我怎样才能显示viewbag为html? [英] How can I show a viewbag as html?
问题描述
确定,很新的ASP.Net MVC的,所以我很抱歉,如果这是一个愚蠢的问题,但我怎么去呈现出ViewBag为HTML的值。例如,如果ViewBag.SomeMessage包含以下文本:
OK, quite new to ASP.Net MVC, so I'm sorry if this is a silly question, but how do I go about showing the values of a ViewBag as HTML. For Example, if ViewBag.SomeMessage contains the following text:
<$c$c><h3>Test</h3><p>Test</p><p>Test</p><p>Test</p><p>Test</p><p>TEST</p>$c$c>
我将如何去真正具有页面呈现,作为普通的HTML?还是有实现这一点,我完全缺少的一个更简单的方法?
How would I go about actually having the page render that as normal HTML? Or is there a much easier way of achieving this that I'm totally missing?
干杯!
推荐答案
每个人都在使用正确的 @ Html.Raw()
,但我想指出来要小心,因为它可以使您的网站容易受到XSS漏洞。
Everyone is correct in the use of @Html.Raw()
but I want to point out to be careful with this, as it can make your site susceptible to XSS vulnerabilities.
我会结合 @ Html.Raw(ViewBag.SomeMessage)
与微软的反XSS库,以确保你不会从这种引入任何漏洞。
I would combine the @Html.Raw(ViewBag.SomeMessage)
with Microsoft's Anti-XSS Library to make sure you do not introduce any vulnerabilities from this.
编辑:
反XSS库的好处(如果你还没有看过它)是它已经批准加价的白名单(如&LT; B&GT;
,&LT; H3方式&gt;
等),以便只批准加价将取消恩codeD
The advantage of the Anti-XSS library (if you haven't looked at it) is it has a whitelist of approved markups (such as <b>
, <h3>
, etc..) so that only approved markups will be un-encoded.
EDIT2:
<一href=\"http://blogs.msdn.com/b/securitytools/archive/2009/09/01/html-sanitization-in-anti-xss-library.aspx\">Here's这是如何实现的一个例子。
这篇关于我怎样才能显示viewbag为html?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!