Do you use <%: %> or <%= %> for html helpers in ASP.NET MVC 2.0?

Question

I know they now have this in ASP.NET MVC 2.0 <%: Model.CustomerName %>

So when you make HTML helpers is it better to use this way now (provided that you do not want to do HTML encoding)?

Answer 1

Yes, you always want to use <%: Model.CustomerName %> from now on where you can. Only in very specific cases should you use <%= %> but try not to use it at all.

If you are creating your own html helpers that you don't want to be encoded, then just return a MvcHtmlString from them.

E.g. This is a extension method I created to display a tick icon if the passed in value is true.

public static MvcHtmlString MECross(this HtmlHelper html, string value, string text)
{
    if (Convert.ToBoolean(value))
    {
        string spanTag = string.Format("<span class=\"replace icon-cross\" title=\"{0}\"><em></em>{1}</span>",
                                        html.AttributeEncode(text),
                                        html.Encode(text));

        return MvcHtmlString.Create(spanTag);
    }

    return MvcHtmlString.Empty;
}

Note that I Encode and AttributeEncode anything that could be dangerous in my extension method and then return a MvcHtmlString.

HTHs,
Chares

Answer 2

Using <%: %> should be used whenever you display user entered/submitted data to make your web pages safer.

But sometimes it's just not viable to HTML encode everything. What if you do want to preserve some HTML formatting? In this case you will have to use the regular <%= %> statement. Let's think of an example where this is the case.

Real-life example

Let's say you have some web content where users can submit their comments. You would like to provide the ability to preserve some formatting (at least line breaks). In this case you will have to preserve <br/> elements when later displaying these comments. You have two choices:

1. Cleanup and format comments when you store them in the DB - in this case you would strip all HTML tags from submitted comments and then replace all new lines (\n) with <br/>. When you would like to display this comment you could then call <%= Comment %>
2. Cleanup and format comments when you display them - in this case you would most probably call this <%= Html.Encode(Comment).Replace("\n", "<br/>") %>

Which one is better/safer depends on each particular case, but cleaning up HTML tags is always a nice step to include in any of the two. Everything also depends on allowed formatting definition. Should those be entered as regular tags or something similar to markdown or something completely different depends on you and the code in the end will most certainly depend on it.

Second approach advantages/disadvantages

• advantage
  Let's say that you do provide some formatting capabilities but after about a year or so you decide to change formatting rules or something related to them (which is quite common). If you use the second approach the new rules will work with old comments as well, because they were stored as is, while the first approach will loose its significance with old data. One example would be if you'd auto-detect web links in these comments in the cleanup/formatting phase. Using the first approach all links in old comments would stay unclickable, but if you used the second one even older comments with links would format them as clickable.
• disadvantage
  Second approach uses much more processing than the first one, because every comment would have to be preprocessed each time it's displayed, while in the first approach they're processed only once when we store them in the DB. Depending on the formatting/cleanup complexity and quantity of comments on each page this may become significant.
  If processing does become a problem you should think of an alternative to use first approach, but while cleaning up and re-formatting the comment you'd save both versions in your DB. Original submitted comments as well as processed ones. So when you do change formatting rules you can always reformat old comments because you stored originals.