0

Is there a way to detect if an HTML page contains any razor/C# code? Essentially I want users to be able to provide custom layouts, with tags that I will replace with RenderSection. I want to validate that prior to making this replacement, that none of the HTML contains anything like for example, <a href="@(some C# code)".

All discussions about alternative ways to do this, should/could/would aside, just simply: Is there a way to programmatically detect if a file contains C#/Razor code?

Improve this question
2
  • I am not aware of any such code. In order to restrict the templates to only use HTML, could you simply force your template files to be contained within .html files, instead of accepting .cshtml files? I don't think ASP.NET MVC will allow Razor code in HTML-only files. Commented Jan 24, 2013 at 19:14
  • This is true, but they are intended to become layout pages so that users can specify the layout of their page. At some point I've got to take their "body goes here", "scripts go here" tags(I'll tell them the markup for these magic tags) and replace them with the @section's from the view. It seems the easiest way to do this is just replace the magic tags with RenderSection and then set the page as the layout. This will leverage the existing layout engine nicely, and avoid me re-inventing the wheel. To make it safe, I want to neuter the page of C#, before adding RenderSection. Commented Jan 24, 2013 at 22:34

3 Answers 3

Reset to default
2

I don't know a lot about the Razor markup -- but I am thinking that when you grab the layout string they are passing in you will want to parse the text out and grab everything that starts with an @ and toss those words into an array. Then, when you republish it to you website use razor code to access the data in the array...

Alternately, and easier, would be to go through all the passed in code and replace all the @ signs with a different symbol say & that way it wont get interpreted by the Razor processor:

layoutString = layoutString.Replace('@', '&');

Improve this answer
Sign up to request clarification or add additional context in comments.

2 Comments

+1 Yes, it occurred to me that maybe just replacing all @ with the HTML char code &#64; might do the trick. That would essentially neuter the page and at the same time hopefully preserve the display, assuming no inline javascript existed that would break as a result. I can always request that any javascript be externalized to avoid that problem.
I thought about doing to char code instead of the & symbol but I wasn't 100% sure how Razor would interpret it. If you know the start and end codes for the javascripts you want to allow you should be able to disable your replace method during that section of javascript. Either route you take make sure you test it to be sure no bad code is getting through and good code getting lost.
0

In the browser? No, because unless the programmer made a mistake, there is no Razor/C# code in teh rendered HTML, only HTML that was the result of that.

What you ask is like asking what type of oven was used to bake a pizza from the pizza. Bad news - you never will know.

If you provie sensible tags from those, you could parse them in javascript, but you have to output that metadata yourself as part of the generated html.

Improve this answer

1 Comment

No not in the browser. Programmatically server side, look at a file and determine if it has any Razor/C#. This is prior to it ever being rendered. I am hoping there is some API on the Razor Engine, maybe like a tokenizer or something that I could use to detect.
0

After reading your comment to TomTom; the answer is:

No. Razor does not come with any public syntax parser.

Improve this answer

5 Comments

Well, it kinda does in the new builds - the entire AST parser is available.
That you can use in runtime to detect if a file in your project does not contain any razor code as requested in the question?
you can re-host the parser, yes. We make use of it during a custom tool we wrote that executes as a build-step and simply scans the files in turn, running them though the razor parser.
Cool. Then my guess is that you are already preparing a proper answer.
@Marc I see the MSDN docs for the System.Web.Razor.Parser namespace, is that what you are referring to? I'm guessing RazorParser.Parse( is probably a good starting point? Or do you have to create a ParserContext usually? I know I'm getting a bit out of scope of the question, but if you can suggest a starting point I'd appreciate it.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.