How to use the <%$ server code %> in Asp.net pages - asp.net

I would like to know how to work with the
<%$ %>
format in aspx pages, as I see that it can be used in all kinds of formats to insert server-side values into controls.
What is it called?
And where can I please read about how to use it, and what the format options are in all kinds of controls?
Thanks.

They are ASP.NET Expressions.
A very common usage is when using a resource file, like so
<asp:Label id="label1" runat="server" text="<%$ Resources: Messages, ThankYouLabel %>" />
Read more on them here: http://msdn.microsoft.com/en-us/library/d5bd1tad.aspx

Related

ASP.NET server tags rendered in client HTML, not values?

Maybe I've forgotten how to use these, but I am going crazy trying to inject a server-side value into an HTML output. There are reasons why I am doing this inline, and not server-side, so please don't suggest that as a solution.
This code on the server side:
<asp:Label ID="Label1" runat="server" Text='<%= DateTime.Now.ToString() %>' />;
Renders as this in the client HTML sent to the browser:
<span id="Label1"> <%= DateTime.Now.ToString()></span>;
And it displays as big fat empty space, and nothing output to the interface.
If I change the ASP source to using the "#" character to define as data-binding syntax, then the rendered output to browser becomes:
<span id="Label1"></span>
EDIT:
Setting Label text was just a simplified object for the sake of asking the question. In real life, I am setting the CssClass attribute, which does not allow me to use the "wrapping" workaround some have suggested. I wanted to set a public property and have all the controls update from it dynamically on page load.
Ideally, since I already have all the controls laid out on the aspx page. Just looking to add an attribute. I wanted to have:
<asp:textbox ID='MyTxtBox1' CssClass='<% strVal1 %>' />
<asp:textbox ID='MyTxtBox2' CssClass='<% strVal1 %>' />
<asp:textbox ID='MyTxtBox3' CssClass='<% strOtherVal %>' />
<asp:textbox ID='MyTxtBox4' CssClass='<% strVal1 %>' />
Now what it looks like I need to do is repeat all my (250+) controls on the codebehind in a block of code that looks like:
MyTxtBox1.CssClass = strVal1;
MyTxtBox2.CssClass = strVal1;
MyTxtBox4.CssClass = strVal1;
MyTxtBox3.CssClass = strOtherVal;
I believe that may not work on a compiled Web Application as it's not interpreted at run-time like a C# "Web Site". However, I was able to get it to work wrapping the label around the value:
<asp:Label runat="server"><%= DateTime.Now.ToString() %></asp:Label>
Set Label1.Text = value instead of trying to use server-side attributes inside of the server control.

Escape HTML-entities and avoid HTML-injection in WebForm Label?

So, I thought I was a "veteran" ASP.NET WebForms developer; however, I came across this recently and was (unpleasantly) surprised that the output is not escaped:
<asp:Label Text='<%# Eval("UserData") %>' runat="server" />
Imagine where the Eval returns "<h1>joke is on you" or something more malicious to the correct rendering/security of the page.
The reason there is a Label instead of the <%# %> directly was so that, as incorrectly presumed, the contents of "UserData" would be correctly escaped for HTML. However, this apparently is not the case and the above scenario results in <h1> elements being created in the HTML markup.
Then the question can be distilled as:
Given arbitrary user input, that is to be presented as "plain text", what is an easy/reliable/secure method to insert data into the page (in a span) with correct escaping?
As per above, it should run in the context of a data-bound control. I am aware of HttpUtility.HtmlEncode, but I would like to entertain the idea of still using a control - perhaps there is a standard control for this task that I missed - to represent this case safely, without the need for wrapping the Eval. If this is misguided, based on logic or experience, it would be good to include in replies. I would not reject the notion that my use of Label in this case is entirely inappropriate.
Unfortunately, due to needing to run in a SharePoint 2010 context, I target ASP.NET for .NET 3.5, and not ASP.NET 4.
What about:
<asp:Label Text='<%#: Eval("UserData") %>' runat="server" />
This escapes the output of the Eval, but it only works in .NET 4.
For .NET 3.5 a solution can be:
CodeBehind:
// Requires: using System; using System.Web; using System.Web.UI;
public object EvalEncode(object container, string expression)
{
    // DataBinder.Eval returns null for missing data; Convert.ToString maps null to ""
    // instead of throwing a NullReferenceException on .ToString().
    string output = Convert.ToString(DataBinder.Eval(container, expression));
    return HttpUtility.HtmlEncode(output);
}
MarkUp:
<%# EvalEncode(Container.DataItem, "Text") %>
Instead of using HttpUtility.HtmlEncode, it may be better to use the AntiXSS library. For .NET 4 users it's already baked into the framework.
You could use an <asp:Literal ...></asp:Literal> control instead of the Label. The literal has a Mode property which you can use to tell the control to html encode its output.
Instead of this:
<asp:Label Text='<%# Eval("UserData") %>' runat="server" />
Try using:
<asp:Literal Text='<%# Eval("UserData") %>' Mode="Encode" runat="server"></asp:Literal>
Use the Microsoft Web Protection Library (Anti-XSS library) provided by Microsoft for such purposes.
Security is hard, don't try to do it yourself. There will always be some hacker who is smarter.
You use it as follows (inside a data-bound control, so the binding syntax is <%# %> and the Eval result is converted to the string the encoder expects):
<asp:Label Text='<%# Microsoft.Security.Application.AntiXss.HtmlEncode(Convert.ToString(Eval("UserData"))) %>' runat="server" />

Outputting From Resource File

So I am working on localization for a website, and I have run into many scenarios where I need to output the localized string from the resource, such as in the following markup:
<cc1:TabPanel HeaderText="<%= Culture.Strings.labelImageA %>">
<HeaderTemplate>
<img id="ImageA" runat="server"/>
</HeaderTemplate>
<ContentTemplate>
<uc2:Charter ID="CharterA" runat="server" />
</ContentTemplate>
</cc1:TabPanel>
In the instance above, I am attempting to output from the resource Culture.Strings.labelImageA but am receiving a warning that
This is not a scriplet.Will be output as plain text
Is there an escape character I can use in the markup in order to allow this to pull from the resource file? Otherwise, I will have to jump through many hoops to set this property in the code behind.
What surely works is to use binding markup <%# %>. This, however, would probably require calling DataBind manually on your control.
I doubt there exists a simpler way.

ASP.NET Code Expression, Data Binding, and other Declarative Expressions

What are the differences in these tags?
<%
<%#
<%=
<%$
More importantly, how do I display a page property using declarative syntax in an ASP.NET control? I'm trying to do this in an ASP.NET control. The task is to set the text of a label, but I do not want to do this programmatically in the event I want to change the output control. I get an error that server-side controls can't contain this syntax. I'm not sure that I need a data-bound control for what I want to do, but that is another option.
Partial answer coming up.
Update
There is a new tag I've seen in ASP.NET 4.5? site
<%:
Partial answer
quoted from Mike Banavige
<% %> An embedded code block is server code that executes during the page's render phase. The code in the block can execute programming statements and call functions in the current page class.
http://msdn2.microsoft.com/en-gb/library/ms178135(vs.80).aspx
<%= %> most useful for displaying single pieces of information.
http://msdn2.microsoft.com/en-us/library/6dwsdcf5(VS.71).aspx
<%# %> Data Binding Expression Syntax.
http://msdn2.microsoft.com/en-us/library/bda9bbfx.aspx
<%$ %> ASP.NET Expression.
http://msdn2.microsoft.com/en-us/library/d5bd1tad.aspx
<%@ %> Directive Syntax.
http://msdn2.microsoft.com/en-us/library/xz702w3e(VS.80).aspx
<%-- --%> Server-Side Comments.
http://msdn2.microsoft.com/en-US/library/4acf8afk.aspx
Update:
Okay this appears to work
<asp:Label ID="MyLabel" runat="server" Text='<%# MyProperty%>'></asp:Label>
If I use the Eval syntax then I get an error about a data-bound control, or if I use the <% then I get a server-side controls error. Any more color appreciated... not sure I really understand what is going on.
Perhaps it has something to do with the render phase.
Few more observations:
I can use <%= without data binding and get the property value, but cannot use it in a server-side control without getting an error.
If I use <%# in a server-side control, I'm required to do a Page.DataBind.
Interestingly, I can use either <%= or <%# when I want to render text that is not inside a control, although the latter requires data binding.
The new <%: syntax is explained, also called code expression syntax
With ASP.NET 4 we are introducing a new code expression syntax (<%: %>) that renders output like <%= %> blocks do – but which also automatically HTML encodes it before doing so.
http://weblogs.asp.net/scottgu/new-lt-gt-syntax-for-html-encoding-output-in-asp-net-4-and-asp-net-mvc-2
No, server-side controls can't. For example, I have a string property named SkinPath that gives me the full App_Themes path to the current theme. I use it in the following way:
<img src='<%= SkinPath %>/Images/myImage.png' />
However, the following doesn't work:
<asp:Image ID='image' runat='server' ImageUrl='<%= SkinPath %>/Images/myImage.png' />
Instead, it renders the src literally in the result <img>.
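The following single-file page is an added example (not from any of the posts above) that puts the syntaxes from this thread and from the resource-file thread side by side: which ones work in plain HTML, which work inside a server control attribute, and which need a DataBind call. It assumes the property names MyProperty and SkinPath from the posts, ASP.NET 4.0 or later for the <%: %> form, and that the resource the other poster calls Culture.Strings.labelImageA lives in App_GlobalResources/Strings.resx so that it is reachable as Resources.Strings.labelImageA and via the Resources expression builder.

```aspx
<%@ Page Language="C#" %>
<script runat="server">
    // Page properties referenced from the markup below (names taken from the thread).
    public string MyProperty { get { return "Hello from the page"; } }
    public string SkinPath { get { return ResolveUrl("~/App_Themes/Default"); } }

    protected void Page_Load(object sender, EventArgs e)
    {
        // Data-binding expressions (the # form) are evaluated only when the page or the
        // individual control is data-bound; the = and : forms need no such call.
        Page.DataBind();
    }
</script>
<html><body><form runat="server">

<%-- 1. Plain HTML: the = form and the : form both work here.
        The : form (ASP.NET 4.0 and later) HTML-encodes the value before writing it. --%>
<img src='<%= SkinPath %>/Images/myImage.png' alt="" />
<p><%: MyProperty %></p>

<%-- 2. Server control attribute: the = form is not evaluated here and ends up as literal
        text in the rendered tag (see the answer above). The # form works because attribute
        data binding runs during DataBind(). --%>
<asp:Image ID="Image1" runat="server" ImageUrl='<%# SkinPath + "/Images/myImage.png" %>' />
<asp:Label ID="MyLabel" runat="server" Text='<%# MyProperty %>' />

<%-- 3. The $ form is an expression builder: resolved when the page is parsed, no DataBind
        needed. Assumes App_GlobalResources/Strings.resx with a key named labelImageA. --%>
<asp:Label ID="ResLabel1" runat="server" Text='<%$ Resources: Strings, labelImageA %>' />

<%-- 4. The same resource through the # form, the route suggested in the resource-file
        thread; this one only has a value because Page_Load calls DataBind(). --%>
<asp:Label ID="ResLabel2" runat="server" Text='<%# Resources.Strings.labelImageA %>' />

<%-- 5. Server-side comments like this block never reach the browser. --%>
</form></body></html>
```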

<%: %> brackets for HTML Encoding in ASP.NET 4.0

Accidentally I found this post about a new feature in ASP.NET 4.0: Expressions enclosed in these new brackets <%: Content %> should be rendered as HTML encoded.
I've tried this within a databound label in a FormView like so:
<asp:Label ID="MyLabel" runat="server" Text='<%: Eval("MyTextProperty") %>' />
But it doesn't work: The text property contains script tags (for testing), but the output is blank. Using the traditional way works:
<asp:Label ID="MyLabel" runat="server"
Text='<%# HttpUtility.HtmlEncode(Eval("MyTextProperty")) %>' />
What am I doing wrong?
(On a sidenote: I am too stupid to find any information: Google refuses to search for that thing. The VS2010 Online help on MSDN offers a lot of hits, but nothing related to my search. Stackoverflow search too. And I don't know how these "things" (the brackets I mean) are officially called to have a better search term.)
Any info and additional links and resources are welcome!
Thanks in advance!
You are confusing data binding expressions, which have the syntax <%#%> and are used with Eval (and Bind) with the response output tags (<%=%> and <%:%>) that cannot be used with Eval.
Use the <%#: %> HTML encoding databinding syntax. (Notice the ':' after the '#'). For example:
Text='<%#: Eval("PropertyToEval") %>'
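The page below is an added example (not code from either thread or from Microsoft) that renders one hostile value four ways inside a data-bound Repeater, so the unsafe Label case from the earlier thread can be compared with the three encoded alternatives discussed: a Literal with Mode="Encode", the EvalEncode helper, and the <%#: %> binding syntax. It assumes a constructed in-memory data source with a UserData property; the first row is the sample string from the earlier question.

```aspx
<%@ Page Language="C#" %>
<script runat="server">
    // Constructed sample rows standing in for whatever data source Eval("UserData") reads.
    private static readonly object[] Rows = new object[] {
        new { UserData = "<h1>joke is on you" },                      // sample from the question
        new { UserData = "a & b <script>alert(1)</script>" },         // constructed
        new { UserData = (string)null }                               // missing data
    };

    // .NET 3.5 helper in the spirit of the thread's EvalEncode: DataBinder.Eval returns null
    // for missing data, so Convert.ToString is used rather than .ToString() to avoid an exception.
    protected string EvalEncode(object container, string expression)
    {
        string raw = Convert.ToString(DataBinder.Eval(container, expression));
        return HttpUtility.HtmlEncode(raw);
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        if (!IsPostBack)
        {
            Repeater1.DataSource = Rows;
            Repeater1.DataBind();   // the # expressions below are evaluated only here
        }
    }
</script>
<html><body><form runat="server">
<asp:Repeater ID="Repeater1" runat="server">
  <ItemTemplate>
    <p>
      <%-- Unsafe: Label writes its Text verbatim, so markup in UserData becomes live HTML --%>
      Unsafe Label:   <asp:Label runat="server" Text='<%# Eval("UserData") %>' /><br />
      <%-- Safe on .NET 3.5: Literal with Mode="Encode" HTML-encodes its Text on render --%>
      Literal Encode: <asp:Literal runat="server" Mode="Encode" Text='<%# Eval("UserData") %>' /><br />
      <%-- Safe on .NET 3.5: encode in code before the control ever sees the value --%>
      EvalEncode:     <asp:Label runat="server" Text='<%# EvalEncode(Container.DataItem, "UserData") %>' /><br />
      <%-- Safe on ASP.NET 4.5 and later: the #: binding syntax encodes automatically.
           Delete this line when targeting 3.5, where it is a parse error. --%>
      Encoded bind:   <asp:Label runat="server" Text='<%#: Eval("UserData") %>' />
    </p>
  </ItemTemplate>
</asp:Repeater>
</form></body></html>
```

Viewing the page source shows the first row rendered as a live h1 element only in the "Unsafe Label" line; the three encoded lines emit &lt;h1&gt;joke is on you as text, and the null row renders as empty text in all four.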
