In ASP.Net/Core MVC, the auto-HTML escaping happens when you echo a string variable inside a Razor view. For example:

<div>@("<b>Hello</b>")</div>

is output as

<div>&lt;b&gt;Hello&lt;/b&gt;</div>

How can I disable this feature by default in ASP.Net/Core MVC, without having to use a helper everywhere like Html.Raw(), WriteLiteral(), new HtmlString(), et cetera?

I understand the reasoning behind this functionality but I am experimenting with alternate escape methods.

  • There's a reason it exists, you can't turn it off. Commented Apr 16, 2019 at 23:12
  • If you don't want what Razor does, you might want to not use Razor. Commented Apr 16, 2019 at 23:17
  • I think you can do it by replacing the service System.Text.Encodings.Web.HtmlEncoder in the services collection with a fake one. It is injected here. But it can have some side effects, as it can be used elsewhere in the aspnet framework. Commented Apr 16, 2019 at 23:40
  • What is wrong with helper methods? Commented Apr 18, 2019 at 6:15
  • @ibubi because if you enable HTML escaping for all data coming from your database, it negates the need for Razor to escape it everywhere. Now you have to remember to use the helper method at every single place you echo a variable, or else Razor will double-escape it. Commented Apr 18, 2019 at 15:18

1 Answer

You cannot disable it.

ASP.Net/Core MVC is designed to prevent injection (web application security); the @ is used frequently, so it needs to prevent HTML or JavaScript injection.
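
The double-escaping discussed in the comments, and one way to avoid it without calling a helper in every view, as an added example (not code from the question or the answer). Razor writes values that implement IHtmlContent as-is and encodes everything else; `EncodedText`, `Demo` and `Render` are hypothetical names, `Render` is a simplified stand-in for what Razor does with `@value`, and the project is assumed to reference the ASP.NET Core shared framework.

```csharp
using System;
using System.IO;
using System.Text.Encodings.Web;
using Microsoft.AspNetCore.Html;

// Hypothetical wrapper type (not part of ASP.NET Core): holds text that was
// HTML-encoded exactly once, at construction.
public sealed class EncodedText : IHtmlContent
{
    private readonly string _encoded;

    private EncodedText(string encoded) => _encoded = encoded;

    // Encode untrusted text once, e.g. when mapping a database row to a view model.
    // There is deliberately no way to construct this type from unencoded markup.
    public static EncodedText FromRaw(string raw) =>
        new EncodedText(HtmlEncoder.Default.Encode(raw ?? string.Empty));

    // Razor calls WriteTo for IHtmlContent values instead of encoding them again.
    public void WriteTo(TextWriter writer, HtmlEncoder encoder) => writer.Write(_encoded);

    public override string ToString() => _encoded;
}

public static class Demo
{
    // Simplified model of Razor's handling of @value (an assumption for this demo):
    // IHtmlContent is written as-is, any other value is HTML-encoded.
    public static string Render(object value)
    {
        using var writer = new StringWriter();
        if (value is IHtmlContent html) html.WriteTo(writer, HtmlEncoder.Default);
        else writer.Write(HtmlEncoder.Default.Encode(value?.ToString() ?? string.Empty));
        return writer.ToString();
    }

    public static void Main()
    {
        const string raw = "<b>Hello</b>";                       // constructed sample input
        string storedEncoded = HtmlEncoder.Default.Encode(raw);  // "escaped in the database"

        Console.WriteLine(Render(raw));                       // plain string: encoded once
        Console.WriteLine(Render(storedEncoded));             // pre-encoded string: double-escaped
        Console.WriteLine(Render(EncodedText.FromRaw(raw)));  // wrapper: encoded once, no helper in the view
    }
}
```

A value encoded this way is only safe in HTML element content; the same stored string placed in a JavaScript or URL context still needs that context's encoder.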
