How Does <%: ... %> Differ From <%= ... %> in ASP.Net MVC


The <%= ... %> syntax has been available in ASP.NET since the platform was first invented. Just like the equivalent syntaxes in PHP, JSP, Classic ASP, and many other platforms, it’s a way to emit dynamic values into the HTML response. But this raises a question of security: if the dynamic value may originally have been supplied by a user, how can you be sure it doesn’t contain any unwanted HTML or malicious JavaScript? The standard way to avoid any such risk is to HTML-encode the value before emitting it, which converts any special characters (e.g., <) to harmless HTML entities (e.g., &lt;) that the browser knows to treat as plain text. <%= Html.Encode(ViewData["greeting"]) %> The tricky bit is remembering to write Html.Encode() all the time, especially considering that sometimes you must not encode certain values because they may contain HTML that you do want (e.g., from HTML helper methods like Html.ActionLink(), which already take care of encoding any parameter values for you), and you can’t HTML-encode a single value twice. If you forget to use Html.Encode() on a usersupplied value, you put your entire application at risk of cross-site scripting (XSS) attacks, as detailed in Chapter 15.

To solve this difficulty, in .NET 4 Microsoft enhanced the ASP.NET page compiler (which ASP.NET MVC uses by default for its views) to support a new syntax, <%: ... %>, intended to replace <%= ... %>. The difference is that <%: ... %> automatically HTML-encodes its output, blocking the XSS risk, except when the value being rendered comes from a HTML helper, in which case it knows not to reencode the value because it’s already safe. This is a huge simplification for developers: now, all you have to do is always use <%: ... %>, and preferably have some kind of hypnosis or brain surgery to erase all memory of the older, dangerous <%= ... %> syntax.

Comments

Post a Comment

Popular posts from this blog

Hosting WCF in IIS(9 Steps)

These are the 9 Different steps to Host WCF Application in IIS. 1. Create a Strong Name File - In order to get a Public Key 2. Copy the DLL in the Bin Folder to the Global Assembly Folder 3. Get the name including PublicKeyToken of the DLL eg: Test.WCF, Version=1.0.0.0, Culture=neutral, PublicKeyToken=someToken - Get it from the Properties of the DLL in the Global Assembly Cache - 4. Add it to the svc File eg: <%@ServiceHost Language="C#" Debug="true"   Service="Test.WCF.TestService,Test.WCF,   Version=1.0.0.0, Culture=neutral, PublicKeyToken=51dc0966f715a3f8" %> 5. Create a New Folder in IIS (intpub/wwwroot) 6. Copy the essential files from the project folder to the created New Folder 7. Set Permission to the folder via IIS 8. Run resetiis command 9. Test the Web Service
Read more

Difference between IEnumerator and IEnumerable

IEnumerator is an interfaces. An IEnumerator is a that can enumerate. It has 2 methods (MoveNext and Reset) and a property Current. To use IEnumerator is if you want a nonstandard way of enumerating (not iterating one-by-one) and want to define custom iteration. You create a new class implementing IEnumerator. Code Snippet:     public class MyCustomIterate:IEnumerator     {         public object Current         {             get { throw new NotImplementedException(); }         }         public bool MoveNext()         {             throw new NotImplementedException();         }         public void Reset()         {             throw new NotImplementedException();         }     } IEnumerable   is also an interfaces. An IEnumerable is that can be enumerated. It has just one method called GetEnumerator that returns an enumerator that iterates through a collection. When you implement enumerator logic in any of your collection class, you need to implement I
Read more

MVC and MVVM Architecture

What is MVVM? MVVM is Model View ViewModel. Its a design pattern used widely with Silverlight and WPF applications. We can say it as a successor of MVC pattern. In MVC - Model View Controller , now controller is the view model. View-Model is responsible for exposing the data objects from the Model in such a way that view objects are easily managed and consumed. Why should I use MVVM? 1. MVVM is a great design paatern for UI. 2. Using MVVM you write better, lesser and more manageable code. 3. Being layered changes in UI/views donot majorly affect the other layers. 4. Using MVVM you can create a simple, testable, robust framework on which any WPF/Silverlight applications can thrive. Difference between MVC and MVVM: In MVC input is directed at the Controller first, not the view. Its a Controller that is interfaced with to kick off some functionality. There is a many-to-one relationship between the Controller and the View. That's because a single controller may select di
Read more