How do I write unencoded Json to my View using Razor?
You do:
@Html.Raw(Json.Encode(Model.PotentialAttendees))
In releases earlier than Beta 2 you did it like:
@(new HtmlString(Json.Encode(Model.PotentialAttendees)))
Newtonsoft's JsonConvert.SerializeObject
does not behave the same as Json.Encode
and doing what @david-k-egghead suggests opens you up to XSS attacks.
Drop this code into a Razor view to see that using Json.Encode
is safe, and that Newtonsoft can be made safe in the JavaScript context but is not without some extra work.
<script> var jsonEncodePotentialAttendees = @Html.Raw(Json.Encode( new[] { new { Name = "Samuel Jack</script><script>alert('jsonEncodePotentialAttendees failed XSS test')</script>" } } )); alert('jsonEncodePotentialAttendees passed XSS test: ' + jsonEncodePotentialAttendees[0].Name);</script><script> var safeNewtonsoftPotentialAttendees = JSON.parse(@Html.Raw(HttpUtility.JavaScriptStringEncode(JsonConvert.SerializeObject( new[] { new { Name = "Samuel Jack</script><script>alert('safeNewtonsoftPotentialAttendees failed XSS test')</script>" } }), addDoubleQuotes: true))); alert('safeNewtonsoftPotentialAttendees passed XSS test: ' + safeNewtonsoftPotentialAttendees[0].Name);</script><script> var unsafeNewtonsoftPotentialAttendees = @Html.Raw(JsonConvert.SerializeObject( new[] { new { Name = "Samuel Jack</script><script>alert('unsafeNewtonsoftPotentialAttendees failed XSS test')</script>" } })); alert('unsafeNewtonsoftPotentialAttendees passed XSS test: ' + unsafeNewtonsoftPotentialAttendees[0].Name);</script>
See also:
Using Newtonsoft
<script type="text/jscript"> var potentialAttendees = @(Html.Raw(Newtonsoft.Json.JsonConvert.SerializeObject(Model.PotentialAttendees)))</script>