Home/ Questions/Q 9239047
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-18T07:53:53+00:00

On my site every text is served as UTF-8. Since nowadays every browser supports

  • 0

On my site every text is served as UTF-8.

Since nowadays every browser supports unicode characters, I would like to use them as-is.

The asp.net framework is very helpful by replacing any unicode with a Numeric Character Reference, like á. For reference check: http://en.wikipedia.org/wiki/Unicode_and_HTML#HTML_document_characters

Sure, this way the webpage renders correctly in the oldest netscape possible, but for example the google analytics ecommerce module has some trouble understanding these specially coded characters.

Is there a way to globally disable the Numeric Character Reference encoding?

For example I want to write in razor:

<span class="title">@ViewBag.Title</span>

I would want this to show on the output:

<span class="title">Számítástechnika</span>

Not this:

<span class="title">Sz&#225;m&#237;t&#225;stechnika</span>

I’m not trying to disable the html encoding, so Html.Raw is not a solution, as for example I’m not able to ensure that the @ViewBag.Title will not content something like this:

<span class="title"><script>alert('injected hahahah');</script></span>

So I’m content with the automatic encoding of special html characters. That is not what I want to disable.

I wouldn’t want to restructure all the code, and I thought that there should be a “global switch” to disable this kind of behavior in using string parameters in razor. Is there a way to do this?

Also can I explicitly forbid the numeric character references, for example with something like new MvcHtmlString(myString, some parameters) ?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    I’m afraid that you cannot turn this encoding feature off. This “nice” feature is provided by the WebUtility.HtmlEncode and you cannot influence the encoding.

    However with starting .net 4.0 you can customize the encoding behavior, with creating a class that inherits from the HttpEncoder and configure it in the web.cofig HttpRuntimeSection.EncoderType. But you need to implement your own custom encoding logic.

    Luckily .net 4.5 ships with a new HttpEncoder which encodes the bad stuff (like <script>) however handles the Unicode characters correctly called AntiXssEncoder

    So you just need to add this in your web.config:

    <system.web>
    <httpRuntime encoderType="System.Web.Security.AntiXss.AntiXssEncoder, 
                             System.Web, Version=4.0.0.0, Culture=neutral, 
                             PublicKeyToken=b03f5f7f11d50a3a"/>    
</system.web>

    If you are not yet on .net 4.5 you can implement your AntiXssEncoder with the help of
    Microsoft Web Protection Library

    Here is an article how to set it up: Using AntiXss As The Default Encoder For ASP.NET (although it might be outdated)

    • 0