How dangerous is it to let users specify RazorEngine templates?

Question

I have mail-merge like functionality, which takes a template, some business object, and produces html which is then made into PDF.

I\'m using RazorEngine to do the t

Answer 1

A cshtml Razor file is able to execute any. NET code in the context of the site so yes, it is a security risk to permit them to be supplied by users.

You would be better served by accepting a more general HTML template, with custom tokens to input Model data.