CODEWITHSUNDEEP
asp.net-mvcrazor
A Bogus
A Bogus

Reputation: 3920

ASP.NET MVC with Razor, custom HtmlHelper outputs just text

I am experimenting with custom HtmlHelpers, but can't get even a basic one to work correctly. My code (just for testing sake) looks like this -

My class -

namespace HtmlHelpers.Extensions
{
    public static class Helpers
    {
        public static string MySubmitButton(this HtmlHelper helper)
        {
            return String.Format("<input type=\"submit\" value=\"Submit This\">");
        }
    }
}

In my view - 

@using HtmlHelpers.Extensions;
@Html.MySubmitButton()

This I believe should generate a simple submit button, but instead, it justs writes the following text to the screen - 

<input type="submit" value="Submit">

I inspected the element, and for some reason the entire input element is being surrounded with double quotes. Anyone know why? Thanks!

Upvotes: 2

Views: 2932

Answers (1)

AaronLS
AaronLS

Reputation: 38367

I believe you should be returning a MvcHtmlString class. Try 

public static MvcHtmlString MySubmitButton(this HtmlHelper helper)
{
    return MvcHtmlString.Create("<input type=\"submit\" value=\"Submit This\">");
}

although there's probably better ways to do this using a TagBuilder if you look at examples online, or the MVC source code since it's open source, you can look at their html helpers(although they are pretty complicated due to the way they layer them).

To directly answer your question of "why" it was displaying that as if it were a string, is Razor tries to be safe and convert anything you display as text instead of HTML/script. For example, @Model.PeronName will escape any characters in the peron's name with HTML character codes. Consider if there was no protection like this, and one of your users changed their name to be <script>someDangerousJavascriptThatWouldChangeCurrentUsersPassword()</script>, then posted on your forum or anywhere their name would appear, then other users visit the page, and that javascript runs and POSTS a change password form for that current user's password to some password that the hacker chose in the script. There are a wide variety of complicated attacks like this, or users might accidentally enter angle brackets(and while fairly harmless if treated as HTML they will mess up your page display).

For that reason MVC will assume just about any string is not HTML and thus replace things like <script> with &lt;script&gt; which basically is a way of saying "this is not html/script, I want you to display the less-than symbol and greater than symbol". If you wanted to display something as HTML, there is a @Html.Raw() helper for that, and it won't clean output, and thus should never be used with a string that you concatenated together from any data that a user my supply.

Upvotes: 6

Related Questions