How do I automatically escape output in ASP.NET MVC?
In .NET 4 Microsoft added a new syntax, <%: … %>, which you may have started seeing in recent examples. It is designed to replace the old <%= … %> syntax. The difference is that it HTML-encodes its output automatically, unless the value implements IHtmlString, which is how the MVC HTML helpers mark their output as markup that is already safe to write.
This makes the developer's life a lot easier. Prior to .NET 4.0, you needed to remember when to wrap output in Html.Encode() and when not to:
<%= Html.Encode(ViewData["name"]) %>
<%= Html.ActionLink("Home") %>
If you forgot, you could leave your site vulnerable to cross-site scripting (XSS). The following code is a security risk because the value is written to the page unencoded:
<%= ViewData["name"] %>
With .NET 4 you can automatically escape the output by using the new syntax:
<%: ViewData["name"] %>
<%: Html.ActionLink("Home") %>
Now you no longer need to remember when to escape output and when not to. Two things are still worth keeping in mind. First, <%: %> only applies HTML encoding, so it protects you when the value lands in HTML text or a quoted attribute, not when it lands inside a <script> block or is used to build a URL. Second, wrapping untrusted data in an IHtmlString (for example with MvcHtmlString.Create) switches the encoding off again, so reserve that for markup you generate yourself.
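The encoding rule behind <%: %> can be seen outside a view. The console program below is an added example, not code from the original post; it assumes a .NET Framework 4.x project with a reference to System.Web.dll, which is where HttpUtility, IHtmlString and HtmlString live. HttpUtility.HtmlEncode(object) encodes the string form of whatever it is given, except values that implement IHtmlString, which it returns unchanged; the input string is constructed for the demonstration.

```csharp
// Added example (not from the original post). Requires a reference to
// System.Web.dll on .NET Framework 4.x, which provides HttpUtility,
// IHtmlString and HtmlString.
using System;
using System.Web;

static class EscapeDemo
{
    // Mirrors what a <%: ... %> block does with the value it is given:
    // HtmlEncode(object) encodes the value's string form, but passes
    // IHtmlString values through untouched.
    static string Emit(object value)
    {
        return HttpUtility.HtmlEncode(value);
    }

    static void Main()
    {
        // Constructed untrusted input, e.g. a query-string value an
        // action copied into ViewData["name"].
        object name = "<img src=x onerror=alert(1)>";

        // 1) The old <%= %> behaviour: the raw value reaches the browser.
        Console.WriteLine(Emit(new HtmlString((string)name)));

        // 2) The <%: %> behaviour: the markup is encoded and renders as text.
        Console.WriteLine(Emit(name));

        // 3) Helper output is already an IHtmlString, so it passes through
        //    exactly as the helper built it.
        IHtmlString link = new HtmlString("<a href=\"/\">Home</a>");
        Console.WriteLine(Emit(link));

        // 4) The trap: wrapping untrusted data in an IHtmlString (HtmlString
        //    here, MvcHtmlString.Create in MVC) tells <%: %> not to encode it,
        //    which is exactly case 1 again.
        Console.WriteLine(Emit(new HtmlString((string)name)));
    }
}
```

Cases 2 and 3 are the two branches the view engine takes for every <%: %> block; case 4 is the one to grep for in code review, since any MvcHtmlString or HtmlString built from request data reintroduces the <%= %> problem under the new syntax.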