New <%: %> Syntax for HTML Encoding Output in ASP.NET 4 (and ASP.NET MVC 2)
The <%: %> syntax helps protect your applications and sites against cross-site script injection (XSS) and HTML injection attacks, and lets you do so with a nice, concise syntax.
HTML Encoding
Cross-site script injection (XSS) and HTML injection attacks are two of the most common security issues that plague web sites and applications. They occur when hackers find a way to inject client-side script or HTML markup into web pages that are then viewed by other visitors to a site. This can be used both to vandalize a site and to run client-side script that steals cookie data and/or exploits a user's identity on the site to perform actions as that user.
One way to help mitigate cross-site scripting attacks is to make sure that rendered output is HTML encoded within a page. This helps ensure that any content that might have been input or modified by an end user cannot be output back onto a page as live markup containing tags like <script> or <img> elements.
How to HTML Encode Content Today
ASP.NET applications (especially those using ASP.NET MVC) often rely on <%= %> code-nugget expressions to render output. Developers today often use the Server.HtmlEncode() or HttpUtility.HtmlEncode() helper methods within these expressions to HTML encode the output before it is rendered. This can be done using code like below:
<div class="cssContent"><%= Server.HtmlEncode(Model.Content) %></div>
While this works fine, there are two downsides to it:
1. It is a little verbose
2. Developers often forget to call the Server.HtmlEncode method, and there is no easy way to verify its usage across an app
New <%: %> Code Nugget Syntax
With ASP.NET 4 we are introducing a new code expression syntax (<%: %>) that renders output like <%= %> blocks do, but which also automatically HTML encodes it before doing so. This eliminates the need to explicitly HTML encode content like we did in the example above. Instead, you can just write the more concise code below to accomplish the exact same thing:
<div class="cssContent"><%: Model.Content %></div>
We chose the <%: %> syntax so that it would be easy to quickly replace existing instances of <%= %> code blocks. It also enables you to easily search your code base for <%= %> elements to find and verify any cases where you are not using HTML encoding within your application, to ensure that you have the correct behavior.
Avoiding Double Encoding
While HTML encoding content is often a good best practice, there are times when the content you are outputting is meant to be HTML or is already encoded, in which case you don't want to HTML encode it again.
ASP.NET 4 introduces a new IHtmlString interface (along with a concrete implementation: HtmlString) that you can implement on types to indicate that their value is already properly encoded (or otherwise examined) for display as HTML, and that therefore the value should not be HTML encoded again. The <%: %> code-nugget syntax checks for the presence of the IHtmlString interface and will not HTML encode the output of the code expression if its value implements this interface. This allows developers to avoid having to decide on a per-case basis whether to use <%= %> or <%: %> code nuggets. Instead you can always use <%: %> code nuggets, and then have any properties or data types that are already HTML encoded implement the IHtmlString interface.
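The two rendering rules described above (encode plain strings, pass IHtmlString values through untouched) can be exercised outside a page with a small console program. The following is an added example, not code from the original post; the TrustedFragment type and the sample comment text are constructed for illustration, and the assumption that HttpUtility.HtmlEncode(object) models what a <%: %> nugget does at render time is stated in the comments.

```csharp
using System;
using System.Web; // System.Web.dll: HttpUtility, IHtmlString, HtmlString

// Hypothetical view-model type that already holds encoded/sanitized HTML.
// Implementing IHtmlString tells the <%: %> nugget not to encode it a second time.
public sealed class TrustedFragment : IHtmlString
{
    private readonly string _html;

    public TrustedFragment(string alreadyEncodedHtml)
    {
        _html = alreadyEncodedHtml;
    }

    public string ToHtmlString()
    {
        return _html;
    }
}

public static class NuggetSemantics
{
    // Assumption: this models what <%: expr %> does when the page renders.
    // HttpUtility.HtmlEncode(object) returns ToHtmlString() unchanged for
    // IHtmlString values and HTML-encodes the string form of anything else.
    public static string RenderEncodingNugget(object value)
    {
        return HttpUtility.HtmlEncode(value);
    }

    // What <%= expr %> does: the string form is written to the response as-is.
    public static string RenderRawNugget(object value)
    {
        return Convert.ToString(value);
    }

    public static void Main()
    {
        // Constructed sample: a comment body as an end user might have submitted it.
        string untrusted = "<script>alert(1)</script> Tom & Jerry";

        // Raw nugget: the markup reaches the browser as live HTML.
        Console.WriteLine("<%= %> : " + RenderRawNugget(untrusted));

        // Encoding nugget: the same text is rendered as inert text.
        Console.WriteLine("<%: %> : " + RenderEncodingNugget(untrusted));

        // Content that was encoded earlier, wrapped so it is not encoded twice.
        var safe = new TrustedFragment("Tom &amp; Jerry <b>wins</b>");
        Console.WriteLine("<%: %> : " + RenderEncodingNugget(safe));

        // HtmlString is the framework's ready-made IHtmlString implementation.
        Console.WriteLine("<%: %> : " + RenderEncodingNugget(new HtmlString("<em>ok</em>")));
    }
}
```

Compile against System.Web.dll from .NET Framework 4. The first line written contains the <script> tag verbatim, the second has its < and > replaced by &lt; and &gt; (and the & by &amp;), and the two wrapped values come out exactly as their ToHtmlString() returned them. The design point is that the decision to skip encoding lives on the type, so a review only has to check which types implement IHtmlString rather than every nugget in every view.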
Using ASP.NET MVC HTML Helper Methods with <%: %>
For a practical example of where this HTML encoding escape mechanism is useful, consider scenarios where you use HTML helper methods with ASP.NET MVC. These helper methods typically return HTML. For example, the Html.TextBox() helper method returns markup like <input type="text"/>. With ASP.NET MVC 2 these helper methods now by default return HtmlString types, which indicates that the returned string content is safe for rendering and should not be encoded by <%: %> nuggets.
This allows you to use these methods within both <%= %> code nugget blocks and <%: %> code nugget blocks.
In both cases the HTML content returned from the helper method will be rendered to the client as HTML, and the <%: %> code nugget will avoid double-encoding it.
This enables you to default to always using <%: %> code nuggets instead of <%= %> code blocks within your applications. If you want to be really hardcore you can even create a build rule that searches your application for <%= %> usages and flags any cases it finds as an error, to enforce that HTML encoding always takes place.
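One way to implement the build rule just mentioned is a small audit tool that scans view files for raw <%= %> nuggets and exits non-zero when it finds any. This is an added example and not part of the original post or of ASP.NET; the RawNuggetAudit class, the NUGGET001 code and the sample view text are all constructed here.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Text.RegularExpressions;

// Hypothetical build-time audit: fails the build while any view still uses <%= %>.
public static class RawNuggetAudit
{
    // Matches the start of a raw-output nugget.
    private static readonly Regex RawNugget = new Regex(@"<%=", RegexOptions.Compiled);

    // Returns one "file(line): text" finding per source line containing a raw nugget.
    public static List<string> FindRawNuggets(string fileName, string viewSource)
    {
        var findings = new List<string>();
        string[] lines = viewSource.Split('\n');
        for (int i = 0; i < lines.Length; i++)
        {
            if (RawNugget.IsMatch(lines[i]))
            {
                findings.Add(fileName + "(" + (i + 1) + "): " + lines[i].Trim());
            }
        }
        return findings;
    }

    // Scans every .aspx/.ascx/.master file under the given directory.
    public static List<string> ScanDirectory(string root)
    {
        var findings = new List<string>();
        foreach (string pattern in new[] { "*.aspx", "*.ascx", "*.master" })
        {
            foreach (string path in Directory.GetFiles(root, pattern, SearchOption.AllDirectories))
            {
                findings.AddRange(FindRawNuggets(path, File.ReadAllText(path)));
            }
        }
        return findings;
    }

    // Usage: RawNuggetAudit.exe <views-directory>
    // With no argument a constructed sample view is checked instead.
    public static int Main(string[] args)
    {
        List<string> findings;
        if (args.Length > 0)
        {
            findings = ScanDirectory(args[0]);
        }
        else
        {
            // Constructed sample view: one encoded nugget, one raw nugget.
            string sample =
                "<div><%: Model.Title %></div>\n" +
                "<div><%= Model.Content %></div>\n";
            findings = FindRawNuggets("Sample.aspx", sample);
        }

        foreach (string f in findings)
        {
            // "error CODE: text" is the canonical form MSBuild and Visual Studio
            // report as a build error when the tool runs from an Exec task.
            Console.Error.WriteLine("error NUGGET001: raw <%= %> nugget at " + f);
        }
        return findings.Count == 0 ? 0 : 1;
    }
}
```

Run it from a post-build step with the Views directory as the argument; on the sample input it reports the second line and returns 1. The check is deliberately textual, so it also flags <%= %> inside server-side comments and does not see output written through Response.Write; treat it as a gate that forces each remaining raw nugget to be reviewed, not as proof that every output path is encoded.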
Scaffolding ASP.NET MVC 2 Views
When you use VS 2010 (or the free Visual Web Developer 2010 Express) to build ASP.NET MVC 2 applications, you'll find that the views scaffolded using the "Add View" dialog now by default always use <%: %> blocks when outputting any content. For example, below I've scaffolded a simple "Edit" view for an Article object. Note the three usages of <%: %> code nuggets for the label, textbox, and validation message (all output with HTML helper methods):
Summary
The new <%: %> syntax provides a concise way to automatically HTML encode content and then render it as output. It allows you to make your code a little less verbose, and to easily check and verify that you are always HTML encoding content throughout your site. This can help protect your applications against cross-site script injection (XSS) and HTML injection attacks.
Original: http://weblogs.asp.net/scottgu/archive/2010/04/06/new-lt-gt-syntax-for-html-encoding-output-in-asp-net-4-and-asp-net-mvc-2.aspx
Reposted from: https://www.cnblogs.com/rhine/articles/3549808.html