answered Nov 26 '10 at 02:04

Lorenzo

29,081
49
125
222

Thanks for this answer. Helped me finish a little task I was learning. :) However I'm using the latest version of MVC3 and so far no Html.Raw :( – Dec 14 '10 at 13:19
1

Hi Sergio. I'm using MVC 3 and i'm using the Raw method properly. – Gui Jan 29 '11 at 02:10
1

Thank you for the answer! I'm still learning MVC 3 and this was eluding me. – Todd Richardson Apr 20 '11 at 04:25
3

@Lorenzo, +1 I'm using the latest MVC 3 with `razor` syntax and `Html.Raw` is definitely available to me. – Chris Snowden Aug 10 '11 at 12:44
Is there anything like `@Html.RawFor(m => m.HtmlField)`? – Shimmy Weitzhandler Dec 04 '12 at 01:09
1

Lorenzo, I've updated answer to remove mentioning of MVC Beta as it was some years ago. Feel free to revert/change. – Alexei Levenkov Apr 27 '15 at 04:06
Say I was to define a global variable in razor, and then use @html.Raw( on this variable because I want to define some markup in it and render on view. Is there a way someone can set a value to a Razor variable from the url? I just want to make sure this isn't vulnerable to XSS through URL injection.. Thanks! – eaglei22 Dec 14 '15 at 19:33
`@{ var myHtmlString = new HtmlString(mystring);} @myHtmlString` Worked – ramya Dec 04 '19 at 16:54
Please note for Core Razor pages, `HtmlString` requires `@using Microsoft.AspNetCore.Html` – EvilDr Oct 31 '22 at 19:26

score 76 · Answer 2 · answered May 12 '14 at 08:51

76

You can use

@{ WriteLiteral("html string"); }

answered May 12 '14 at 08:51

Andrus

26,339
60
204
378

5

This was awesome for me, was using Razor within a Hangfire app to send emails... `Html.Raw()` doesn't work there – shanabus Jan 29 '15 at 03:18
1 for WriteLiteral – Muhammed Basil Nov 17 '17 at 09:43

score 76 · Answer 3 · answered Feb 22 '11 at 22:50

76

In ASP.NET MVC 3 You should do something like this:

// Say you have a bit of HTML like this in your controller:
ViewBag.Stuff = "<li>Menu</li>"
//  Then you can do this in your view:
@MvcHtmlString.Create(ViewBag.Stuff)

answered Feb 22 '11 at 22:50

Tom Chantler

14,753
4
48
53

15

I prefer this method because HTML.Raw blows up if the passed string is null. – 37Stars Sep 13 '11 at 17:32
1

Thanks, this is very clean! – Hajjat Oct 12 '15 at 16:30

score 11 · Answer 4 · answered Oct 13 '14 at 20:31

Sometimes it can be tricky to use raw html. Mostly because of XSS vulnerability. If that is a concern, but you still want to use raw html, you can encode the scary parts.

@Html.Raw("(<b>" + Html.Encode("<script>console.log('insert')</script>" + "Hello") + "</b>)")

Results in

(<b>&lt;script&gt;console.log('insert')&lt;/script&gt;Hello</b>)

score 5 · Answer 5 · answered May 12 '14 at 13:12

5

You can put your string into viewdata in controller like this :

 ViewData["string"] = DBstring;

And then call that viewdata in view like this :

@Html.Raw(ViewData["string"].ToString())

answered May 12 '14 at 13:12

Ajay

317
2
12
25

score 2 · Answer 6 · edited Aug 16 '13 at 07:57

2

Apart from using @MvcHtmlString.Create(ViewBag.Stuff) as suggested by Dommer, I suggest you to also use AntiXSS library as suggested phill http://haacked.com/archive/2010/04/06/using-antixss-as-the-default-encoder-for-asp-net.aspx

It encodes almost all the possible XSS attack string.

edited Aug 16 '13 at 07:57

Imad Alazani

6,688
7
36
58

answered Mar 29 '12 at 12:28

ZeNo

1,648
2
15
28

score 0 · Answer 7 · answered Feb 11 '20 at 13:28

Complete example for using template functions in RazorEngine (for email generation, for example):

@model SomeModel
@{
    Func<PropertyChangeInfo, object> PropInfo =
        @<tr class="property">
            <td>
                @item.PropertyName                
            </td>
            <td class="value">
                <small class="old">@item.OldValue</small>
                <small class="new">@item.CurrentValue</small>                
            </td>
        </tr>;
}

<body>

@{ WriteLiteral(PropInfo(new PropertyChangeInfo("p1", @Model.Id, 2)).ToString()); }

</body>

Writing/outputting HTML strings unescaped

7 Answers7

Linked

Related