Just returned home from the Orlando Code Camp with my 3 children who were real troopers for joining me on the trip. We woke up at 4:30am for a 2+ hour drive so I could speak about What’s New in ASP.NET 4 at 8:30am.

I realized on my ride home that I neglected to mention Html Encoded Code Expressions as a new feature in ASP.NET 4. It was in my code and listed in the tutorials, but somehow in the excitement of mentioning the other ASP.NET 4 Features it got overlooked. Hence, I thought I would follow-up with a quick blog post to remedy the situation.

Html Encoded Code Expressions is a handy way to eliminate javascript injection in your web applications. So often developers forget that input from various 3rd party sources, like user input and the database, is evil and should never be trusted. Any data displayed on a browser, for example, should be properly encoded to assure it doesn’t run malicious scripts.

When you display data to a browser you will sometimes use the following code expression:

<%= data %>

If the data were somehow injected with javascript in addition to its value, such as “<script>alert(‘Hello’);</script>javascript injected”, you will get a very unwelcome javascript dialog box displaying hello in addition to the text being displayed on the screen.

If instead you were to use the new HTML Encoded Code Expression in ASP.NET 4, which replaces “=” with “:” as such:

<%: data %>

The result would be a properly encoded string which would cause the script to not be run, but instead displayed as text on the browser: “<script>alert(‘Hello’);</script>javascript injected”.

You can try the difference yourself. Put the following two statements in the source of your ASP.NET 4 Page and watch <%= … %> execute the javascript while the other, <%: … %>, encodes the javascript as text:

<%= “<script>alert(‘Hello’);</script>javascript injected” %>
<%: “<script>alert(‘Hello’);</script>javascript injected” %>

If you attended the Sarasota Web Developer Group, we went over this new ASP.NET 4 Feature in detail.

Hope this helps.

David Hayden

The Sarasota Web Developer Group is having our second meeting this Wednesday, March 24, 2010 at 6pm. We have two presentations and a tool spotlight:

• Presentation 1: Build ASP.NET MVC Contact Manager from Scratch
• Tool Spotlight: Castle ActiveRecord, SQLite, and NHProf
• Presentation 2: Get RAD with DynamicData

You can get the full details as well as register at:

• Leveraging ASP.NET MVC – Web Forms – DynamicData – Castle ActiveRecord

You can also download our monthly newsletter.

See you there!

David Hayden

The other day I commented on how the IIS 7 URL Rewriter can be a neat way to transition your legacy ASP.NET Web Forms URL’s consisting of querystrings to a more RESTful, searchengine-friendly syntax. Actually, this can either be 1) a more transitory solution until you move to the new ASP.NET 4 Web Forms Routing or ASP.NET MVC, or 2) a permanent solution if you have a legacy application that you don’t plan to upgrade but want the cleaner routing.

After about 15 minutes of playing with the URL Rewriter I was pretty amazed at how quickly and easily one can clean up the inbound at outbound URL’s using it.

I created a page on my localhost that displayed products for a particular category for an e-commerce website and accepted the category as a querystring parameter as such:

http://localhost/products.aspx?category=bikinis

I wanted to map this URL for both inbound and outbound links to something cleaner, like:

http://localhost/category/bikinis

My thought was that this would be a fair amount of work, but in reality the IIS 7 URL Rewriter makes this a breeze.

Once you have installed the IIS 7 URL Rewriter you have the ability to add a rule, and in this specific case, a User-friendly URL, that is located under the header, Inbound and Outbound Rules.

Now this is where it gets slick. One enters the original URL and then chooses a more User-friendly URL from a dropdown and lets the URL Rewriter handle the rest. If, of course, you want more control you can pick another rule, but this worked perfectly for what I had in mind.

After you save the rule, your inbound routes will work correctly for any category as such:

http://localhost/category/bikinis

http://localhost/category/tshirts

http://localhost/category/hats

Also, all links to this page within the website will automagically be converted from the old querystring URL to the more searchengine-friendly URL on your behalf, no work required. Very, very slick.

If you could benefit from more searchengine-friendly URL’s, the IIS 7 URL Rewriter is worth a look. I was pretty impressed with what I could do in just 15 minutes. After a bit more understanding, I’ll definitely be showing it off at a future Sarasota Web Developer Group Meeting.

David Hayden

As I mentioned we are learning the new enhancements in ASP.NET 4 and ASP.NET 4 Web Forms from scratch at the Sarasota Web Developer Group. At the first meeting we talked about many of the new enhancement in ASP.NET 4 Web Forms, including the new enhancements in ASP.NET 4 Web Forms Routing.

GetRouteUrl

In my last post I neglected to mention the Control.GetRouteUrl Method in System.Web.UI as a way to get routes from the route name and various route parameters. Using the following route from the previous post:

public class Global : System.Web.HttpApplication
{
    void Application_Start(object sender, EventArgs e)
    {
        RegisterRoutes(RouteTable.Routes);
    }

    void RegisterRoutes(RouteCollection routes)
    {
        routes.MapPageRoute(
            "Contact_Details",                  // Route Name
            "Contacts/Details/{id}",          // Url and Parameters
            "~/Contacts/Details.aspx"     // Page Handling Request
            );
    }
}

One can get the route for a particular contact inside a Page_Load Event, for example, by calling GetRouteUrl on the Page as follows:

protected void Page_Load(object sender, EventArgs e)
{
    var route = GetRouteUrl("Contact_Details", new { id = 1 });
}

The value of route in this case will be “/Contact/Details/1″.

GetRouteUrl when DataBinding in Grid

The GetRouteUrl Method is particularly useful in a Grid when you want to display a list of contacts with a link to the details of each. Shown below is just a snippet of the Grid source code where I am using GetRouteUrl with the proper Route Name and Parameters within the NavigateUrl Property of the HyperLink:

<asp:TemplateField>
    <ItemTemplate>
        <asp:HyperLink
            ID="HyperLink1"
            runat="server"
            NavigateUrl='<%# GetRouteUrl("Contact_Details", new {id = Eval("Id") }) %>'
            Text='<%# Eval("Id") %>'>
        </asp:HyperLink>
    </ItemTemplate>
</asp:TemplateField>

Conclusion

I’ll be posting about other topics presented at the group. If you live in the area, please come out and attend the second meeting focusing on ASP.NET MVC, DynamicData, Castle ActiveRecord, and more. I’ll also be presenting What’s New in ASP.NET 4 at the Orlando Code Camp.

David Hayden