.NET 4.0中使用Attributes.Add编码时单引号 [英] .Net 4.0 is encoding single quote when using Attributes.Add
问题描述
.NET 4.0中被编码的单引号,当我使用Attributes.Add客户端事件添加到我的asp.net的对象。在previous版本的这种情况没有发生。
例如:
< ASP:图像=服务器ID =imgTest的ImageUrl =〜/ DateControl / cal.gif/>
imgTest.Attributes.Add(的onmouseover,警报('你好'));
当我查看客户端的输出,我正在
< IMG ID =ctl00_MainContent_calFromTimeStamp1_imgTest的onmouseover =警报(安培;#39;你好&安培;#39;),SRC =../ DateControl / cal.gif风格=边框宽度:0px; />
我找到了一个解决方法通过创建自定义的连接codeR:创建自定义编码程序但我不想停下来,整个网站就因为这个问题的编码。任何人有一种变通方法或如何解决这个问题的想法?
由于Franzo的链接,其中下面的答案是复制和粘贴:
您可以通过创建一个这样的类关闭属性编码:
公共类HtmlAttributeEncodingNot:System.Web.Util.HttpEn codeR
{
保护覆盖无效HtmlAttributeEn code(字符串值,System.IO.TextWriter输出)
{
output.Write(值);
}
}
和下加入这web.config中:
<的httpRuntime EN coderType =HtmlAttributeEncodingNot/>
这给了我,我需要控制。
然而,现在我们必须考虑新的控制可能取决于新 标准4.0的行为,而不是连接code单引号,因此它仍然 不完善,不,比不完善糟糕的是:安全性更差,因为 我们不知道是怎么回事,在那里,所以它不是一个伟大的解决方法 真的。
我想,只有微软能够正确解决这个问题。其他建议 需要在这里的HtmlAttributeString类:链接< /一>如果有 有这样一类和Attributes.Add可以采取这样一个对象 对于其价值的参数,然后我们将有我们所需要的控制 试。
.Net 4.0 is encoding single quotes when I am using Attributes.Add to add client side events to my asp.net objects. In the previous versions this didn't happen.
for example :
<asp:Image runat="server" ID="imgTest" ImageUrl="~/DateControl/cal.gif" />
imgTest.Attributes.Add("onmouseover", "alert('Hello')");
When I view the client side output, I am getting
<img id="ctl00_MainContent_calFromTimeStamp1_imgTest" onmouseover="alert('Hello')" src="../DateControl/cal.gif" style="border-width:0px;" />
I found a workaround by creating a custom encoder : creating custom encoding routines but I don't want to stop the encoding for the whole website just because of this issue. Anybody got a workaround or an idea of how to fix this?
Thanks to Franzo's link, where the following answer is copied and pasted:
You can turn off attribute encoding by creating a class like this:
public class HtmlAttributeEncodingNot : System.Web.Util.HttpEncoder
{
protected override void HtmlAttributeEncode(string value, System.IO.TextWriter output)
{
output.Write(value);
}
}
and adding this to web.config under :
<httpRuntime encoderType="HtmlAttributeEncodingNot"/>
This gives me the control I need.
However, now we must worry that new controls may depend on the new standard 4.0 behaviour and not encode single quotes, so it's still imperfect, nay, worse than imperfect: security is even worse, because we don't know what is going on where, so it's not a great workaround really.
I think only Microsoft can fix this properly. Others have suggested the need for an HtmlAttributeString class here: link If there were such a class and Attributes.Add could take an object like this for its value parameter then we would have the control that we need again.
这篇关于.NET 4.0中使用Attributes.Add编码时单引号的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!