Is there a risk in using @Html.Raw?

Question

Is there a risk in using @Html.Raw? It seems to me there shouldn't be. If there is a risk then wouldn't that risk already exist regardless of using @Html.Raw in that modern browsers such as Chrome will allow an edit injection of <script>malicious()</script> or even to change a form's post action to something else.

score 6 · Accepted Answer · answered Jun 21 '12 at 19:01

6

@Html.Raw will allow executing any script that is on the value to display. If you want to prevent that you need to use @Html.AttributeEncode

answered Jun 21 '12 at 19:01

pollirrata

5,188
2
32
50

score 4 · Answer 2 · answered Jun 21 '12 at 19:00

4

Correct, the risk is in how it is used. There's no risk inherent in Html.Raw. It's a tool, nothing more.

answered Jun 21 '12 at 19:00

neontapir

4,698
3
37
52

15

And the same can be said about mustard. Or mustard gas. – Jun 21 '12 at 19:02

score 4 · Answer 3 · 2012-06-21T23:13:55.007

4

If you are displaying user entered information it is better to use @Html.Encode().

In another words, if you are displaying non-user eneterd data you are safe to go with @Html.Raw()

edited Jun 21 '12 at 23:13

answered Jun 21 '12 at 23:01

2

This is a good point, and I completely agree :) But my usage is intended to output an input box from an html helper so I think I will be safe. – Travis J Jun 21 '12 at 23:03

Is there a risk in using @Html.Raw?

3 Answers3

Linked