是否有使用@ Html.Raw风险？ [英] Is there a risk in using @Html.Raw?

问题描述

有没有使用风险 @ Html.Raw ？在我看来，不应该有。如果是有风险的话那不是风险已经存在，无论在现代浏览器，如Chrome浏览器使用 @ Html.Raw 将允许<$ C $的编辑注C>＆LT;脚本＆GT;恶意的（）＆LT; / SCRIPT＆GT; ，甚至改变一个表单的动作后到别的东西。

Is there a risk in using @Html.Raw? It seems to me there shouldn't be. If there is a risk then wouldn't that risk already exist regardless of using @Html.Raw in that modern browsers such as Chrome will allow an edit injection of <script>malicious()</script> or even to change a form's post action to something else.

推荐答案

@ Html.Raw 将允许执行任意脚本，它的价值来显示。如果你想为$，你需要为使用p $ pvent @ Html.AttributeEn code

@Html.Raw will allow executing any script that is on the value to display. If you want to prevent that you need to use @Html.AttributeEncode

这篇关于是否有使用@ Html.Raw风险？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！