Scott Hanselman's latest blog entry about the new VS 2010 features mentions "the new <%: %> encoding syntax". What does it do? Searching for these tags with google doesn't seem to be possible...
Thanks,
Adrian
It outputs HTML with the entities encoded. It's short-hand for
<%= HttpUtility.HtmlEncode("Some string") %>
Furthermore, it can be extended to do extra cool stuff, like protecting the output against XSS, as Phil Haack demonstrated.
Phil Haack, Scott Guthrie and Scott Hanselman have blogged extensively about new and improved features in .NET 4.
It will automatically HTML-encode the enclosed expression.
So...
<%: yourString %>
... is equivalent to ...
<%= HttpUtility.HtmlEncode(yourString) %>
See the following MSDN link for more info:
HTML Encoded Code Expressions
Actually this Google search led me to this explanation by Scott Guthrie.
I think it ensures that the text contained inside is sanitized, so that JavaScript can't be injected into the page
so if you have
userdata = alert ("textstring")
<%= userdata %>
will show a message box on the page
<%: userdata %>
will show the text 'alert ("textstring")'
Its purpose is to help prevent XSS attacks by encoding the HTML.
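As an added example (not code from any of the answers above), the following console program emulates what the two code nuggets hand to the response for the same untrusted value. It assumes a .NET Framework 4 project with a reference to System.Web; the helper names RenderRaw and RenderEncoded are hypothetical and stand in for the <%= %> and <%: %> nuggets.

```csharp
// Added example: what <%= %> and <%: %> emit for one untrusted string.
// Assumes a reference to System.Web (.NET Framework 4).
// RenderRaw / RenderEncoded are hypothetical names standing in for the two nuggets.
using System;
using System.Web;

static class NuggetDemo
{
    // <%= value %> : the string reaches the response untouched.
    public static string RenderRaw(string value)
    {
        return value;
    }

    // <%: value %> : shorthand for <%= HttpUtility.HtmlEncode(value) %>.
    // '<', '>', '&', '"' and (in .NET 4) '\'' become entities.
    public static string RenderEncoded(string value)
    {
        return HttpUtility.HtmlEncode(value);
    }

    static void Main()
    {
        // Constructed sample: a form field value that carries markup.
        string userData = "<script>alert(\"textstring\")</script>";

        // With <%= %> the script element is written into the page as markup.
        Console.WriteLine("<div>" + RenderRaw(userData) + "</div>");

        // With <%: %> the angle brackets and quotes are entity-encoded, so the
        // browser renders the characters as text instead of parsing a <script> element.
        Console.WriteLine("<div>" + RenderEncoded(userData) + "</div>");

        // The encoded form never contains a raw '<', which is the property that
        // stops markup injection from this expression.
        Console.WriteLine(RenderEncoded(userData).IndexOf('<') < 0);
    }
}
```

Compile it as a console application and compare the two lines: the first contains a literal <script> element, the second contains only entities, which is exactly the difference between userdata rendered through <%= %> and through <%: %> in the answer above.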
I'm just wondering, the only difference I know is that the <%= symbols generate any possible HTML tags that are included in the string you're planning to display, while <%: just displays what the string exactly looks like. If anyone can help me with this, I will greatly appreciate it.
Pretty good explanation from Scott Gu - New <%: %> Syntax for HTML Encoding Output in ASP.NET 4 (and ASP.NET MVC 2)
Excerpt:
ASP.NET applications (especially those using ASP.NET MVC) often rely on using <%= %> code-nugget expressions to render output. Developers today often use the Server.HtmlEncode() or HttpUtility.Encode() helper methods within these expressions to HTML encode the output before it is rendered. This can be done using code like below:
<div>
<%= Server.HtmlEncode(Model.Content) %>
</div>
While this works fine, there are two downsides of it:
It is a little verbose
Developers often forget to call the Server.HtmlEncode method – and there is no easy way to verify its usage across an app
New <%: %> Code Nugget Syntax
With ASP.NET 4 we are introducing a new code expression syntax (<%: %>) that renders output like <%= %> blocks do – but which also automatically HTML encodes it before doing so. This eliminates the need to explicitly HTML encode content like we did in the example above. Instead, you can just write the more concise code below to accomplish the exact same thing:
<div>
<%: Model.Content %>
</div>
The two inline code tags are essentially the same, the only difference being that <%: %> will automatically use encoding. So this:
<%: myText %>
is equivalent to this:
<%= Html.Encode(myText) %>
The former is recommended.
<%: is HtmlEncoded. Code Nuggets for asp.net
With ASP.NET 4 we are introducing a new code expression syntax (<%: %>) that renders output like <%= %> blocks do – but which also automatically HTML encodes it before doing so.
From Scott Gu blog:
With ASP.NET 4 we are introducing a new code expression syntax (<%: %>) that renders output like <%= %> blocks do – but which also automatically HTML encodes it before doing so. This eliminates the need to explicitly HTML encode content like we did in the example above. Instead, you can just write the more concise code below to accomplish the exact same thing:
http://weblogs.asp.net/scottgu/archive/2010/04/06/new-lt-gt-syntax-for-html-encoding-output-in-asp-net-4-and-asp-net-mvc-2.aspx
Is there a particular name for <% and %>?
Scott Gu calls these Code Nuggets.
So that's what I go with.
http://weblogs.asp.net/scottgu/archive/2010/04/06/new-lt-gt-syntax-for-html-encoding-output-in-asp-net-4-and-asp-net-mvc-2.aspx
<% %> is usually referred to as a "server-side code block" or "code rendering blocks".
http://quickstarts.asp.net/QuickstartV20/aspnet/doc/pages/syntax.aspx
Which is different from <%# %>, which is a "databinding code block"
and <%$ %> is an 'expression code block'. (introduced in .NET 2.0)
They were nicknamed a long time ago as Yellow Tags, because of how Visual Studio highlighted them in yellow.
I think they are just called delimiters.
It seems I am missing something. But ever since .NET 4.0 came out I have been seeing references to the <%: %> syntax for ASP.NET. It seems like it is similar to <%= %> but clearly there is a reason for the new syntax. I tried Google but searching <%: %> doesn't seem to return anything. What does the <%: %> syntax do? Was it introduced in .NET 4.0 or 3.5? Can someone enlighten me?
Edited: Please provide reference or examples
I believe the <%: %> is auto HtmlEncoding
This post from Scott Gu will help to explain - it was introduced in .NET 4 and MVC2
http://weblogs.asp.net/scottgu/archive/2010/04/06/new-lt-gt-syntax-for-html-encoding-output-in-asp-net-4-and-asp-net-mvc-2.aspx
<%: %> does HTML encoding.
Scott Guthrie has a nice post describing it in detail.
Don't use this where it is already encoded, otherwise it will double encode it. This is useful if you want to output things like HTML, though.
I have maybe a very, very simple question:
Where can I find documentation about the expressions and syntax of the WebForms view engine?
And what is the difference between
<%: expression %>
and
<%= expression %>
?
Thanks in advance for your reply
<%: expression %> renders the content with HTML encoding, whereas <%= expression %> renders it as is.
See Scott Guthrie's post New <%: %> Syntax for HTML Encoding Output in ASP.NET 4 (and ASP.NET MVC 2) for more info.
I've got it:
http://msdn.microsoft.com/en-us/library/fy30at8h(VS.71).aspx
I can't find this info anywhere. Probably because Google is ignoring the keywords. Is there a difference between using <%: and <%= in your aspx page? They seem interchangeable.
<%: %> is a new thing in ASP.NET MVC 2. It is the same as <%= Html.Encode("Text") %>. It is recommended to always use <%: %> unless you have some specific reason to not do so (for example, you are rendering data from some file or database that's already been encoded).
The difference is :
<%= "my <text>" %> will output my <text>, which is incorrect HTML
<%: "my <text>" %> will output my &lt;text&gt;, which is better
More details here
#ntcolonel is right on the money. Additionally, for cases where your data has already been encoded, provide it using anything implementing IHtmlString. This prevents double-encoding, and allows you to always use <%: %>.
I believe that ASP.NET 4 shops should gravitate toward enforcing <%: %> by policy.
Also, the new syntax is for ASP.NET 4 in general; not necessarily just MVC, which is great news for WebForms developers.
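The double-encoding caveat raised in the two answers above (content that is already encoded, and handing it over as an IHtmlString) is easy to see in isolation. The program below is an added example, not code from the answers or from ASP.NET itself; it assumes a .NET Framework 4 project referencing System.Web, and EncodeLikeColonNugget is a hypothetical helper name for what <%: %> does with its expression.

```csharp
// Added example: why already-encoded content should reach <%: %> as an IHtmlString.
// Assumes a reference to System.Web (.NET Framework 4).
// EncodeLikeColonNugget is a hypothetical name for the nugget's encoding step.
using System;
using System.Web;

static class DoubleEncodingDemo
{
    // <%: expr %> uses the object overload of HttpUtility.HtmlEncode, which
    // encodes a plain string but returns an IHtmlString's markup unchanged.
    public static string EncodeLikeColonNugget(object expr)
    {
        return HttpUtility.HtmlEncode(expr);
    }

    static void Main()
    {
        // Constructed sample: a value that was HTML-encoded before it was stored.
        string storedHtml = "Tom &amp; Jerry &lt;b&gt;bold&lt;/b&gt;";

        // Passing the plain string encodes it a second time: every '&' of the
        // existing entities is itself turned into an entity, so the page shows
        // the literal text "&amp;" instead of an ampersand.
        string doubled = EncodeLikeColonNugget(storedHtml);

        // Wrapping it in HtmlString (which implements IHtmlString) tells the
        // nugget the value is already safe, so it passes through untouched.
        string passedThrough = EncodeLikeColonNugget(new HtmlString(storedHtml));

        Console.WriteLine(doubled);
        Console.WriteLine(passedThrough);
        Console.WriteLine(passedThrough == storedHtml);   // true: no re-encoding
        Console.WriteLine(doubled == storedHtml);         // false: encoded twice
    }
}
```

The design point is that the decision "this value is already encoded" travels with the value as its type rather than with the template, so views can use <%: %> everywhere and the only place that needs review is wherever an HtmlString is constructed.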