Reputation: 1755
JSON convert JsonResult to javascript string without encoding quotations
I need to convert a Microsoft.AspNet.Mvc.Controller.JsonResult to a string using ASP.NET Core
Here is my code in ASP.NET MVC
public async Task<string> GetJsonData()
{
//...
var result = GetMyComplexObject();
//using Newtonsoft.Json.JsonConvert method
var jsonString = JsonConvert.SerializeObject(Json(result));
return jsonString;
}
public async Task<IActionResult> Index()
{
var myViewModel= new MyViewModel();
myViewModel.JsonString = GetJsonData();
return View(myViewModel);
}
public class MyViewModel
{
//...
public string JsonString { get; set; }
}
and in my cshtml
var dataSet = {@(Model.JsonString))};
However in the generated source instead of the fields being in quotations, they are html encoded e.g. "field1"
Instead of running string replaces is there not a neater way to convert a JsonResult to string
Upvotes: 7
Views: 14220
Answers (3)
Reputation: 34992
In ASP.Net 5 there is a JsonHelper directly available in the razor views via @Json.Serialize, so you can write something like this in your razor view:
var foo = @Json.Serialize(model);
This is very similar to manually doing:
var foo = @Html.Raw(JsonConvert.SerializeObject(model))
The problem in both cases is that JSON.Net by default serializes but does not XSS-sanitizes the output. This means the contents of model are not escaped, leaving your code open for XSS attacks if model depends on user input. For example:
@{
var model = new
{
prop1 = 1,
prop2 = "</script><script>alert('o hai');</script>",
prop3 = false
};
}
var foo = @Json.Serialize(model);
You could use the Json.Serialize overload that lets you specify JsonSerializerSettings, so you can set StringEscapeHandling as EscapeHtml:
HTML (<, >, &, ', ") and control characters (e.g. newline) are escaped.
var foo = @Json.Serialize(model, new JsonSerializerSettings { StringEscapeHandling = StringEscapeHandling.EscapeHtml });
PS. I have raised an issue on github to include default html escaping in the JsonHelper.
Approaches used in previous versions
If you search about this same question on stack overflow, you will see there used to be a Json.Encode helper in earlier versions of MVC, so you could serialize like this, manually performing the json serialization. This seems replaced by Json.Serialize which is not safe by default.
There also used to be a helper HttpUtility.JavaScriptStringEncode that could be used to manually encode json literals. This seems to be there in ASP.Net 5 as IJavaScriptStringEncoder. The only problem is that when combined with Newtonsoft.Json (The default json formatter in ASP.Net 5), it will encode too much for a valid json literal (like the double quotes in property names). However it will produce a valid string that can be parsed on the browser with JSON.parse (So probably this approach should work too):
@inject Microsoft.Extensions.WebEncoders.IJavaScriptStringEncoder encoder;
...
var foo = JSON.parse("@encoder.JavaScriptStringEncode(JsonConvert.SerializeObject(model))");
Be also aware that by looking at the newest source code, the IJavaScriptStringEncoder will be replaced by System.Text.Encodings.Web.JavaScriptEncoder in RC2.
Upvotes: 13
Reputation: 641
String - JavaScriptSerializer: (Can't use in ASP.NET Core)
var json = new JavaScriptSerializer().Serialize(jsonResult.Data);
Object - Newtonsoft.Json:
var json = JsonConvert.SerializeObject(jsonResult.Data, Formatting.Indented, new KeysJsonConverter(typeof(OBJECT)));
KeysJsonConverter
using Newtonsoft.Json;
using Newtonsoft.Json.Linq;
using System;
using System.Collections.Generic;
using System.Linq;
namespace TestApp.Helpers
{
// Creates a custom JsonConverter that overrides serialization to add a keys property.
public class KeysJsonConverter : JsonConverter
{
private readonly Type[] _types;
public KeysJsonConverter(params Type[] types)
{
_types = types;
}
public override void WriteJson(JsonWriter writer, object value, JsonSerializer serializer)
{
JToken t = JToken.FromObject(value);
if (t.Type != JTokenType.Object)
{
t.WriteTo(writer);
}
else
{
JObject o = (JObject)t;
IList<string> propertyNames = o.Properties().Select(p => p.Name).ToList();
o.AddFirst(new JProperty("Keys", new JArray(propertyNames)));
o.WriteTo(writer);
}
}
public override object ReadJson(JsonReader reader, Type objectType, object existingValue, JsonSerializer serializer)
{
throw new NotImplementedException("Unnecessary because CanRead is false. The type will skip the converter.");
}
public override bool CanRead
{
get { return false; }
}
public override bool CanConvert(Type objectType)
{
return _types.Any(t => t == objectType);
}
}
}
.cshtml
var model = @Html.Raw(Json.Encode(Model));
Not sure where i got KeysJsonConverter from but i have used it in a few projects i have built and it works very well, credit to whoever wrote it originally.
Upvotes: 2
Reputation: 7512
You could use Newtonsoft
"Newtonsoft.Json": "6.0.8",
and then on your JsonResult Object in your Controller
using Newtonsoft.Json;
and
var jsonResult = Json(myObject);
string jsonString= JsonConvert.SerializeObject(jsonResult.Value);
Upvotes: 3
Related Questions
- How do I turn a C# object into a JSON string in .NET?
- How can I convert String to Int?
- How can I deserialize JSON to a simple Dictionary<string,string> in ASP.NET?
- How to convert UTF-8 byte[] to string
- How do you convert a byte array to a hexadecimal string, and vice versa?
- JavaScriptSerializer - JSON serialization of enum as string
- Convert a string to an enum in C#
- How do I get a consistent byte representation of strings in C# without manually specifying an encoding?