Why I need to Stop Using <%= … %> For Rendering and Start Using <%: … %> in Asp.net?

Tags:

asp.net

I read somewhere that I should stop using <%= … %> to render and start using <%: … %>.

Can anyone explain what the differences are between <%= … %> and <%: … %>, and what the advantages are of using one or the other?

Here is the slide deck I am reading:

http://ssmith-presentations.s3.amazonaws.com/ASPNET_TipsTricksTools_April2010.zip

Here are the links where you can get more information:

http://weblogs.asp.net/scottgu/archive/2010/04/06/new-lt-gt-syntax-for-html-encoding-output-in-asp-net-4-and-asp-net-mvc-2.aspx

http://haacked.com/archive/2009/11/03/html-encoding-nuggets-aspnetmvc2.aspx

Ybbest asked May 05 '10 22:05



2 Answers

Actually, it is a short version of <%= Server.HtmlEncode(string) %>.

See this link

http://weblogs.asp.net/scottgu/archive/2010/04/06/new-lt-gt-syntax-for-html-encoding-output-in-asp-net-4-and-asp-net-mvc-2.aspx

It is better practice in order to avoid JavaScript attacks etc. So if someone adds a comment to your blog, for example, which has, say, an iframe tag or JavaScript in it, then it will be rendered exactly as typed and not with the JS or iframe actually working.

Richard answered Sep 20 '22 07:09


Basically, <%: … %> will HTML-encode the result, while <%= … %> won't. This helps prevent XSS attacks. You can read more about it in this series of blog posts by Phil Haack.

R. Martinho Fernandes answered Sep 21 '22 07:09
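To make the difference both answers describe concrete, here is an added Python illustration (not code from the answers or from ASP.NET itself) that models the two nuggets over an untrusted blog comment like the one in the first answer: `<%= … %>` writes the value raw, `<%: … %>` runs it through an encoder standing in for Server.HtmlEncode, and, as ASP.NET 4 does for values implementing IHtmlString, a value already marked as safe markup is passed through unencoded. The toy template parser, the HtmlString class and the sample comment are assumptions made for the illustration.

```python
import html
import re


class HtmlString:
    """Stand-in for ASP.NET's IHtmlString: marks output that is already safe
    HTML so <%: ... %> passes it through instead of encoding it a second time."""

    def __init__(self, markup):
        self.markup = markup


def html_encode(value):
    """Stand-in for Server.HtmlEncode: escapes <, >, &, " and ' so the browser
    shows the text instead of parsing it (.NET emits &#39; for ', Python &#x27;)."""
    if isinstance(value, HtmlString):
        return value.markup  # already trusted markup, no double encoding
    return html.escape(str(value), quote=True)


# Matches <%= name %> and <%: name %>; group 1 is the nugget kind.
NUGGET = re.compile(r"<%(=|:)\s*(.*?)\s*%>", re.S)


def render(template, model):
    """Toy renderer (assumption, not the ASP.NET page parser): <%= %> writes the
    raw value, <%: %> writes the encoded value. Names are looked up in `model`,
    so no expression is evaluated."""
    def substitute(match):
        kind, name = match.group(1), match.group(2)
        value = model[name]
        return str(value) if kind == "=" else html_encode(value)
    return NUGGET.sub(substitute, template)


# Constructed sample: an untrusted comment that carries markup and script.
COMMENT = 'Nice post! <iframe src="http://example.invalid/"></iframe><script>alert(1)</script>'
MODEL = {"comment": COMMENT, "title": "Hello & welcome", "body": HtmlString("<b>trusted</b>")}


def raw_render():
    return render("<p><%= comment %></p>", MODEL)  # markup reaches the browser live


def encoded_render():
    return render("<p><%: comment %></p>", MODEL)  # markup is shown as text


def trusted_render():
    return render("<h1><%: title %></h1><%: body %>", MODEL)


if __name__ == "__main__":
    print(raw_render())
    print(encoded_render())
    print(trusted_render())
```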