MVC2 Custom HTML Helper and <%: %> Syntax - asp.net-mvc-2

Is there any way to use a custom HTML helper with the <%: %> syntax?
I know that if I use the code below, it's OK, but it seems not so elegant and secure.
<%= Html.MyHelper("Some Data")%>
I mean, is using <%= %> the best practice?

Have your helper return an MvcHtmlString instead of a string. Also, please use <%: as much as possible.

HTML helpers create HTML, which is normally expected to be output raw with <%= %>. If you used <%: %> to HTML-escape the output of an HTML helper, you'll see the HTML source it produced on the page as text (e.g. literally <input name="foo" value="bar"> on-screen), which is probably not what you want.
It is up to the helper to HTML-escape any text content inside it, for safety. Yes, if you write a custom HTML helper and get it wrong—forgetting to HTML-encode strings your helper is putting in text content or attribute values in the output—you'll have security holes. You need to know what you're doing with escaping to write an HTML helper.
Microsoft, unfortunately, apparently don't, as the very first example in their tutorial completely fails:
return String.Format("<label for='{0}'>{1}</label>", target, text);
Whoops. Hope those ID and text strings didn't come from untrusted data!
[why are web tutorials always so lamentably terrible at escaping issues?]
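An added example, not code from the original answers or from the Microsoft tutorial: the tutorial's Label helper quoted above beside a version that encodes each argument for the context it lands in and returns MvcHtmlString, so it can be emitted with <%: %> as the accepted answer suggests. The method names and the view usage are assumed for illustration.

```csharp
using System;
using System.Web;
using System.Web.Mvc;

public static class LabelHelpers
{
    // The tutorial version quoted above, kept for contrast: target and text go
    // into the markup unencoded, so a quote or an angle bracket in either value
    // ends the attribute or the element and the rest is read as markup.
    public static string UnsafeLabel(this HtmlHelper html, string target, string text)
    {
        return String.Format("<label for='{0}'>{1}</label>", target, text);
    }

    // Hardened version. TagBuilder attribute-encodes values given to
    // MergeAttribute and HTML-encodes the text given to SetInnerText, so each
    // argument is escaped for the context it lands in.
    public static MvcHtmlString SafeLabel(this HtmlHelper html, string target, string text)
    {
        var tag = new TagBuilder("label");
        tag.MergeAttribute("for", target);
        tag.SetInnerText(text);
        // MvcHtmlString implements IHtmlString, which is what <%: %> checks to
        // decide that the value is already safe and must not be encoded again.
        return MvcHtmlString.Create(tag.ToString(TagRenderMode.Normal));
    }

    // Same rule applied by hand, for helpers that build markup with string
    // formatting: encode attribute values and text content separately, and
    // quote attributes with double quotes so they match the encoder's output.
    public static MvcHtmlString SafeLabelManual(this HtmlHelper html, string target, string text)
    {
        string markup = String.Format("<label for=\"{0}\">{1}</label>",
            HttpUtility.HtmlAttributeEncode(target),
            HttpUtility.HtmlEncode(text));
        return MvcHtmlString.Create(markup);
    }
}
```

In a view, <%: Html.SafeLabel("first_name", caption) %> emits the label once, with the caption encoded by the helper; the same call through <%= %> gives identical output, because the helper has already done the escaping.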

Related

EJS: pass a variable to the included file

I'm using EJS as a part of my front-end dev stack.
For example, my normal index.ejs looks like this:
<%- include parts/header.ejs %>
<%- include parts/navigation.ejs %>
<!-- HTML content: divs, spans, etc. -->
<%- include parts/footer.ejs %>
What I want is to somehow pass a variable with the include, like <%- include parts/footer.ejs?variable=value %>, and read it in the included file to conditionally show/hide some parts of the content.
I can't find a way to do it. Is it possible with EJS?
Two ways to do this:
Dumb Way
This way is compatible with EJS 1.0, and has the advantage of being compile-time.
Just declare the variables right before the include.
Example:
included.ejs:
<p><%= variable %></p>
main.ejs:
<% var variable = 'hola' %>
<% include included %>
Smart Way
This method is only available with EJS 2.0 or newer, but might be marginally slower (or a lot slower if caching is not enabled) than the last method:
included.ejs:
<p><%= variable %></p>
main.ejs:
<%- include('included', {variable: 'hola'}) %>

Resolve a Kentico localisation macro in a transformation?

As the title suggests I am trying to resolve a localisation string inside a repeater. I have a wysiwyg editor to input some html on the form tab of the document type, so the source would look like this
Field1: "{$localstring$}"
Then in the transformation I have
<li><%# Eval("Field1") %></li>
This outputs the string as
{$localstring$}
and doesn't resolve this as a macro and go lookup the localstring in the UI culture localisation.
I have tried different things including
<%# Eval(CMS.GlobalHelper.ResHelper.LocalizeString("Field1")) %>
and
<%# Eval(CMS.CMSHelper.CMSContext.CurrentResolver.ResolveMacros("Field1")) %>
all of which give the same output, can anyone point me in the right direction? I am sure it's the way Eval is being called.
Thanks in advance.
In case somebody else searches for this: if you want to use the localization string custom.my-string in an ASPX transformation, you should resolve it as follows:
<%# CMS.CMSHelper.CMSContext.CurrentResolver.ResolveMacros("{$custom.my-string$}") %>
Note: no spaces! If you add spaces like this: "{$ custom.my-string $}" - it WILL NOT work.
The correct syntax is the following:
<%# CMS.CMSHelper.CMSContext.CurrentResolver.ResolveMacros(Eval("Field1").ToString()) %>

Zend Framework 2: How to set a html link (img) in a legend of the fieldset?

I used zf2 to design a website.
And the form is something like this:
$this->add(array(
    'options' => array(
        'label' => 'title1'
    )
));
And finally it shows like this:
<form>
<fieldset>
<legend>title1</legend>
<label>****</label>
</fieldset>
</form>
Now, I want to add a link or an image after the title1, for example:
<form>
<fieldset>
<legend>title1<a href=''>link</a></legend>
<label>****</label>
</fieldset>
</form>
How can I do this?
You can't. Well, at least not without overwriting the specific ViewHelper (probably formCollection()). In ZF2 all Labels are run through the Zend\View\Helper\EscapeHtml ViewHelper. Therefore using any sort of HTML inside Labels is not supported in any way.
While going by specification it may be allowed to use inline-elements inside the <legend> Element, semantically it looks a little different. The <legend> shall do nothing but to describe the contents of the <fieldset>.
Anyways, opinions aside, as I've mentioned, you'll have to overwrite the ViewHelper and then skip the use of the EscapeHtml ViewHelper, as it's done in this line of the formCollection() code.

How exactly does Rails prefill forms?

I have a (simple) question for my own curiosity:
I'd like to find out how Rails prefills forms with posted values like... you know, when there's a validation error on some model's attributes, then you do something like "render :edit" and the form is magically prefilled.
What exactly are the mechanisms that Rails uses to do such a thing? I didn't manage to find any documentation on this subject and I'd like to understand the magic.
So if someone can give me some explanations on this subject, I'll be glad to read that!
Thanks!
[Edit] And a subsidiary question: when a model inherits from another (STI) do we have to do something in particular to prefill forms?
You are mostly using the form_for helper in this style:
<%= form_for @person do |f| %>
<!-- Some more stuff here -->
<%= f.text_field :first_name %><br />
<!-- Some more stuff here -->
<% end %>
What this essentially does is generate a text field that is filled with the value of @person.first_name.to_s. When an error happens, @person.first_name is filled with the erroneous value. If you create a person (@person = Person.new), then @person.first_name.to_s is "".
So Rails just fills the text field with the value the attribute has.
f, by the way, is a Rails FormBuilder. Its methods are documented here, if you want to take a closer look at the source.

Are <%: and <%= the same thing as embedded code (expression) blocks?

Having just started with MVC 2 I notice that in their starter template they use
<%: Html.ActionLink("Home", "Index", "Home")%>
and I was sure that in MVC 1 it was
<%= Html.ActionLink("Home", "Index", "Home")%>
Are they the same thing? If so, why the change from equal sign to colon?
The colon syntax means you'll be HTML encoded automatically: http://haacked.com/archive/2009/09/25/html-encoding-code-nuggets.aspx
They couldn't just html encode all the existing <%= blocks, because things that are already properly encoded (which is hopefully most of the projects out there) would look strange.
<%= is used for writing to the output buffer.
<%: is used for writing to the output buffer, after HTML Encoding the content... Unless the IHtmlString Interface has been implemented on the returned object.
Scott Guthrie has an excellent post on this topic:
http://weblogs.asp.net/scottgu/archive/2010/04/06/new-lt-gt-syntax-for-html-encoding-output-in-asp-net-4-and-asp-net-mvc-2.aspx
If the output has already been escaped, double encoding can be prevented by implementing the IHtmlString Interface on the returned object. http://msdn.microsoft.com/en-us/library/system.web.ihtmlstring.aspx
ASP.NET 4 introduced the <%: syntax, which encodes the output before rendering it to the screen. ASP.NET MVC was already encoding this, but to be more explicit they began using the syntax as well, to make it clear that whenever you see <%: you can be sure the output will be properly encoded.
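An added example, not code from the answers above: a stand-in for the decision <%: %> makes on ASP.NET 4, where the nugget compiles to a call to HttpUtility.HtmlEncode(object), which returns IHtmlString.ToHtmlString() unchanged and encodes everything else. The three cases show why a helper that returns an already-encoded plain string gets double-encoded while an MvcHtmlString does not; the class and method names and the sample string are constructed for this illustration.

```csharp
using System;
using System.Web;
using System.Web.Mvc;

public static class ColonNuggetDemo
{
    // Mirrors the rule HttpUtility.HtmlEncode(object) applies for <%: value %>:
    // an IHtmlString is trusted markup and is emitted as-is, anything else is
    // turned into text and HTML-encoded.
    public static string EmitViaColonNugget(object value)
    {
        if (value == null) return String.Empty;
        var alreadySafe = value as IHtmlString;
        return alreadySafe != null
            ? alreadySafe.ToHtmlString()
            : HttpUtility.HtmlEncode(value.ToString());
    }

    public static void Main()
    {
        // Constructed sample value, not taken from any real application.
        string raw = "<b>Tom & Jerry</b>";

        // 1. A plain string straight from the model: encoded once. Correct.
        Console.WriteLine(EmitViaColonNugget(raw));

        // 2. A helper that encoded its output but returned string: the nugget
        //    cannot tell it is already safe and encodes it again, so the page
        //    shows entity text (&amp;lt; ...) instead of the characters.
        string encodedByHelper = HttpUtility.HtmlEncode(raw);
        Console.WriteLine(EmitViaColonNugget(encodedByHelper));

        // 3. The same output wrapped in MvcHtmlString, which implements
        //    IHtmlString: passed through unchanged. This is the fix the
        //    accepted answer recommends for custom helpers.
        IHtmlString markedSafe = MvcHtmlString.Create(encodedByHelper);
        Console.WriteLine(EmitViaColonNugget(markedSafe));
    }
}
```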