From Microsoft Docs
The Razor engine used in MVC automatically encodes all output sourced from variables. So for the following Razor view:
@{
var untrustedInput = "<\"123\">";
}
@untrustedInput
This view should output the contents of the untrustedInput variable. This variable includes some characters which are used in XSS attacks, namely <, " and >.
So my expectation was that the browser source code would show the encoded value as: &lt;&quot;123&quot;&gt;
But instead I see the rendered value.
Where would I actually see the encoded value in the browser?
Sorry, I found it. I am looking at the wrong tab. If I open Network -> my route -> Response tab, I see the encoded value.
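The difference between the two tabs, as an added example that is not part of the original post: the raw response body carries the character references, and the HTML parser turns them back into the original characters for display. `htmlEncode`, `decodeEntities` and `classifyReflection` are hypothetical helper names, and `htmlEncode` only approximates Razor's default encoding for the characters discussed here.

```javascript
// Added example (not from the original post). htmlEncode approximates
// Razor's default output encoding; it is not the ASP.NET Core implementation.
const ENCODE = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
const DECODE = { amp: '&', lt: '<', gt: '>', quot: '"' };

function htmlEncode(value) {
  return String(value).replace(/[&<>"']/g, ch => ENCODE[ch]);
}

// What the HTML parser does with character references in text content.
// This single pass is why the rendered page shows <"123"> again.
function decodeEntities(html) {
  return html.replace(/&(?:#x([0-9a-f]+)|#(\d+)|(amp|lt|gt|quot));/gi,
    (match, hex, dec, name) => {
      if (hex) return String.fromCodePoint(parseInt(hex, 16));
      if (dec) return String.fromCodePoint(parseInt(dec, 10));
      return DECODE[name.toLowerCase()];
    });
}

// Classify how an untrusted value appears in a raw response body
// (the text shown under Network -> Response, or by "View page source").
function classifyReflection(body, untrusted) {
  const encoded = htmlEncode(untrusted);
  const needsEncoding = encoded !== untrusted;
  if (needsEncoding && body.includes(untrusted)) return 'raw';   // unencoded output
  if (body.includes(encoded)) return 'encoded';                  // safe text context
  return 'absent';
}

// Constructed sample data: the value from the Razor view above.
const untrustedInput = '<"123">';
const wireBody = `<p>${htmlEncode(untrustedInput)}</p>`;          // Response tab
const renderedText = decodeEntities(htmlEncode(untrustedInput));  // rendered page

console.log('wire    :', wireBody);
console.log('rendered:', renderedText);
console.log('status  :', classifyReflection(wireBody, untrustedInput));
```

A check like `classifyReflection` belongs in an integration test that fetches the raw response body, because the rendered text looks identical whether or not the server encoded the value.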