Home/ Questions/Q 8769883
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-13T17:26:55+00:00

Can I securely replace Environment.NewLine with <br /> like I am in the following

  • 0

Can I securely replace Environment.NewLine with <br /> like I am in the following extension method?

public static string HtmlBreaks(this string s)
{
    if (string.IsNullOrEmpty(s)) { return s; }
    return s.Replace(Environment.NewLine, "<br />");
}

I use it like this:

@Html.Raw(Model.Details.HtmlBreaks())

And let me be clearer. Is this secure? Am I breaking any internet security guidelines by replacing text with HTML and then issuing the Raw method? Am I opening this website up to any attacks by this?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    This is not secure. Take the example text of the details containing:

    <script>alert('a')</script>

    The HTML.Raw will output that as a script tag and the browser will execute the script. If the user provides the details text, this allows them to inject script into your page (A basic XSS attack).

    If you want to replace the newlines with <br> do it in your view. For example, my controller might look like this:

    MyModel model = new MyModel();
model.Description = "Hello \r\n how are you today \r\n <script>alert('a')</script> \r\n";
return View(model);

    In my view, I can do this:

    @{ var lines = Model.Description.Split('\r');
   foreach (var line in lines)
   {
       @line.Trim() <br />
   }
 }
    • 0