
asp.net mvc tags: <%: %> vs. <%= %>

As far as I can tell, both of these tag types do the same thing. Which is preferred to use?


It calls an HtmlEncode on the value

See ScottGu's blog for more info.


They are not the same:

<%=%> is the same as `Response.Write`
<%:%> adds `Server.HtmlEncode` to `Response.Write`

Hence, <%:%> is preferred (added since .NET 4.0), as it adds the security measure of encoding the output before outputting the string.

If you are using .NET 3.5 or before, best practice is to use <%=Server.HtmlEncode(val)%>.


<%: %> would be preferred as it automatically HTML Encodes the value, however it only works in .NET 4.


<%: someString %>

is like

<%= HttpUtility.HtmlEncode(someString) %>


You use "<%:" when you need to sanitize the string (i.e., from something that was input by a user and can be potentially malicious).

Basically, <%= just writes the string as it is to the HTML, and <%: is the same as writing <%= Html.Encode("something") %>
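
An added example, not part of any answer above: a .NET 4 Web Forms page that renders one constructed string through each form discussed here, and then shows the case where the colon form does not encode, namely values typed as `IHtmlString`. The field names `userText` and `trusted` are illustrative assumptions; in an MVC view the same tags behave the same way.

```aspx
<%@ Page Language="C#" %>
<script runat="server">
    // Constructed sample value standing in for text a user submitted.
    protected string userText = "<em>5 < 6</em> & \"quoted\"";

    // HtmlString implements IHtmlString (new in .NET 4). It marks a value
    // as HTML that has already been made safe by the code that built it.
    protected HtmlString trusted = new HtmlString("<strong>site notice</strong>");
</script>
<html>
<body>
  <%-- 1. Equals form: a plain Response.Write. Any markup inside userText
          reaches the browser as markup. --%>
  <p><%= userText %></p>

  <%-- 2. Equals form with explicit encoding: the pattern required on
          .NET 3.5 and earlier. Markup characters become entities. --%>
  <p><%= Server.HtmlEncode(userText) %></p>

  <%-- 3. Colon form (.NET 4): encodes automatically and produces the
          same output as case 2. --%>
  <p><%: userText %></p>

  <%-- 4. Colon form with an IHtmlString: written as-is, so markup that
          was built deliberately is not encoded a second time. --%>
  <p><%: trusted %></p>

  <%-- 5. Review check: wrapping untrusted text in HtmlString switches the
          encoding off again, so this line behaves like case 1. --%>
  <p><%: new HtmlString(userText) %></p>
</body>
</html>
```

When reviewing views, treat every remaining `<%= %>` and every `HtmlString` or `MvcHtmlString` built from request data as a place where the output is not encoded.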
