Is there a risk in using @Html.Raw? It seems to me that there should not be. If there is a risk, then this risk will not exist regardless of @Html.Raw, given the fact that modern browsers, such as Chrome, will allow you to edit in the injection <script>malicious()</script> or even change the action of submitting the form to something else.
@Html.Raw will allow any script that is in the displayed value to execute. If you want to prohibit that, use @Html.AttributeEncode.
Right, the risk is in how it is used. There is no risk in Html.Raw. This is a tool, nothing more.
, @Html.Encode().
, displaying non-user entered data, @Html.Raw()
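An added example (not code from this thread) of the difference the answers describe: the same stored value written to a page unencoded, HTML-encoded, and attribute-encoded. It is a C# console program that assumes the framework's HttpUtility encoders as stand-ins for the @Html.Encode and @Html.AttributeEncode helpers; the method names and sample strings are constructed for illustration.

```csharp
using System;
using System.Web; // HttpUtility (System.Web.dll, or System.Web.HttpUtility on modern .NET)

static class RawVersusEncoded
{
    // Stand-in (assumption) for @Html.Raw(value): the string reaches the page unchanged.
    static string Raw(string value) => value;

    // Stand-in (assumption) for @Html.Encode(value): markup characters become entities.
    static string Encode(string value) => HttpUtility.HtmlEncode(value);

    // Stand-in (assumption) for @Html.AttributeEncode(value): for use inside a quoted attribute.
    static string AttributeEncode(string value) => HttpUtility.HtmlAttributeEncode(value);

    static void Main()
    {
        // Constructed sample: text one user saved, later rendered in other users' browsers.
        string userEntered = "He said \"hi\" <script>malicious()</script>";

        // Constructed sample: markup written by the developer, never taken from user input.
        string developerMarkup = "<strong>Terms updated</strong>";

        // User-entered data written raw: the script element arrives intact and runs
        // for every visitor who loads the page, not only for the person who typed it.
        Console.WriteLine("raw user data:       <p>" + Raw(userEntered) + "</p>");

        // User-entered data encoded for element content: the browser shows it as text.
        Console.WriteLine("encoded user data:   <p>" + Encode(userEntered) + "</p>");

        // User-entered data encoded for an attribute value: the embedded quotes
        // can no longer close the attribute early.
        Console.WriteLine("attribute context:   <input value=\""
                          + AttributeEncode(userEntered) + "\">");

        // Developer-controlled markup written raw: intended to render as HTML.
        Console.WriteLine("raw developer markup: " + Raw(developerMarkup));
    }
}
```

Comparing the first two output lines shows which characters the encoder rewrites and why the raw path depends entirely on where the value came from.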