Browsers seem to automatically HTML-decode HTML-encoded responses; how is this done?


For example, in full-framework ASP.NET, whenever you output data in a Razor file it automatically gets HTML encoded: @Model.Data, @DisplayFor(x => x.Data)

If the data contains some possibly dangerous characters, such as -'"<><, the HTML encoding presumably prevents this from ever being interpreted as code. If I look at the source of a response returning -'"<><, it will say -&#39;&quot;&lt;&gt;&lt;.

How exactly is this HTML decoding done in the browser? Does it happen after all the JavaScript has been run and all the callbacks have been registered? Is there any way to turn off automatic HTML decoding in browsers?
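
An added example, not part of the original question and not ASP.NET or browser code: a toy tokenizer showing that an HTML parser decides what is a tag on the raw characters and only afterwards decodes character references, inside text, in a single pass. The function names, the small set of supported references and the sample string are assumptions made for the illustration.

```javascript
// Added illustration. htmlEncode, decodeRefs, tokenize and summarize are
// hypothetical helpers, not ASP.NET or browser APIs.
const ENCODE = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
const NAMED = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'" };

// Server side: replace the characters that are significant in HTML.
function htmlEncode(s) {
  return s.replace(/[&<>"']/g, (c) => ENCODE[c]);
}

// Decode a small subset of character references in one pass (no re-scan).
function decodeRefs(text) {
  return text.replace(/&(?:#x([0-9a-f]+)|#([0-9]+)|([a-z]+));/gi, (m, hex, dec, name) => {
    if (name) return Object.prototype.hasOwnProperty.call(NAMED, name) ? NAMED[name] : m;
    const cp = hex ? parseInt(hex, 16) : parseInt(dec, 10);
    return cp > 0 && cp <= 0x10ffff ? String.fromCodePoint(cp) : m;
  });
}

// Toy tokenizer: tag boundaries are decided on the raw characters first;
// references are decoded afterwards, and only inside text.
function tokenize(html) {
  const tokens = [];
  for (const [raw] of html.matchAll(/<\/?[a-zA-Z][^>]*>|[^<]+|</g)) {
    if (raw.length > 1 && raw[0] === '<') {
      tokens.push({ type: 'tag', raw });
      continue;
    }
    const last = tokens[tokens.length - 1];
    if (last && last.type === 'text') last.data += decodeRefs(raw);
    else tokens.push({ type: 'text', data: decodeRefs(raw) });
  }
  return tokens;
}

// Count tag tokens and collect the text a reader would see.
function summarize(html) {
  const tokens = tokenize(html);
  return {
    tags: tokens.filter((t) => t.type === 'tag').length,
    text: tokens.filter((t) => t.type === 'text').map((t) => t.data).join(''),
  };
}

const SAMPLE = `<b>bold</b> -'"<><`; // constructed input
console.log(summarize(SAMPLE));             // raw: two tags, text "bold -'\"<><"
console.log(summarize(htmlEncode(SAMPLE))); // encoded: no tags, text equals SAMPLE
```

Because the decoded characters are produced after the tag/text decision has been made, they end up as text data and are never fed back through the tokenizer.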
