Nice idea to use `<%=` in a WebControl?

Recently I started using `<%=` more often in my web controls. I usually set the string properties in the code-behind and then spit them out into the form.

Is it a bad idea?

eg.

Code for:

Properties:

public string TheTitle { get; set; }
public string TheBody { get; set; }
public ContentItem TheContent { get; set; }
public string ContentId
{
    // Parenthesise the conditional: without the parentheses "content" + (TheContent != null)
    // is evaluated first and the expression does not compile.
    get { return "content" + (TheContent != null ? TheContent.Id.ToString() : "0"); }
}

Page_Load:

TheTitle = TheContentItem.Title;
TheBody = TheContentItem.Body;

On the page:

<div id='<%= ContentId %>'>

  <h2 class='title'><%= TheTitle ?? "No Title" %></h2>
  <p><%= TheBody %></p>

</div>
+3
3 answers

This is only a problem when the data is not validated.

Using the .NET 4 syntax `<%: TheBody %>` is an effective way to encode potentially untrusted data. In earlier versions of the framework you can use `<%= HttpUtility.HtmlEncode(TheBody) %>` for the same effect.

+4
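To make the difference between the question's raw `<%= %>` output and the encoded `<%: %>` / `HttpUtility.HtmlEncode` output concrete, here is an added console example (not code from the question or the answers). It simulates what the page above emits for a title and an element id, once raw and once encoded. The input strings are constructed for the demonstration; `RenderRaw`, `RenderEncoded` and `ContentItem` are hypothetical names, and the example assumes `System.Web.HttpUtility` is available (it is in .NET Framework and in .NET Core 2.0 and later).

```csharp
// Added example: raw <%= %> interpolation versus HtmlEncode, as a runnable console program.
using System;
using System.Web;

// Hypothetical stand-in for the question's ContentItem type.
class ContentItem
{
    public int Id { get; set; }
    public string Title { get; set; }
    public string Body { get; set; }
}

static class Program
{
    // Constructed sample: a content item whose text came from an untrusted source.
    static readonly ContentItem Untrusted = new ContentItem
    {
        Id = 42,
        Title = "Hello <script>alert('xss')</script>",
        Body = "x' onmouseover='alert(1)"
    };

    // Corrected form of the question's ContentId getter (conditional in parentheses).
    static string ContentId(ContentItem item)
    {
        return "content" + (item != null ? item.Id.ToString() : "0");
    }

    // What  <%= TheTitle ?? "No Title" %>  produces: the text is copied into the markup unchanged,
    // so a <script> element in the title becomes part of the page.
    static string RenderRaw(ContentItem item)
    {
        return "<div id='" + ContentId(item) + "'>\n"
             + "  <h2 class='title'>" + (item.Title ?? "No Title") + "</h2>\n"
             + "  <p>" + item.Body + "</p>\n"
             + "</div>";
    }

    // What  <%: TheTitle ?? "No Title" %>  (or <%= HttpUtility.HtmlEncode(...) %>) produces:
    // <, >, &, " are encoded; in .NET 4 and later the apostrophe is encoded as &#39; too,
    // which matters because the question's markup uses single-quoted attributes.
    static string RenderEncoded(ContentItem item)
    {
        return "<div id='" + HttpUtility.HtmlEncode(ContentId(item)) + "'>\n"
             + "  <h2 class='title'>" + HttpUtility.HtmlEncode(item.Title ?? "No Title") + "</h2>\n"
             + "  <p>" + HttpUtility.HtmlEncode(item.Body) + "</p>\n"
             + "</div>";
    }

    static void Main()
    {
        Console.WriteLine("--- raw (<%= %>) ---");
        Console.WriteLine(RenderRaw(Untrusted));
        Console.WriteLine();
        Console.WriteLine("--- encoded (<%: %> / HtmlEncode) ---");
        Console.WriteLine(RenderEncoded(Untrusted));
    }
}
```

Run it with `dotnet run` (or `csc` plus a reference to `System.Web` on .NET Framework) and compare the two blocks: in the raw output the `<script>` element and the stray `'` survive intact, while in the encoded output they appear as `&lt;script&gt;` and `&#39;`, so the browser renders them as text rather than markup. The id attribute is encoded as well: even a value that the code-behind builds itself is worth encoding if any part of it could come from outside.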

, , XSS.

+2

, *, . - , , .

, (* , , ). , , , , ..

:. HttpUtility.HtmlEncode, ASP.NET 4, <%: , . , aspx, , . , ASP.NET MVC. <%= <%: , HTML- .

+1

Source: https://habr.com/ru/post/1763673/

