How do I properly encode JavaScript in the following context:
<html>
...
<script type="text/javascript">
var settings = @Html.PleaseEncode(settings.ToJson());
// ...
</script>
</html>
The values in my JSON objects are set by the application administrator, so I assume they need to be properly encoded -- both for HTML and JavaScript.
I'm using System.Web.Script.Serialization.JavaScriptSerializer to do the JSON encoding.
It looks like JavaScriptSerializer does some encoding as it outputs the text <None> as \u003cNone\u003c, but I'm not sure how safe it is. Right now, I'm using @Html.Raw as it works given safe input. It generates the following:
var settings = {"UnselectedReason":"None Selected", /*...*/};
If I use @Html.Encode I then get:
var settings = {&quot;UnselectedReason&quot;:&quot;None Selected&quot;, /*...*/};
I've tried with and without AntiXSS but I see no difference either way.
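Added example for the context in the question (this is not code from the question or from any of the answers): a helper that serializes with the same JavaScriptSerializer, then rewrites the few characters that matter inside a script element, plus a check that can run before the value is emitted. It assumes an MVC 3 project that references System.Web.Extensions; the class name ScriptJson, the method names and the Dictionary sample values are made up for the demonstration.

```csharp
using System;
using System.Collections.Generic;
using System.Text;
using System.Web;
using System.Web.Script.Serialization;

// Added example (not the question's or an answer's code). Assumes
// System.Web.Extensions is referenced, as it is in an MVC 3 project.
public static class ScriptJson
{
    // Serialize, then make the JSON text safe to place directly after
    // "var settings = " inside a <script> element. Returning an IHtmlString
    // tells Razor not to HTML-encode it again.
    public static IHtmlString ToScriptSafeJson(object value)
    {
        string json = new JavaScriptSerializer().Serialize(value);
        return new HtmlString(EscapeForScriptBlock(json));
    }

    // Input is assumed to be valid JSON from a serializer, so < > & can only
    // occur inside string values, where a \uXXXX escape denotes the same
    // character. U+2028 and U+2029 are legal raw inside a JSON string but end
    // a JavaScript line, so they are escaped too. The pass is idempotent:
    // text that already contains \u003c is left alone.
    public static string EscapeForScriptBlock(string json)
    {
        var sb = new StringBuilder(json.Length + 16);
        foreach (char c in json)
        {
            switch (c)
            {
                case '<': sb.Append("\\u003c"); break;
                case '>': sb.Append("\\u003e"); break;
                case '&': sb.Append("\\u0026"); break;
                case '\u2028': sb.Append("\\u2028"); break;
                case '\u2029': sb.Append("\\u2029"); break;
                default: sb.Append(c); break;
            }
        }
        return sb.ToString();
    }

    // Check to run on the text that will be written into the script element:
    // nothing that can close the element or open an HTML comment may survive.
    public static bool IsSafeForScriptBlock(string scriptText)
    {
        return scriptText.IndexOf("</", StringComparison.Ordinal) < 0
            && scriptText.IndexOf("<!--", StringComparison.Ordinal) < 0
            && scriptText.IndexOf('\u2028') < 0
            && scriptText.IndexOf('\u2029') < 0;
    }

    public static void Main()
    {
        // Constructed sample: values an administrator could have typed in.
        var settings = new Dictionary<string, string>
        {
            { "UnselectedReason", "None Selected" },
            { "Label", "<None> & other" },
        };
        string script = "var settings = " + ToScriptSafeJson(settings).ToHtmlString() + ";";
        if (!IsSafeForScriptBlock(script))
            throw new InvalidOperationException("script text still contains a breakout sequence");
        Console.WriteLine(script);
    }
}
```

In the Razor view this is `var settings = @ScriptJson.ToScriptSafeJson(Model.Settings);`. The browser treats the body of a script element as raw text and never decodes HTML entities there, which is why `@Html.Encode` leaves a literal `&quot;` in the second listing above and the object literal stops being valid JavaScript. The escape that works in this context is the JavaScript/JSON `\u` escape: the parsed value is unchanged, but the raw page text can no longer contain `</script` or `<!--`.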
Asked Nov 28, 2011 at 18:38 by Kaleb Pederson; edited Nov 28, 2011 at 21:09 by Charles.
5 Answers
AntiXSS has JavaScriptEncode, but it's designed for individual items, rather than taking a whole set of, err, settings.
So if you passed in {"UnselectedReason":"None Selected", /*...*/} it'd eat the quotes and other things, which is probably not what you want. Instead what I'd do is in your ToJson I'd build the settings up with a string builder, something like
using System.Collections.Generic;
using System.Text;
using System.Web;

// Builds the object literal one entry at a time. JavaScriptEncode with
// emitQuotes = true wraps each encoded key and value in single quotes itself,
// so no extra quote characters are appended around them.
public static HtmlString ToJson(IDictionary<string, string> mySettings)
{
    StringBuilder sb = new StringBuilder();
    sb.Append("{");
    foreach (KeyValuePair<string, string> kv in mySettings)
    {
        sb.Append(Microsoft.Security.Application.Encoder.JavaScriptEncode(kv.Key, true));
        sb.Append(":");
        sb.Append(Microsoft.Security.Application.Encoder.JavaScriptEncode(kv.Value, true));
        sb.Append(",");
    }
    string outputString = sb.ToString().TrimEnd(',') + "}";
    return new HtmlString(outputString);
}
Note: Code is off the top of my head and hasn't even been typed into VS. It illustrates the principle and may well not compile!
If you are wanting to use the JS, why are you trying to encode it? If you have JSON, it should already be encoded. Since it's JS, you shouldn't require HTML encoding on it either.
I don't believe you need to encode here, unless you can provide a case why and I'm just missing something?
With any valid JavaScript you could run the risk of injection, but since you know this is coming from some valid source (i.e. the model) that is getting encoded, the path is relatively safe to get the JSON.
It should be safe for direct output...
<script>//<![CDATA[<!--
var settings = @Html.Raw(settings.ToJson());
//-->]]></script>
Though if you are really concerned... this assumes a modern browser or json2.js is included.
<script>
// Server.UrlEncode writes spaces as '+', so restore them before decoding;
// JSON.parse itself does not URL-decode, hence the decodeURIComponent.
var settings = JSON.parse(decodeURIComponent("@Html.Raw(Server.UrlEncode(settings.ToJson()))".replace(/\+/g, " ")));
</script>
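The same JSON.parse pattern as in the answer above, as an added example that is not the answer's own code: the JSON text is emitted as a JavaScript string literal with JavaScript string escaping, so nothing on the client has to URL-decode it. It assumes System.Web.Extensions is referenced; the class name ScriptJsonLiteral, the method names and the sample Dictionary are made up for the demonstration.

```csharp
using System;
using System.Collections.Generic;
using System.Text;
using System.Web;
using System.Web.Script.Serialization;

// Added example, not code from the answer. Assumes System.Web.Extensions is
// referenced; names are made up for the demonstration.
public static class ScriptJsonLiteral
{
    // Returns the expression  JSON.parse("...")  for a Razor view:
    //   var settings = @ScriptJsonLiteral.ToJsonParseExpression(Model.Settings);
    public static IHtmlString ToJsonParseExpression(object value)
    {
        string json = new JavaScriptSerializer().Serialize(value);
        return new HtmlString("JSON.parse(" + ToJsStringLiteral(json) + ")");
    }

    // JavaScript string-literal encoding of arbitrary text. Backslash and the
    // double quote are escaped so the JSON's own quoting and \u sequences
    // survive the round trip; control characters, < > & and the U+2028/U+2029
    // line separators become \uXXXX so the raw script text can never contain
    // </script, <!-- or a line break inside the literal.
    public static string ToJsStringLiteral(string s)
    {
        var sb = new StringBuilder(s.Length + 2);
        sb.Append('"');
        foreach (char c in s)
        {
            switch (c)
            {
                case '\\': sb.Append("\\\\"); break;
                case '"': sb.Append("\\\""); break;
                default:
                    if (c < ' ' || c == '<' || c == '>' || c == '&' || c == '\u2028' || c == '\u2029')
                        sb.Append("\\u").Append(((int)c).ToString("x4"));
                    else
                        sb.Append(c);
                    break;
            }
        }
        sb.Append('"');
        return sb.ToString();
    }

    public static void Main()
    {
        // Constructed sample values; the second contains the characters that
        // matter inside a script element and inside a string literal.
        var settings = new Dictionary<string, string>
        {
            { "UnselectedReason", "None Selected" },
            { "Label", "<None> & \"quoted\"" },
        };
        Console.WriteLine("var settings = " + ToJsonParseExpression(settings).ToHtmlString() + ";");
    }
}
```

Because the outer JavaScript literal and the inner JSON use the same escape rules, the text JSON.parse receives on the client is exactly the serializer's output. A URL-encoded payload, by contrast, has to be passed through decodeURIComponent first, since JSON.parse does not URL-decode anything.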
It will be safe. It won't destroy your markup.
If you are sure about what you want to do:
@Html.Raw(yourStringWithTheJSONcode)
Source: json - How to encode embedded javascript in Razor view in ASP.NET MVC 3? - Stack Overflow