Disable encoding of unicode characters in ASP.NET-MVC3

Question

On my site every text is served as UTF-8.

Since nowadays every browser supports unicode characters, I would like to use them as-is.

The asp.net framework is very helpful by replacing any unicode with a Numeric Character Reference, like á. For reference check: http://en.wikipedia.org/wiki/Unicode_and_HTML#HTML_document_characters

Sure, this way the webpage renders correctly in the oldest netscape possible, but for example the google analytics ecommerce module has some trouble understanding these specially coded characters.

Is there a way to globally disable the Numeric Character Reference encoding?

For example I want to write in razor:

<span class="title">@ViewBag.Title</span>

I would want this to show on the output:

<span class="title">Számítástechnika</span>

Not this:

<span class="title">Sz&#225;m&#237;t&#225;stechnika</span>

I'm not trying to disable the html encoding, so Html.Raw is not a solution, as for example I'm not able to ensure that the @ViewBag.Title will not content something like this:

<span class="title"><script>alert('injected hahahah');</script></span>

So I'm content with the automatic encoding of special html characters. That is not what I want to disable.

I wouldn't want to restructure all the code, and I thought that there should be a "global switch" to disable this kind of behavior in using string parameters in razor. Is there a way to do this?

Also can I explicitly forbid the numeric character references, for example with something like new MvcHtmlString(myString, some parameters) ?

Answer 1

I'm afraid that you cannot turn this encoding feature off. This "nice" feature is provided by the WebUtility.HtmlEncode and you cannot influence the encoding.

However with starting .net 4.0 you can customize the encoding behavior, with creating a class that inherits from the HttpEncoder and configure it in the web.cofig HttpRuntimeSection.EncoderType. But you need to implement your own custom encoding logic.

Luckily .net 4.5 ships with a new HttpEncoder which encodes the bad stuff (like <script>) however handles the Unicode characters correctly called AntiXssEncoder

So you just need to add this in your web.config:

<system.web>
    <httpRuntime encoderType="System.Web.Security.AntiXss.AntiXssEncoder, 
                             System.Web, Version=4.0.0.0, Culture=neutral, 
                             PublicKeyToken=b03f5f7f11d50a3a"/>    
</system.web>

If you are not yet on .net 4.5 you can implement your AntiXssEncoder with the help of Microsoft Web Protection Library

Here is an article how to set it up: Using AntiXss As The Default Encoder For ASP.NET (although it might be outdated)

Answer 2

You can also use the @Html.Raw method of mvc.This is useful where you don't want to do it at global level sometimes on already built project.

@Html.Raw(@ViewBag.Title)

Answer 3

For .Net Core web application you can configure default encoding behaviour in your ConfigureServices method:

public void ConfigureServices(IServiceCollection services)
{
    services.Configure<WebEncoderOptions>(options => 
            {
                options.TextEncoderSettings = new TextEncoderSettings(UnicodeRanges.All);
            });
}

This will render non-encoded unicode characters on the html page. Source https://github.com/aspnet/HttpAbstractions/issues/315