Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Why I need to Stop Using <%= … %> For Rendering and Start Using <%: … %> in Asp.net?

Tags:

asp.net

I read somewhere that I should stop using <%= … %> to render and start using <%: … %>.

Can anyone explain what are differences between <%= … %> and <%: … %>, and what are advantages of using one or another?

Here is the slidedeck I am reading

http://ssmith-presentations.s3.amazonaws.com/ASPNET_TipsTricksTools_April2010.zip

Here are the links you can get more information from

http://weblogs.asp.net/scottgu/archive/2010/04/06/new-lt-gt-syntax-for-html-encoding-output-in-asp-net-4-and-asp-net-mvc-2.aspx

http://haacked.com/archive/2009/11/03/html-encoding-nuggets-aspnetmvc2.aspx

like image 257
Ybbest Avatar asked May 05 '10 22:05

Ybbest

People also ask

What is partial page rendering in asp net?

Partial-page rendering removes the need for the whole page to be refreshed as the result of a postback. Instead, only individual regions of the page that have changed are updated. As a result, users do not see the whole page reload with every postback, which makes user interaction with the Web page more seamless.

What is page rendering in asp net?

Page rendering - At this stage, view state for the page and all controls are saved. The page calls the Render method for each control and the output of rendering is written to the OutputStream class of the Response property of page.

What is Server HTMLEncode?

The HTMLEncode method applies HTML encoding to a specified string. This is useful as a quick method of encoding form data and other client request data before using it in your Web application. Encoding data converts potentially unsafe characters to their HTML-encoded equivalent.

2 Answers

Actually it is a short version of <%=Server.HtmlEncode(string) %>

See this link

http://weblogs.asp.net/scottgu/archive/2010/04/06/new-lt-gt-syntax-for-html-encoding-output-in-asp-net-4-and-asp-net-mvc-2.aspx

It is better practice in order to avoid Javascript attacks etc. So if someone adds a comment to your blog for example which has say an iframe html or javascript in it then it will be rendered exactly as typed and not with the JS or iframe actually working.

like image 177
Richard Avatar answered Sep 20 '22 07:09

Richard

Basically, <%: will HTML encode the result, while <%= won't. This helps prevent XSS attacks. You can read more about it in this series of blog posts by Phil Haack.

like image 44
R. Martinho Fernandes Avatar answered Sep 21 '22 07:09

R. Martinho Fernandes
Sign in to Comment

Related questions

How are developers using source control, I am trying to find the most efficient way to do source control in a small dev environment
Using FindControl() to find control
How does ASP.NET MVC know how to fill your model to feed your Controller's Action? Does it involve reflection?
Problem setting SUBSCRIBE QUERY NOTIFICATIONS
JsonResult or Json: which to use?
what's differences between "forms timeout", "membership userIsOnlineTimeWindow" and "sessionState timeout"
How to use ConfigurationManager Class in a Class Library Project type
404 Redirecting for non aspx pages
gzip compression in Windows Azure Websites
Thread.CurrentPrincipal.Identity in ASP .NET - is it safe to use
Catch 404 errors in Asp.net Web API
Must be Placed Inside a Form Tag With runat=server
Stop debugging Visual Studio 2013 when browser closes
Asp.NET Identity Custom SignInManager
How can I convert date time format string used by C# to the format used by moment.js?
Deploying dotnet core to Heroku
How to solve ASP.NET Web API CORS Preflight issue when using PUT and DELETE requests with multiple origins?
ASP.NET: Check if run from migration
Can "classic" ASP.NET pages and Microsoft MVC coexist in the same web application?
Using Entity Framework as Data Access Layer

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!