I'm new to ASP.NET MVC. I've seen both <%= ... %> and <%: ... %>. I'm familiar with the first from classic ASP days, but not the latter. What is the difference between the two?
<%= %> - equivalent to response.write in classic ASP.
<% %> - represents a code block, if, then else, for each, etc.
<%: %> - this is a shortcut new to .NET 4, this represents <%= Html.Encode(item) %>
Link to video explaining the shortcut (it's a short clip):
Using <%: tells ASP.NET 4.0 to perform a Server.HtmlEncode() on the value being displayed.
Whereas using <%=, it is up to the developer to use Server.HtmlEncode().
Note HtmlEncode() helps avoid cross-scripting attacks.
For more info, see ScottGu's post here.
<%: expression %> is an HTML encoded expression and was introduced in ASP.NET 4.
It is equivalent to <%= HttpUtility.HtmlEncode(expression) %>
Go here for more detail.
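
An added example, not part of the answers above: a small C# console program that models what <%= %> and <%: %> write for the same values, including the IHtmlString case that <%: leaves unencoded. It assumes .NET Framework 4 or later with a reference to System.Web; the names EncodingDemo, RenderRaw, RenderEncoded and Show, and the sample strings, are constructed for illustration.

```csharp
// Added example, not code from the answers. Assumes a console project on
// .NET Framework 4 or later with a reference to System.Web.
using System;
using System.Web;

static class EncodingDemo
{
    // <%= value %> writes the value's string form unchanged.
    static string RenderRaw(object value)
    {
        return Convert.ToString(value);
    }

    // <%: value %> goes through HttpUtility.HtmlEncode(object): ordinary
    // values are encoded, IHtmlString values are written as they are.
    static string RenderEncoded(object value)
    {
        return HttpUtility.HtmlEncode(value);
    }

    static void Show(string label, string rendered)
    {
        Console.WriteLine("{0,-28} {1}", label, rendered);
    }

    static void Main()
    {
        // Constructed sample standing in for text submitted by a user.
        string comment = "<script>alert('x')</script> Tom & Jerry";

        Show("<%= comment %>", RenderRaw(comment));      // markup reaches the page
        Show("<%: comment %>", RenderEncoded(comment));  // markup becomes inert text

        // Encoding by hand and then using <%: encodes twice.
        string preEncoded = HttpUtility.HtmlEncode(comment);
        Show("<%: preEncoded %>", RenderEncoded(preEncoded));

        // HtmlString implements IHtmlString, so <%: does not encode it.
        // Wrap only markup the application built itself, never user input.
        var trusted = new HtmlString("<em>" + HttpUtility.HtmlEncode(comment) + "</em>");
        Show("<%: trusted %>", RenderEncoded(trusted));
    }
}
```

When reviewing views, any remaining <%= that emits request or database data, and any HtmlString or MvcHtmlString built from such data, is where encoding has been bypassed.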