Search
Close this search box.

<%: %>, HtmlEncode, IHtmlString and MvcHtmlString

One of my colleague and friend, Robin is playing and struggling with the ASP.NET MVC 2 on a project these days while I’m struggling with a annoying client. Since it’s his first time to use ASP.NET MVC he was meetings with a lot of problem and I was very happy to share my experience to him. Yesterday he asked me when he attempted to insert a <br /> element into his page he found that the page was rendered like this which is bad.

He found his <br /> was shown as a part of the string rather than creating a new line. After checked a bit in his code I found that it’s because he utilized a new ASP.NET markup supported in .NET 4.0 – “<%: %>”.

If you have been using ASP.NET MVC 1 or in .NET 3.5 world it would be very common that using <%= %> to show something on the page from the backend code. But when you do it you must ensure that the string that are going to be displayed should be Html-safe, which means all the Html markups must be encoded. Otherwise this might cause an XSS (cross-site scripting) problem. So that you’d better use the code like this below to display anything on the page.

In .NET 4.0 Microsoft introduced a new markup to solve this problem which is <%: %>. It will encode the content automatically so that you will no need to check and verify your code manually for the XSS issue mentioned below. But this also means that it will encode all things, include the Html element you want to be rendered. So I changed his code like this and it worked well.

After helped him solved this problem and finished a spreadsheet for my boring project I considered a bit more on the <%: %>. Since it will encode all thing why it renders correctly when we use “<%: Html.TextBox(“name”) %>” to show a text box? As you know the Html.TextBox will render a “<input name=”name” id=”name” type=”text”/>” element on the page. If <%: %> will encode everything it should not display a text box. So I dig into the source code of the MVC and found some comments in the class MvcHtmlString.

// In ASP.NET 4, a new syntax <%: %> is being introduced in WebForms pages,
// where <%: expression %> is equivalent to
// <%= HttpUtility.HtmlEncode(expression) %>. The intent of this is to reduce
// common causes of XSS vulnerabilities in WebForms pages (WebForms views in the
// case of MVC). This involves the addition of an interface
// System.Web.IHtmlString and a static method overload
// System.Web.HttpUtility::HtmlEncode(object).  The interface definition is
// roughly:
//   public interface IHtmlString {
//     string ToHtmlString();
//   }
// And the HtmlEncode(object) logic is roughly:
//   - If the input argument is an IHtmlString, return argument.ToHtmlString(),
//   - Otherwise, return HtmlEncode(Convert.ToString(argument)).
//
// Unfortunately this has the effect that calling <%: Html.SomeHelper() %> in an
// MVC application running on .NET 4 will end up encoding output that is already
// HTML-safe. As a result, we're changing out HTML helpers to return
// MvcHtmlString where appropriate. <%= Html.SomeHelper() %> will continue to
// work in both .NET 3.5 and .NET 4, but changing the return types to
// MvcHtmlString has the added benefit that <%: Html.SomeHelper() %> will also
// work properly in .NET 4 rather than resulting in a double-encoded output. MVC
// developers in .NET 4 will then be able to use the <%: %> syntax almost
// everywhere instead of having to remember where to use <%= %> and where to use
// <%: %>. This should help developers craft more secure web applications by
// default.
//
// To create an MvcHtmlString, use the static Create() method instead of calling
// the protected constructor.

The comment said the encoding rule of the <%: %> would be:

  • If the type of the content is IHtmlString it will NOT encode since the IHtmlString indicates that it’s Html-safe.
  • Otherwise it will use HtmlEncode to encode the content.

If we check the return type of the Html.TextBox method we will find that it’s MvcHtmlString, which was implemented the IHtmlString interface dynamically.

That is the reason why the “<input name=”name” id=”name” type=”text”/>” was not encoded by <%: %>. So if we want to tell ASP.NET MVC, or I should say the ASP.NET runtime that the content is Html-safe and no need, or should not be encoded we can convert the content into IHtmlString. So another resolution would be like this.

Also we can create an extension method as well for better developing experience.

using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.Mvc;

namespace ShaunXu.Blogs.IHtmlStringIssue {
  public static class Helpers {
    public static MvcHtmlString IsHtmlSafe(this string content) {
      return MvcHtmlString.Create(content);
    }
  }
}

Then the view would be like this.

And the page rendered correctly.

Summary

In this post I explained a bit about the new markup in .NET 4.0 – <%: %> and its usage. I also explained a bit about how to control the page content, whether it should be encoded or not. We can see the ASP.NET MVC gives us more points to control the web pages.

Hope this helps,

Shaun

This article is part of the GWB Archives. Original Author: Shaun Xu

Related Posts