HTML Encoded Code Expression
Hi,
One of the new features in Asp.Net 4.0 is the inclusion of Code expressions which are HTML encoded by default. IN Asp.Net the code expression by default does not encode any text and hence it can leave the chance of Cross Site scripting attack.
In Asp.Net 4.0 we can now write expression which will get encoded by itself. For writing HTML encoded expression we need to use the following expression
<%: %>
This could have been easily done in the previous version also by using the HttpUtility.HtmlEncode method in the expression. But it has been made easy now by providing a common expression. Below is an example of same output with or without using the expression.
<%= HttpUtility.HtmlEncode(Request["UserInput"]) %>
<%: Request["UserInput"] %>
Vikram