Hi,

Scott Hanselman's latest blog entry about the new VS 2010 features mentions "the new <%: %> encoding syntax". What does it do? Searching for these tags with google doesn't seem to be possible...

Thanks,

Adrian

+1  A: 

I think it ensures that the text contained inside is sanitized, so that JavaScript can't be injected into the page.

so if you have

userdata = alert ("textstring")

<%= userdata %>

will show a message box on the page

<%: userdata %>

will show the text 'alert ("textstring")'

Sam Holder
+4  A: 

It will automatically HTML-encode the enclosed expression.

So...

<%: yourString %>

... is equivalent to ...

<%= HttpUtility.HtmlEncode(yourString) %>

See the following MSDN link for more info:

LukeH
+8  A: 

It outputs HTML with the entities encoded. It's short-hand for

<%= HttpUtility.HtmlEncode("Some string") %>

Furthermore, it can be extended to do extra cool stuff, like protecting the output against XSS, as Phil Haack demonstrated.

Phil Haack, Scott Guthrie and Scott Hanselman have blogged extensively about new and improved features in .NET 4.

alastairs
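To make the difference between the two tags concrete, here is a small model of the render modes described above, added as an illustration and not code from the question or from ASP.NET itself: a tiny template renderer that treats <%= %> as raw output and <%: %> as HtmlEncode'd output, and (going slightly beyond the answers) honours an already-encoded marker the way ASP.NET 4's HttpUtility.HtmlEncode(object) honours IHtmlString. The template syntax, the HtmlString marker class and the sample input are constructed for this example.

```python
import re

# Matches ASP.NET-style <%= expr %> (raw) and <%: expr %> (HTML-encoded) tags.
TAG_RE = re.compile(r"<%(?P<kind>[=:])\s*(?P<expr>.*?)\s*%>", re.DOTALL)


def html_encode(value: str) -> str:
    """Encode the five characters HttpUtility.HtmlEncode touches.
    '&' goes first so later replacements are not re-encoded."""
    return (value.replace("&", "&amp;")
                 .replace("<", "&lt;")
                 .replace(">", "&gt;")
                 .replace('"', "&quot;")
                 .replace("'", "&#39;"))


class HtmlString(str):
    """Constructed marker for markup that is already safe (stands in for
    IHtmlString); <%: %> emits it verbatim instead of double-encoding."""


def render(template: str, model: dict) -> str:
    """Expand every tag in `template` by looking its expression up in `model`."""
    def substitute(match: re.Match) -> str:
        value = model[match.group("expr")]
        if match.group("kind") == "=":
            return str(value)                 # <%= %>: written to the page as-is
        if isinstance(value, HtmlString):
            return str(value)                 # trusted markup, not encoded again
        return html_encode(str(value))        # <%: %>: HtmlEncode of the value
    return TAG_RE.sub(substitute, template)


def demo() -> dict:
    # Constructed untrusted input of the kind a user could submit in a form field.
    model = {
        "userdata": '<script>alert("textstring")</script>',
        "banner": HtmlString("<b>Welcome</b>"),
    }
    return {
        "raw": render("<p><%= userdata %></p>", model),
        "encoded": render("<p><%: userdata %></p>", model),
        "trusted": render("<div><%: banner %></div>", model),
    }


if __name__ == "__main__":
    for mode, markup in demo().items():
        print(f"{mode:8} {markup}")
```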
+1  A: 

Actually this Google search led me to this explanation by Scott Guthrie.

Prutswonder
This leads me to the next question: I wonder why google doesn't give any results for "<%: %>" although that string is right in the title and header of the page...
Adrian Grigore
You're right, it was a lucky search: the "<%: %>" keyword wasn't used, so Google showed the results for "asp.net 4 new syntax". Google doesn't support escaping of punctuation characters and I haven't found a workaround for it, sorry.
Prutswonder
Certainly not your fault. Thanks for the link though :-)
Adrian Grigore
A: 

Its purpose is to help prevent XSS attacks by encoding the HTML.

AJM