如何使用Razor将未编码的Json写入视图?

你需要:

@Html.Raw(Json.Encode(Model.PotentialAttendees))

在Beta 2之前的版本中,您的做法如下:

@(new HtmlString(Json.Encode(Model.PotentialAttendees)))

JsonConvert.SerializeObject 行为与 Json.Encode 做“大卫·k·艾格海德”建议的事,会让你敞开心扉 XSS攻击 .

Json.编码 是安全的,而且Newtonsoft可以在JavaScript上下文中设置为安全的,但也需要一些额外的工作。

<script>
    var jsonEncodePotentialAttendees = @Html.Raw(Json.Encode(
        new[] { new { Name = "Samuel Jack</script><script>alert('jsonEncodePotentialAttendees failed XSS test')</script>" } }
    ));
    alert('jsonEncodePotentialAttendees passed XSS test: ' + jsonEncodePotentialAttendees[0].Name);
</script>
<script>
    var safeNewtonsoftPotentialAttendees = JSON.parse(@Html.Raw(HttpUtility.JavaScriptStringEncode(JsonConvert.SerializeObject(
        new[] { new { Name = "Samuel Jack</script><script>alert('safeNewtonsoftPotentialAttendees failed XSS test')</script>" } }), addDoubleQuotes: true)));
    alert('safeNewtonsoftPotentialAttendees passed XSS test: ' + safeNewtonsoftPotentialAttendees[0].Name);
</script>
<script>
    var unsafeNewtonsoftPotentialAttendees = @Html.Raw(JsonConvert.SerializeObject(
        new[] { new { Name = "Samuel Jack</script><script>alert('unsafeNewtonsoftPotentialAttendees failed XSS test')</script>" } }));
    alert('unsafeNewtonsoftPotentialAttendees passed XSS test: ' + unsafeNewtonsoftPotentialAttendees[0].Name);
</script>

另见:

• Does the output of JsonConvert.SerializeObject need to be encoded in Razor view?
• XSS Prevention Rules

<script type="text/jscript">
  var potentialAttendees  = @(Html.Raw(Newtonsoft.Json.JsonConvert.SerializeObject(Model.PotentialAttendees)))
</script>