On the ListView1_ItemDataBound event of a list view, I create the literal.text like so...
<span style="position:relative;">
<span id="term1" class="popup">This is the answer!</span>
Show me the answer</span>
The problem is that the text is not rendered as it should. On mousing over the literal control the url is
http://localhost:1391/"javascript:void(0);"onMouseover="ShowPop('term1');"
So what is going on here? What am I missing?
UPDATE1:
Here is the source from the browser
<span style="position:relative;"> <span id="term1" class="popup">This is the answer!</span> <a href="javascript:void(0);" onMouseover="ShowPop('term1');" onMouseout="HidePop('term1');">Show me the answer</a></span>
UPDATE2:
And here is the output from the screen
This is the answer Show me the answer
where...
Show me the answer is the hyperlink to http://localhost:1391/"javascript:void(0);"
You are missing a space between the end of the href attribute and the onMouseOver attribute.
Update: (following comment)
When hovering over a link, some browsers will show you where the href attribute points. In this case this would be "javascript:void(0);". Some will append the host URL to this preview, some will not.
Update 2: (following update to answer)
Looks like the framework is HTML Encoding the strings you are using. Make sure you set the Mode property of the literal control to LiteralMode.PassThrough.
Update 3: (following some testing)
I tried locally using string with quotes and had no problem. Are you sure you are not HTML encoding before setting the text property, or that it isn't coming in encoded? Try HTML decoding before setting the text property.
<a title="xyz" rel="simplemodal[examples]" href="images/x_big.jpg">
Right now, I'm clicking a pic which is allowing me to open a big image (modal window) with the above line and, with the title xyz but, I also want a link (for example, google)?
Thanks!
Edited-
I think my question was wrongly interpreted or I didn't ask correctly anyway..
Right now when I click on a small pic, I get a modal window with the bigger version of the same pic and, a title (xyz) on top of it.
I want to know how can I add a link to some website in the same line of code. I'm confused as a href is already used above!
Thanks!
Add target="_blank"
<a title="xyz" rel="simplemodal[examples]" href="images/x_big.jpg" target="_blank">
Add attribute target and set it to: _blank like here:
<a target="_blank" title="xyz" rel="simplemodal[examples]" href="images/x_big.jpg">
You can use target="_blank" property,
Link Text
The target attribute specifies where to open the linked document.
<a target="_blank|_self|_parent|_top|framename">
More about target attributes,
_blank Opens the linked document in a new window or tab
_self Opens the linked document in the same frame as it was clicked (this is default)
_parent Opens the linked document in the parent frame
_top Opens the linked document in the full body of the window
framename Opens the linked document in a named frame
Can we tag a single HTML element with multiple "itemprop" properties? I'm working on something for microdata tagging (schema.org).
<asp:HyperLink ID="hlnk10" itemprop="url" itemprop ="manufacturer" runat="server"> </asp:HyperLink>
The hyperlink Text contains both properties I want to tag
Is this possible as per schema.org standards?
Thanks in advance.
My reading of the specification leads me to the conclusion that you can
have just one itemprop attribute per element but it can have more than
one value.
"Every HTML element may have an itemprop attribute specified... The
itemprop attribute, if specified, must have a value that is an
unordered set of unique space-separated tokens that are
case-sensitive, representing the names of the name-value pairs that it
adds. The attribute's value must have at least one token."
http://www.whatwg.org/specs/web-apps/current-work/multipage/microdata.html#names:-the-itemprop-attribute
You might try the nu validator or a microdata parser to test your code
and make sure you're getting the output you expect.
So instead of <span itemprop="name" itemprop="description"> you would use <span itemprop="name description">
Google's Rich Snippet Testing Tool may not be able to handle multiple itemprop values, yet, though.
I don't know what that asp will generate, but I think you want output more like this:
<span itemprop="manufacturer">The Name</span>
In order to get access to the text content of the link you add an extra span. The value of an a element will always just be the value of its href attribute. Adding an extra span to get access to the text content of a link is a common pattern.
I have some text coming from an XML file. The text reads as &lt;br/&gt;, which after Html.Decode becomes <br/>, but since I am not using any server controls this gets displayed as <br/> text rather than a page break. Any clues?
Based upon your comment you are assigning the text <br/> to the InnerText property of a variable instance of the class HtmlGenericControl.
Your problem is the text is escaped (try viewing the source of the rendered page) so that it renders as text. Use the InnerHtml property instead to write out pre-formatted HTML in a HtmlGenericControl instance.
There are much better ways (and nicer ways) but
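text = text.Replace("<br/>", vbCrLf) 'VB: Replace returns a new string, so assign the result
or
text = text.Replace(@"<br/>", "\n"); // C#: Replace returns a new string, so assign the result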
Set InnerHtml of HtmlGenericControl instead of innerText
http://msdn.microsoft.com/en-us/library/7512d0d0%28v=vs.71%29.aspx
In my markup I am using HTML title attributes which I set by the Tooltip property of various ASP.NET controls like an asp:Label. The content of those titles come from a database and I use data binding syntax, for instance:
<asp:Label ID="PersonLabel" runat="server"
Text='<%# HttpUtility.HtmlEncode(Eval("PersonShortName")) %>'
ToolTip='<%# HttpUtility.HtmlEncode(Eval("PersonFullName")) %>' />
Now, tooltips seem to be displayed as plain text on Windows and in the browsers I have tested. So the HTML-encoding is not what I really want and I am inclined to remove the encoding.
Can this be dangerous in any way if the database fields may contain script tags for example? My question is basically: Is it always guaranteed that HTML-title attributes are displayed as plain text? Are they always displayed as tooltips at all, or is it possible that some browsers (or OSs) display them in another way and allow and render HTML content in the title attributes?
Edit:
Looking at some of the answers it seems I didn't phrase my question well, so here are some additions:
If I have in the code snippet above a PersonShortName of "PM" in my database and as the PersonFullName a name with non-ASCII characters in it like Umlauts in "Peter Müller" the browser displays in the tooltip Peter M&#252;ller when I apply HttpUtility.HtmlEncode like in the code example - which is ugly.
I've also tested a simple HTML fragment like:
<span title="<script>alert('Evil script')</script>" >Hello</span>
The script in the title attribute didn't run in a browser with enabled Javascript (tested with Firefox), instead it was displayed in the tooltip as plain text. Therefore my guess was that title attributes are always rendered as plain text.
But as Felipe Alsacreations answered below there exist "rich tooltip plugins" which may render the title attribute as HTML. So in this case encoding is a good thing. But how can I know that?
Perhaps HttpUtility.HtmlEncode isn't the right solution and I have to filter only HTML tags but not encode simple special characters to make sure that the plain text is displayed correctly and to protect "rich HTML tooltips" at the same time. But it looks like a costly work - only for a simple tooltip.
Always sanitize output to the browser.
If a value like "><script>blabla</script> is inserted as a value for your fields, a user can essentially take over your entire site. It will probably make a mess when it comes to validation and correct code, but the script will still be run.
So to answer your question: No, it is not guaranteed that HTML-title attributes are displayed as plain text if the user knows what he/she is doing.
Beside security reasons:
Title attributes should always be plain text but certain JS plugins misuse them to display 'rich' tooltips (i.e. HTML code with bold text, emphasis, links and so on).
As for browsers and AFAIK they are displayed as plain text and tooltips, never displayed to those who use tabbed navigation (keyboard) and screen readers give to their users (blind and partially sighted people) many options, like reading the longest between link title and its text or always title or never ...
Surprisingly, still, no right answer in 5 years. The answer is: yes, you need to encode the title attribute, but not everything that is encoded in the innerText of the element.
The proper way to do it in asp.net if you do your own markup is:
string markup = string.Format("<div class='myClass' title='{0}'>{1}</div>",
System.Web.HttpUtility.HtmlAttributeEncode(myText),
System.Web.HttpUtility.HtmlEncode(myText));
The above will set both innerText and title of the div to myText, which is customary for elements that may contain long text but are constrained in width (as I believe the question implies).
The ToolTip property of an ASP.NET control will auto encode the value on output/rendering.
This means it is safe to set the tooltip to plain text as the page will sanitize the text on rendering.
Label1.ToolTip = "Some encoded text < Tag >"
Renders HTML output as:
<span title="Some encoded text &lt; Tag &gt;"></span>
If you need to use text that is already encoded, you can set the title attribute instead. The title attribute will not be automatically encoded on rendering:
Label1.Attributes("title") = "Some encoded text &lt; Tag &gt;"
Renders HTML output as:
<span title="Some encoded text &lt; Tag &gt;"></span>
Another point:
Who cares how the title attribute is rendered by a browser, when it is the presence of malicious strings in the source code that could present an issue?
It doesn't matter how it is displayed, the question is: how does it appear in the source code?
(As already stated, if you're pumping strings to the client, do something to sanitize those strings.)
I think there may be some confusion going on with this thread.
Firstly <asp:Label> is an ASP.NET Web Control. The Text and ToolTip attributes are "abstractions" of the inline content and 'title' attributes of an HTML tag respectively.
For these particular two properties Microsoft will perform the HTML Encoding for you automatically so if you set ToolTip="H&S<" then the <span> tag will be rendered as <span title="H&amp;S&lt;"...>. The same goes for the Text property.
NOTE: Not all properties perform automatic encoding (HTML or InnerContent properties for example)
If however you are generating HTML tags directly (Response.Write("<span...") for example) then you MUST http encode the text content and tooltip attributes content if:
Those values originate from a user / external unsanitised source or
If there is a possibility that the content may contain characters that should be escaped (& < > etc.)
Usually this means that it is safe to do:
Hardcoded content with no http characters:
Response.Write("<span title='Book Reference'>The art of zen</span>"); // SAFE
Hardcoded content with http characters that you manually encode:
Response.Write("<span title='Book &amp; Reference'>The art &amp; zen</span>"); // SAFE
Dynamically sourced content:
Response.Write("<span title='"+sTitle+"'>"+sText+"</span>"); // UNSAFE
Response.Write("<span title='"+HttpUtility.HtmlEncode(sTitle)+"'>" +HttpUtility.HtmlEncode(sText)+"</span>"); // SAFE
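The points made in this thread, as an added example that is not code from any of the posts: raw concatenation lets the `"><script>` value close the title attribute, encoding once keeps it inside the attribute, and encoding twice produces the entity text the question describes for "Peter Müller". It uses System.Net.WebUtility.HtmlEncode as a stand-in for HttpUtility.HtmlEncode so it runs without System.Web; the helper names and sample strings are constructed for illustration.

```csharp
using System;
using System.Net; // WebUtility.HtmlEncode, usable without a System.Web reference

static class TitleAttributeDemo
{
    // Constructed sample values: the breakout string quoted in one answer
    // and the name with an umlaut from the question.
    const string Payload = "\"><script>blabla</script>";
    const string FullName = "Peter M\u00FCller";

    // Raw concatenation into a double-quoted attribute (the UNSAFE pattern).
    static string Concatenated(string title, string text) =>
        "<span title=\"" + title + "\">" + text + "</span>";

    // Encode exactly once, at the point where the markup is assembled.
    static string EncodedOnce(string title, string text) =>
        "<span title=\"" + WebUtility.HtmlEncode(title) + "\">"
        + WebUtility.HtmlEncode(text) + "</span>";

    // Encode a value and hand it to a layer that encodes again, as happens
    // when HtmlEncode output is bound to a property that auto-encodes.
    static string EncodedTwice(string title, string text) =>
        EncodedOnce(WebUtility.HtmlEncode(title), text);

    // Conservative check: true if the markup still contains a literal
    // <script> tag. After encoding, the angle brackets are entities.
    static bool HasLiteralScriptTag(string markup) =>
        markup.IndexOf("<script>", StringComparison.OrdinalIgnoreCase) >= 0;

    static void Main()
    {
        string raw = Concatenated(Payload, "PM");
        string safe = EncodedOnce(Payload, "PM");

        Console.WriteLine(raw);
        Console.WriteLine("literal script tag: " + HasLiteralScriptTag(raw));
        Console.WriteLine(safe);
        Console.WriteLine("literal script tag: " + HasLiteralScriptTag(safe));

        // A browser decodes an attribute value once: single encoding shows
        // the original name, double encoding shows the entity as text.
        Console.WriteLine(EncodedOnce(FullName, "PM"));
        Console.WriteLine(EncodedTwice(FullName, "PM"));
    }
}
```

The same reasoning applies in the page itself: decide which layer encodes (the control property or your own call) and make sure exactly one of them does.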
Please help me to get text (non-HTML / not formatted) from the Ajax text editor in ASP.NET. I am using VS 2008.
I am using AjaxControlToolkit.HTMLEditor
You can see the same kind of at : ajax HtmlEditor
Well, the documentation on the page you linked to only shows that the HTMLEditor has a Content property, which is the html text, not the plain text. However, the editor itself, on the page, allows you to view either the rendered html, or the html code (the markup).
The editor uses an <iframe> to contain the rendered html. If you want to get the plain text (no html tags), you'll have to do it on the clientside. The <iframe> has an id. You could use something like jquery to do this:
var plainText = $("#iframeID body").text();
$("#someHiddenField").val(plainText);
As long as someHiddenField is an <asp:HiddenField> control, it will contain the plain text of the editor when you post back. You just need to make sure you make the above assignment after you're done editing the HTMLEditor's content, but before you actually post back.
UPDATE
I answered another similar question, and my first answer might not actually get the text of the <iframe>. Try this:
var text = $("#iframeID").contents().find("body").text();
$("#ctl00_cpMainContent_Editor1_ctl02_ctl00").contents().find("body")[0].innerHTML