New <%:%> syntax for HTML coding in ASP.NET 4 and ASP.NET MVC 2

image
This is the nineteenth article in the series on VS 2010 and .NET4.

Today's post covers a small but very useful feature: the new <%: %> syntax introduced in ASP.NET 4, which lets you HTML-encode output automatically right in the code block.

HTML encoding

Cross-site scripting (XSS) and HTML injection attacks are two of the most common security issues that plague websites and applications. They occur when an attacker finds a way to inject client-side script into a page, where it can steal cookie data or act under the user's identity on the site to cause harm.

The only way to eliminate these attacks is to make sure that all output is HTML-encoded. This ensures that content entered by or supplied to a user can never be echoed back to the page as live markup such as <script> or <img> tags.

How is HTML encoding done today?

ASP.NET applications (especially those using ASP.NET MVC) often render output with an expression inside a <%= %> code block. Today, developers most often call the Server.HtmlEncode() or HttpUtility.HtmlEncode() helper methods to encode the value before it is written to the page. Here is some sample code:

image

The code works without problems, but there is always a "but":
  1. The expression is verbose.
  2. Developers often forget to call Server.HtmlEncode, and there is no easy way to verify that encoding is applied everywhere.

The new <%: %> code block

ASP.NET 4 introduces a new code expression, <%: %>, which works like the <%= %> block but additionally HTML-encodes its output automatically. The new block removes the need to HTML-encode the content explicitly, as we did in the example above. Instead, you simply write the shorter form shown below:

image

We chose the <%: %> syntax so that converting existing <%= %> code blocks is simply a matter of replacing them.

Avoiding double encoding

Since HTML encoding is common practice, there are situations where your value has already been encoded and you do not want to encode it a second time.

ASP.NET 4 introduces the new IHtmlString interface (along with a concrete implementation, HtmlString), which you can implement on your types to indicate that a value is already encoded for display as HTML and therefore must not be HTML-encoded again. The <%: %> code block checks whether the value implements IHtmlString and, if it does, writes the result without re-encoding it. This frees developers from having to choose between <%= %> and <%: %> for such values.

Using ASP.NET MVC HTML helper methods with <%: %>

For a practical use of HTML encoding, consider the scenario where you use HTML helper methods in ASP.NET MVC. These methods most often return HTML markup. For example, the Html.TextBox() helper returns markup such as <input type="text" />. In ASP.NET MVC 2 these helper methods return an HtmlString by default, which indicates that the returned content is safe to render and should not be encoded by <%: %>.

This lets you call the helpers exactly as before inside a <%= %> block:

image

and equally inside a <%: %> block:

image

In both cases the HTML content returned by the helper method is rendered on the client as HTML, and <%: %> does not encode it a second time.
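Putting the two rules above together (encode by default, pass IHtmlString values through untouched), here is a small console model of what the two code blocks do with user input and with helper output. This is example code added for this article, not ASP.NET's own implementation: the IHtmlString, HtmlString and TextBox types below are minimal stand-ins for the System.Web types, and WebUtility.HtmlEncode stands in for Server.HtmlEncode.

```csharp
using System;
using System.Net;
// Model of the ASP.NET 4 IHtmlString contract: implementers promise that
// ToHtmlString() already returns safe, encoded markup.
interface IHtmlString { string ToHtmlString(); }

sealed class HtmlString : IHtmlString
{
    private readonly string _html;
    public HtmlString(string html) { _html = html; }
    public string ToHtmlString() { return _html; }
    public override string ToString() { return _html; }
}

static class View
{
    // <%= expr %>: the value is written out exactly as it is, no encoding.
    public static string EqualsBlock(object value) { return Convert.ToString(value); }

    // <%: expr %>: IHtmlString values pass through, everything else is HTML-encoded.
    public static string ColonBlock(object value)
    {
        var pre = value as IHtmlString;
        if (pre != null) return pre.ToHtmlString();
        return WebUtility.HtmlEncode(Convert.ToString(value));
    }

    // Model of an MVC 2 style helper such as Html.TextBox(): it encodes the attribute
    // values itself and wraps the finished markup in HtmlString so <%: %> leaves it alone.
    public static HtmlString TextBox(string name, string value)
    {
        return new HtmlString(string.Format(
            "<input type=\"text\" name=\"{0}\" value=\"{1}\" />",
            WebUtility.HtmlEncode(name), WebUtility.HtmlEncode(value)));
    }

    static void Main()
    {
        // Constructed sample of hostile user input echoed back into a page.
        string userInput = "<script>alert(1)</script>";
        Console.WriteLine(EqualsBlock(userInput)); // live <script> tag reaches the browser
        Console.WriteLine(ColonBlock(userInput));  // only entities; the browser shows text

        // Helper output is identical from both blocks: no double encoding.
        HtmlString box = TextBox("comment", userInput);
        Console.WriteLine(EqualsBlock(box));
        Console.WriteLine(ColonBlock(box));
        Console.WriteLine(EqualsBlock(box) == ColonBlock(box));
    }
}
```

The last line shows the point of IHtmlString: the helper's markup comes out of <%: %> byte-for-byte the same as from <%= %>, while the raw string is encoded only by <%: %>.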

If you want to be really strict, you can even create a build rule that searches for <%= %> in your application and flags each occurrence as an error, thereby forcing the use of HTML encoding.

Scaffolding in ASP.NET MVC 2 views

When you use VS 2010 (or the free Web Developer 2010 Express) to build ASP.NET MVC 2 applications, you will find that the views generated with "Add View" use <%: %> for text labels, fields and error messages (everything that is emitted through HTML helper methods):

image

Summary

The new <%: %> syntax provides a compact way to HTML-encode content automatically as it is written to the page. It makes your code less verbose and lets you be confident that all data flowing through your site is HTML-encoded, which protects your application from XSS and HTML injection.

Source: https://habr.com/ru/post/90946/
