ASP.NET <%= %> vs <%: %> - asp.net

It seems I am missing something. But ever since .Net 4.0 came out I have been seeing references to the <%: %> syntax for ASP.NET. It seems like it is similar to <%= %> but clearly there is a reason for the new syntax. I tried Google but searching <%: %> doesn't seem to return anything. What does the <%: %> syntax do? Was it introduced in .Net 4.0 or 3.5? Can someone enlighten me?
Edited: Please provide reference or examples

I believe the <%: %> is auto HtmlEncoding.
This post from Scott Gu will help to explain - it was introduced in .NET 4 and MVC 2:
http://weblogs.asp.net/scottgu/archive/2010/04/06/new-lt-gt-syntax-for-html-encoding-output-in-asp-net-4-and-asp-net-mvc-2.aspx

: does html encoding.
Scott Guthrie has a nice post describing it in detail.
Don't use this where it is already encoded, otherwise it will double-encode it. This is useful if you want to output things like HTML, though.

Related

What is the difference between <%: and <%= in ASP .NET MVC 3

I'm just wondering, the only difference I know is that the <%= symbols generate any possible HTML tags that are included with the string you're planning to display, while <%: just displays what the string exactly looks like. If anyone can help me with this, I will greatly appreciate it.
Pretty good explanation from Scott Gu - New <%: %> Syntax for HTML Encoding Output in ASP.NET 4 (and ASP.NET MVC 2)
Excerpt:
ASP.NET applications (especially those using ASP.NET MVC) often rely on using <%= %> code-nugget expressions to render output. Developers today often use the Server.HtmlEncode() or HttpUtility.Encode() helper methods within these expressions to HTML encode the output before it is rendered. This can be done using code like below:
<div>
<%= Server.HtmlEncode(Model.Content) %>
</div>
While this works fine, there are two downsides of it:
It is a little verbose
Developers often forget to call the Server.HtmlEncode method – and there is no easy way to verify its usage across an app
New <%: %> Code Nugget Syntax
With ASP.NET 4 we are introducing a new code expression syntax (<%: %>) that renders output like <%= %> blocks do – but which also automatically HTML encodes it before doing so. This eliminates the need to explicitly HTML encode content like we did in the example above. Instead, you can just write the more concise code below to accomplish the exact same thing:
<div>
<%: Model.Content %>
</div>
The two inline code tags are essentially the same, the only difference being that <%: %> will automatically use encoding. So this:
<%: myText %>
is equivalent to this:
<%= Html.Encode(myText) %>
The former is recommended.
<%: is HtmlEncoded. Code Nuggets for asp.net
With ASP.NET 4 we are introducing a new code expression syntax (<%: %>) that renders output like <%= %> blocks do – but which also automatically HTML encodes it before doing so.
From Scott Gu blog:
With ASP.NET 4 we are introducing a new code expression syntax (<%:
%>) that renders output like <%= %> blocks do – but which also
automatically HTML encodes it before doing so. This eliminates the
need to explicitly HTML encode content like we did in the example
above. Instead, you can just write the more concise code below to
accomplish the exact same thing:
http://weblogs.asp.net/scottgu/archive/2010/04/06/new-lt-gt-syntax-for-html-encoding-output-in-asp-net-4-and-asp-net-mvc-2.aspx
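
The excerpt quoted above notes that there is no easy way to verify encoding usage across an app. The following check is an added example, not code from the original posts or from Scott Guthrie's article: it lists every <%= %> nugget whose expression contains none of the encoder calls named on this page. The class name NuggetAudit, the file extensions scanned and the sample view are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Text.RegularExpressions;

static class NuggetAudit
{
    // Matches <%= ... %> only; <%: %>, <%# %>, <%@ %> and <%-- --%> are not matched.
    static readonly Regex RawNugget = new Regex(@"<%=(?<expr>.*?)%>", RegexOptions.Singleline);
    // The explicit encoder calls that appear on this page.
    static readonly Regex Encoder = new Regex(@"\b(Server\.HtmlEncode|HttpUtility\.HtmlEncode|Html\.Encode)\s*\(");

    static List<string> Audit(string name, string text)
    {
        var findings = new List<string>();
        foreach (Match m in RawNugget.Matches(text))
        {
            string expr = m.Groups["expr"].Value.Trim();
            if (Encoder.IsMatch(expr)) continue; // heuristic: an encoder call is present
            int line = 1;
            for (int i = 0; i < m.Index; i++) if (text[i] == '\n') line++;
            findings.Add(name + ":" + line + ": raw output <%= " + expr + " %>");
        }
        return findings;
    }

    static int Main(string[] args)
    {
        var findings = new List<string>();
        if (args.Length == 0)
        {
            // Constructed sample view: one encoded <%= %>, one raw <%= %>, one <%: %>.
            findings.AddRange(Audit("sample.aspx",
                "<div>\n<%= Server.HtmlEncode(Model.Content) %>\n</div>\n" +
                "<p><%= Model.Title %></p>\n<p><%: Model.Title %></p>\n"));
        }
        else
        {
            foreach (string path in Directory.EnumerateFiles(args[0], "*.*", SearchOption.AllDirectories))
            {
                string ext = Path.GetExtension(path).ToLowerInvariant();
                if (ext == ".aspx" || ext == ".ascx" || ext == ".master")
                    findings.AddRange(Audit(path, File.ReadAllText(path)));
            }
        }
        foreach (string f in findings) Console.WriteLine(f);
        return findings.Count == 0 ? 0 : 1; // non-zero exit fails a build step
    }
}
```

Findings are candidates for review, not confirmed defects: a flagged nugget may be emitting markup on purpose.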

WebForms view engine documentation?

I have maybe a very, very simple question:
Where can I find documentation about the expressions and syntax of the WebForms view engine?
And what is the difference between
<%: expression %>
and
<%= expression %>
?
Thanks in advance for the reply.
<%: expression %> renders the content with HTML encoding, whereas <%= expression %> renders it as is.
See Scott Guthrie's post New <%: %> Syntax for HTML Encoding Output in ASP.NET 4 (and ASP.NET MVC 2) for more info.
I've got it:
http://msdn.microsoft.com/en-us/library/fy30at8h(VS.71).aspx

What is the difference between <%: and <%= in ASP.NET MVC?

I can't find this info anywhere. Probably because Google is ignoring the keywords. Is there a difference between using <%: and <%= in your aspx page? They seem interchangeable.
<%: %> is a new thing in ASP.NET MVC 2. It is the same as <%= Html.Encode("Text") %>. It is recommended to always use <%: %> unless you have some specific reason to not do so (for example, you are rendering data from some file or database that's already been encoded).
The difference is :
<%= "my <text>" %> will output my <text>, which is incorrect HTML
<%: "my <text>" %> will output my &lt;text&gt;, which is better
More details here
#ntcolonel is right on the money. Additionally, for cases where your data has already been encoded, provide it using anything implementing IHtmlString. This prevents double-encoding, and allows you to always use <%: %>.
I believe that ASP.NET 4 shops should gravitate toward enforcing <%: %> by policy.
Also, the new syntax is for ASP.NET 4 in general; not necessarily just MVC, which is great news for WebForms developers.
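
The encoding and double-encoding behaviour described in the answers above, as an added example that is not part of the original posts: it models <%: value %> as a call to HttpUtility.HtmlEncode(object), which leaves IHtmlString values unchanged. It assumes a .NET Framework 4 or later console project that references System.Web.dll; the class name, method names and sample strings are constructed for illustration.

```csharp
using System;
using System.Web; // assumption: .NET Framework 4+ with a reference to System.Web.dll

static class CodeNuggetDemo
{
    // Models <%= value %>: the string form is written as-is.
    static string RenderRaw(object value)
    {
        return Convert.ToString(value);
    }

    // Models <%: value %>: the string form is HTML-encoded, except for
    // IHtmlString values, whose ToHtmlString() result is written unchanged.
    static string RenderEncoded(object value)
    {
        return HttpUtility.HtmlEncode(value);
    }

    static void Main()
    {
        // Constructed sample values.
        string untrusted = "<script>alert(\"textstring\")</script>";
        string stored = HttpUtility.HtmlEncode("my <text>"); // already encoded once

        Console.WriteLine("<%= untrusted %>  -> " + RenderRaw(untrusted));
        Console.WriteLine("<%: untrusted %>  -> " + RenderEncoded(untrusted));

        // Encoding an already-encoded string turns & into &amp; a second time.
        Console.WriteLine("<%: stored %>     -> " + RenderEncoded(stored));

        // Wrapping in HtmlString (an IHtmlString) marks the value as final HTML,
        // so <%: %> passes it through. Only wrap values the application itself
        // has encoded or generated; wrapping untrusted input removes the protection.
        Console.WriteLine("<%: new HtmlString(stored) %> -> "
            + RenderEncoded(new HtmlString(stored)));
    }
}
```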

What does the new <%: %> encoding syntax in Visual Studio 2010 do?

Scott Hanselman's latest blog entry about the new VS 2010 features mentions "the new <%: %> encoding syntax". What does it do? Searching for these tags with Google doesn't seem to be possible...
Thanks,
Adrian
It outputs HTML with the entities encoded. It's short-hand for
<%= HttpUtility.HtmlEncode("Some string") %>
Furthermore, it can be extended to do extra cool stuff, like protecting the output against XSS, as Phil Haack demonstrated.
Phil Haack, Scott Guthrie and Scott Hanselman have blogged extensively about new and improved features in .NET 4.
It will automatically HTML-encode the enclosed expression.
So...
<%: yourString %>
... is equivalent to ...
<%= HttpUtility.HtmlEncode(yourString) %>
See the following MSDN link for more info:
HTML Encoded Code Expressions
Actually this Google search led me to this explanation of Scott Guthrie.
I think it ensures that the text contained inside is sanitized, so that JavaScript can't be injected into the page
so if you have
userdata = alert ("textstring")
<%= userdata %>
will show a message box on the page
<%: userdata %>
will show the text 'alert ("textstring")'
Its purpose is to help prevent against XSS attacks via encoding the HTML.

Html Encoded Code Expressions

In ASP.NET 4.0
should I use new syntax <%: expression %> or 2.0 <%= HttpUtility.HtmlEncode(expression) %>
Less keystrokes, less chance to make a mistake, easier to read => use the first option.
That's sort of like asking if you should do this:
<%= DateTime.Now %>
or this
<% Response.Write(DateTime.Now) %>
There's no right answer, but one certainly looks better to me.
