Avoid Using Html.Raw

Html.Raw is a security risk in ASP.NET pages. Fortunately, there are alternatives.

Html.Raw is a method in ASP.NET Razor Pages that allows developers to render unencoded HTML content in the page. However, it can also be a security risk if the content being rendered is not properly sanitized, as it can allow malicious content to be injected into the page.

Using Html.Raw results in a Reflected XSS All Clients security risk.

Avoid using Html.Raw in ASP.NET Razor Pages by encoding the content before rendering it on the page. This can be achieved by using the "@" symbol to specify that the content should be encoded.


Model.Content is rendered within the p tag, and the "@" symbol ensures that the content is properly encoded before it is displayed on the page.

Alternatively, you can use HtmlEncode to encode the content before rendering it.


This approach explicitly encodes the content using the HtmlEncode method, ensuring that any potentially malicious content is properly sanitized before it is displayed on the page.

Overall, it is important to ensure that any content being rendered in your ASP.NET Razor Pages is properly sanitized to prevent security vulnerabilities. Avoiding the use of @Html.Raw is one way to achieve this.