Where is the equivalent of HttpUtility.JavaScriptStringEncode in .Net Core 1.1?

I have found myself in need of scrubbing javascript out of comments being added by users in a .Net Core MVC application. In previous frameworks, this could be achieved by first passing your string into JavaScriptStringEncode.

var comment = HttpUtility.JavaScriptStringEncode(model.Comment);

However, I haven’t been able to find the equivalent in .net core.

Here is an equivalent of HttpUtility.JavaScriptStringEncode in .net core:

using System.Text.Encodings.Web; //part of System.Text.Encodings.Web nuget package

var encodedText = JavaScriptEncoder.Default.Encode("TextToEncode");

There is a helper available as @Json.Serialize in the views. That uses JSON.Net, taking into account any formatting options configured in Startup.cs:

var foo = @Json.Serialize(model);

Bear in mind this does not XSS-sanitizes the json by default! However you can use an overload that lets you do that, specifying the StringEscapeHandling option of JSON.Net as EscapeHtml:

@using Newtonsoft.Json


var foo = @Json.Serialize(model, new JsonSerializerSettings { StringEscapeHandling = StringEscapeHandling.EscapeHtml });

You can maybe wrap that into your own helper like @Json.SafeSerialize or @SafeJson.Serialize.

I haven’t found a better way than your own helpers without forcing the default JsonOutputFormatter to behave this way through the json options in Startup:

services.AddMvc().AddJsonOptions(opts => opts.SerializerSettings.StringEscapeHandling = StringEscapeHandling.EscapeHtml)

The problem with the latter approach (and why you might prefer the custom helper) is that it would also affect the JSONs returned from your APIs.

PS. I have raised this on github.

You can use the same method, use it like this example on razor:



As @Dai said, this will only work if you’re targeting .NET Framework, which is descouraged with ASP.NET Core.

Read More:   What is the danger in including the same JavaScript library twice?

The answers/resolutions are collected from stackoverflow, are licensed under cc by-sa 2.5 , cc by-sa 3.0 and cc by-sa 4.0 .

Similar Posts