---
title: Output Encoding For Dynamic JS/JSON
impact: HIGH
impactDescription: prevents injection in JavaScript contexts
tags: xss, javascript, json, encoding, security, csharp
---

## Output Encoding For Dynamic JS/JSON

Embedding user data in JavaScript or JSON blocks in Razor pages requires proper encoding.

**Incorrect (unescaped data in JS):**

```cshtml
@* XSS in Razor: the value is dropped into a JavaScript string with no JavaScript/JSON encoding *@
<script>
    var user = "@Model.Username"; // Vulnerable if Username contains quotes
</script>
```

**Correct (proper JSON encoding):**

```cshtml
@* Use the Json helper in Razor; it returns IHtmlContent, so Razor does not HTML-encode it a second time *@
<script>
    var user = @Json.Serialize(Model.Username); // Encodes quotes and special chars, including < and > as \u escapes
</script>
```

Or encode explicitly in C# and emit the result with `@Html.Raw(safeJson)`, which is only safe because the JSON encoder has already escaped `<`, `>` and `&`:

```csharp
using Newtonsoft.Json; // Newtonsoft

// Newtonsoft: the default StringEscapeHandling leaves '<' and '>' untouched, so a
// value containing "</script>" would end the script block. Set EscapeHtml first.
var safeJsonNewtonsoft = JsonConvert.SerializeObject(userData,
    new JsonSerializerSettings { StringEscapeHandling = StringEscapeHandling.EscapeHtml });

// System.Text.Json: the default encoder already escapes '<', '>', '&' and quotes.
// Do not pass JavaScriptEncoder.UnsafeRelaxedJsonEscaping for script-context output.
var safeJsonStj = System.Text.Json.JsonSerializer.Serialize(userData);
```
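As an added example (not part of the original rule), the following console program makes the difference between the serializers concrete: it serializes a constructed username containing a quote and a closing script tag with each encoder and checks whether the closing tag survives. `ContainsScriptTerminator` and `Report` are helpers written for this example, not library APIs.

```csharp
using System;
using Newtonsoft.Json;
using StjSerializer = System.Text.Json.JsonSerializer;

static class ScriptContextEncodingDemo
{
    // Hypothetical check: JSON placed between <script> tags is only safe if the
    // HTML parser cannot find a closing tag inside it. Escaped quotes alone do
    // not guarantee that, because the HTML parser runs before the JS parser.
    static bool ContainsScriptTerminator(string json) =>
        json.Contains("</script", StringComparison.OrdinalIgnoreCase);

    static void Report(string label, string json) =>
        Console.WriteLine($"{label,-26} {json}  breakout possible: {ContainsScriptTerminator(json)}");

    static void Main()
    {
        // Constructed sample: a display name carrying a quote and a closing tag.
        string username = "Ann\"</script>";

        // System.Text.Json's default JavaScriptEncoder writes <, >, & and quotes
        // as \uXXXX escapes, so no closing tag can survive serialization.
        Report("System.Text.Json default", StjSerializer.Serialize(username));

        // Newtonsoft's default StringEscapeHandling escapes quotes, backslashes
        // and control characters only; '<' and '>' pass through unchanged.
        Report("Newtonsoft default", JsonConvert.SerializeObject(username));

        // Newtonsoft with EscapeHtml also escapes <, >, &, ' and ", which makes
        // the output safe to emit via @Html.Raw(...) inside a <script> block.
        var settings = new JsonSerializerSettings
        {
            StringEscapeHandling = StringEscapeHandling.EscapeHtml
        };
        Report("Newtonsoft EscapeHtml", JsonConvert.SerializeObject(username, settings));
    }
}
```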

**Tools:** Roslyn Analyzers, SonarQube
