As far as I can tell, both of these tag types do the same thing. Which is preferred to use?
Thanks for the help everyone
d m
2010-09-26 18:21:07
Thanks. Sometimes I come across a question I had but never got around to asking...
Bryce Fischer
2010-09-26 19:34:49
+1
A:
`<%: %>` would be preferred as it automatically HTML Encodes the value, however it only works in .NET 4.
adrift
2010-09-26 18:04:55
+2
A:
They are not the same:
`<%=%>` is the same as `Response.Write`
`<%:%>` adds `Server.HtmlEncode` to `Response.Write`
Hence, `<%:%>` is preferred (added since .NET 4.0), as it adds the security measure of encoding the output before outputting the string.
If you are using .NET 3.5 or before, best practice is to use `<%=Server.HtmlEncode(val)%>`.
Oded
2010-09-26 18:04:57
@Praveen Prasad - I believe they are supposed to be doing the same job, but in practice a bit different (not enough to cause problems, but one is stricter than the other, if memory serves).
Oded
2010-09-26 18:57:48
A:
You use `<%:` when you need to sanitize the string (i.e. from something that was inputted by a user and can be potentially malicious).
Basically `<%=` just writes the string as it is to the HTML and `<%:` is the same as writing `<%= Html.Encode("something") %>`
Raphael
2010-09-26 18:06:25
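The two syntaxes side by side in a minimal Web Forms page for .NET 4, as an added example that is not from any of the answers above; the field names and sample strings are constructed. It also shows one behaviour the answers do not mention: `<%: %>` leaves values that implement `IHtmlString` unencoded, so markup that is already safe is not encoded a second time.

```aspx
<%@ Page Language="C#" %>
<script runat="server">
    // Constructed sample standing in for a value that came from a user.
    string comment = "<i>hello</i> & \"goodbye\"";

    // Markup the application built itself and considers safe to emit.
    // Wrapping it in HtmlString (implements IHtmlString) tells <%: %>
    // not to encode it again.
    IHtmlString notice = new HtmlString("<em>site notice</em>");
</script>
<html>
<body>
  <%-- Same as Response.Write: the <i> tag in the value reaches the
       browser as real markup. --%>
  <p><%= comment %></p>

  <%-- .NET 4 and later: the value is HTML-encoded on output, so the
       browser shows the tag as text instead of interpreting it. --%>
  <p><%: comment %></p>

  <%-- .NET 3.5 and earlier: encode explicitly to get the same result. --%>
  <p><%= Server.HtmlEncode(comment) %></p>

  <%-- IHtmlString values pass through <%: %> unencoded, so the <em>
       element renders as markup. Only wrap strings that contain no
       unencoded user input. --%>
  <p><%: notice %></p>

  <%-- The encoding also covers the double quote, so the value cannot
       close a double-quoted attribute early. --%>
  <input type="text" value="<%: comment %>" />
</body>
</html>
```

Viewing the page source in the browser shows the difference directly: the first paragraph contains a live `<i>` element, the second and third contain the encoded text.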