Should I always use <%: instead of <%=

I know that <%: does the Html.Encode thing, but there are many situations where I am sure that I do not need to encode, so why should I spend time encoding something I am 100% sure does not require encoding, for example <%: Url.Action("Index") %> or <%: Model.Id %> (an int)?

+6
6 answers

Personally, I use it only for those things that I know should be encoded. You do not need to use it for integer types like <%: Model.Id %>, but this is only a personal preference.

+3

The <%: code nugget is part of the ASP.NET 4.0 web compiler and doesn't just call Html.Encode(). It checks whether the string has already been encoded (if the expression returns IHtmlString, it presumably will not be encoded again).

This means that it is safe to use it when inserting actual data or when inserting HTML from some kind of helper method (if you are writing your own helper methods, they should always return IHtmlString, as they do from MVC 2 on).

As for whether you should always use it: of course you don't have to. But I would rather not think too hard about it and be happier knowing that I have gained some protection against XSS attacks with little effort; so I almost always use it.

It is also recommended that you return MvcHtmlString from your HTML helpers, not string.

+8

One example where you would rather not use <%: is for strings that come from your resource file and contain HTML escape characters. I don't think you can make a blanket statement that you should always use <%:.

+4
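The behaviour described in the two answers above (encode everything except values that already implement IHtmlString, helpers returning MvcHtmlString, and the resource-string case where you deliberately want the markup kept) can be modelled in a few lines of C#. This is an added example, not code from the thread or from ASP.NET itself: it targets .NET Framework 4.x and references System.Web and System.Web.Mvc; CodeNugget, BoldLabel and BoldLabelAsString are hypothetical names, and the inputs are constructed.

```csharp
// Added example (not from the original thread): a console program that models the
// rule behind <%: ... %> in ASP.NET 4 and shows why helpers should return MvcHtmlString.
// Assumes .NET Framework 4.x with references to System.Web and System.Web.Mvc.
using System;
using System.Web;
using System.Web.Mvc;

static class NuggetDemo
{
    // Hypothetical stand-in for what <%: value %> effectively does: pass an
    // IHtmlString through untouched, HTML-encode everything else. (In .NET 4,
    // HttpUtility.HtmlEncode(object) applies the same IHtmlString rule.)
    public static string CodeNugget(object value)
    {
        if (value == null) return string.Empty;
        var alreadySafe = value as IHtmlString;
        if (alreadySafe != null) return alreadySafe.ToHtmlString();
        return HttpUtility.HtmlEncode(value.ToString());
    }

    // A hypothetical helper written the recommended way: it encodes the
    // user-supplied part once, then returns MvcHtmlString so that
    // <%: BoldLabel(x) %> renders the <b> tags instead of encoding them.
    public static MvcHtmlString BoldLabel(string text)
    {
        return MvcHtmlString.Create("<b>" + HttpUtility.HtmlEncode(text) + "</b>");
    }

    // The same helper returning plain string: under <%: the tags and the
    // already-encoded text get encoded a second time (double encoding).
    public static string BoldLabelAsString(string text)
    {
        return "<b>" + HttpUtility.HtmlEncode(text) + "</b>";
    }

    static void Main()
    {
        // Constructed sample input standing in for a user-controlled model field.
        string userInput = "<script>alert(1)</script>";
        // Constructed int field, like Model.Id in the question.
        int modelId = 42;
        // Constructed stand-in for a resource-file string that intentionally contains markup.
        string resourceHtml = "Read the <a href=\"/terms\">terms</a>";

        // Untrusted text: encoded, so the script tag is rendered as literal text.
        Console.WriteLine(CodeNugget(userInput));
        // An int has nothing to encode; the result is the digits unchanged.
        Console.WriteLine(CodeNugget(modelId));
        // MvcHtmlString passes through, markup intact, encoded content still encoded.
        Console.WriteLine(CodeNugget(BoldLabel("a<b")));
        // Plain string helper: its own tags get encoded too (the double-encoding surprise).
        Console.WriteLine(CodeNugget(BoldLabelAsString("a<b")));
        // Resource string with intentional HTML: <%: would encode the anchor tag away.
        Console.WriteLine(CodeNugget(resourceHtml));
        // Explicit opt-in keeps the markup; this is the case for <%= or MvcHtmlString.Create.
        Console.WriteLine(CodeNugget(MvcHtmlString.Create(resourceHtml)));
    }
}
```

The design point is that the decision "is this already safe HTML?" is carried by the type (IHtmlString), not by the author of the view remembering which values are trusted, which is why returning MvcHtmlString from helpers and wrapping known-good resource markup explicitly is safer than switching the whole expression to <%=.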

<%: model %> is equivalent to <%= Html.Encode(model) %>.

Using <%: saves keystrokes and improves performance,

but sometimes you have to use <%= (to not encode what you show on your page).

+1

One of the benefits of HTML encoding is that it makes pages W3C-valid for the corresponding data type. So, why validate a document in the first place?

To answer this question, please check: http://validator.w3.org/docs/why.html

In short, validating HTML saves a lot of time later in the development cycle, and it's good practice.

0

It’s easier if you use only one type, and it makes the code cleaner. Besides, you never know who will change the code and turn that simple “100%” statement into a not-so-100% expression :-)

Usually in a web environment, performance on such things is not a problem.

I would suggest using "<%:" as a team development guideline, just to be safe.

0
