Ybbest

Reputation: 1550

Why do I need to stop using <%= … %> for rendering and start using <%: … %> in ASP.NET?

I read somewhere that I should stop using <%= … %> to render and start using <%: … %>.

Can anyone explain what the differences between <%= … %> and <%: … %> are, and what the advantages of using one or the other are?

Here is the slide deck I am reading

http://ssmith-presentations.s3.amazonaws.com/ASPNET_TipsTricksTools_April2010.zip

Here are the links you can get more information from

http://weblogs.asp.net/scottgu/archive/2010/04/06/new-lt-gt-syntax-for-html-encoding-output-in-asp-net-4-and-asp-net-mvc-2.aspx

http://haacked.com/archive/2009/11/03/html-encoding-nuggets-aspnetmvc2.aspx

Upvotes: 13

Views: 191

Answers (2)

R. Martinho Fernandes

Reputation: 234554

Basically, <%: will HTML encode the result, while <%= won't. This helps prevent XSS attacks. You can read more about it in this series of blog posts by Phil Haack.

Upvotes: 4

Richard

Reputation: 22026

Actually, it is a short version of <%= Server.HtmlEncode(string) %>

See this link

http://weblogs.asp.net/scottgu/archive/2010/04/06/new-lt-gt-syntax-for-html-encoding-output-in-asp-net-4-and-asp-net-mvc-2.aspx

It is better practice in order to avoid JavaScript attacks etc. So if someone adds a comment to your blog, for example, which has, say, an iframe or some JavaScript in it, then it will be rendered exactly as typed and not with the JS or iframe actually working.

Upvotes: 11
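The behaviour both answers describe, as an added example that is not code from the question, the answers, or ASP.NET itself: the two render functions stand in for what <%= … %> and <%: … %> do with a constructed blog comment, and the SafeHtml class is a local stand-in for the System.Web.IHtmlString check that ASP.NET 4 uses to avoid double-encoding markup built by helpers.

```csharp
using System;
using System.Net;

// Added example (not from the question or answers): models what the two
// render syntaxes do with a constructed, attacker-controlled blog comment.
// <%= expr %>  writes expr.ToString() verbatim.
// <%: expr %>  HTML-encodes the value, except when the value is marked as
//              already-safe markup (ASP.NET 4 checks System.Web.IHtmlString;
//              SafeHtml below is a local stand-in so this compiles without System.Web).
sealed class SafeHtml
{
    public string Markup { get; }
    public SafeHtml(string markup) { Markup = markup; }
    public override string ToString() => Markup;
}

static class RenderDemo
{
    // Equivalent of <%= value %>: no encoding at all.
    public static string RenderEquals(object value) => value?.ToString() ?? "";

    // Equivalent of <%: value %>: encode unless the value is marked as safe markup.
    public static string RenderColon(object value)
    {
        if (value is SafeHtml safe) return safe.Markup;        // trusted markup passes through
        return WebUtility.HtmlEncode(value?.ToString() ?? ""); // everything else is encoded
    }

    static void Main()
    {
        // Constructed sample: a comment someone posted to the blog.
        string comment = "Nice post! <iframe src=\"https://example.invalid/\"></iframe>";

        Console.WriteLine("<%= %> output: " + RenderEquals(comment));
        // -> the <iframe> tag reaches the browser as markup and is rendered.

        Console.WriteLine("<%: %> output: " + RenderColon(comment));
        // -> Nice post! &lt;iframe src=&quot;https://example.invalid/&quot;&gt;&lt;/iframe&gt;
        //    the browser shows the text exactly as typed; nothing executes.

        // Markup the application itself built (e.g. a helper's output) is not double-encoded.
        Console.WriteLine("<%: %> output: " + RenderColon(new SafeHtml("<b>from a helper</b>")));
    }
}
```

Only values the application deliberately wraps as safe markup bypass the encoding; anything that originates from user input should be rendered through the encoding path.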
