Using the Server HtmlEncode Method

Sometimes, you need to write HTML or XML to the browser. However, if you use the Response object to write HTML or XML code, the browser interprets it as HTML. To solve the problem, escape the text properly using the Server.HtmlEncode method before sending it to the browser.

The Web Form ch8-5 contains two Label controls. In the Page_Load event, the Web Form assigns some HTML content to each Label. The code assigns "plain" unescaped HTML to the first label but uses the Server.HtmlEncode method to assign content to the second label (see Listing 8.5).

Listing 8.5: Using the HtmlEncode Method (ch8-5.aspx.cs)

private void Page_Load(object sender, System.EventArgs e)
{
    String s;

    // Plain, unescaped HTML: the browser interprets the <span> as a tag
    Label1.Text = "This HTML code <span class=\"redbolditalic\">" +
        "should appear</span> with the tags invisible";

    // Escaped with Server.HtmlEncode: the browser shows the tags as text
    s = "This HTML code <span class=\"redbolditalic\">should " +
        "appear</span> with the tags visible";
    Label2.Text = Server.HtmlEncode(s);
}

The class definition for the redbolditalic style is in the ch8.css Cascading Style Sheet file. When the browser parses the HTML rendered for the Label1 WebControl, it doesn't display the internal <span> tag because the browser also sees that as HTML. However, the Server.HtmlEncode method escaped the contents for Label2, so the browser displays the tags (see Figure 8.3).

Figure 8.3: Simple Server.HtmlEncode method call example

That's a fairly simple example; here's one that's more useful. Browsing the Internet, you may have seen tutorial ASP pages that have a button that, when clicked, can display the code for the executing page. C# Web Form files that use code-behind classes are slightly more complex because you need two buttons to display all the code—one for the .aspx file and one for the .aspx.cs file. Here are the steps to display the code for a file:

■ Place code in the page that reads the text of the executing file.

■ Apply the Server.HtmlEncode method to the text contents of the file.

■ Place the code in a hidden Label control (or HTML <div> tag).

■ Show the Label or <div> when the user clicks a button.

The Web Form ch8-6.aspx can display its own code and HTML files (see Figure 8.4).

Figure 8.4: A Web Form that displays its own code

Listing 8.6 shows the code.

Listing 8.6: The Web Form ch8-6.aspx Displays Its Own Code-Behind Code or HTML in a Label Control when You Click One of the Buttons on the Form (ch8-6.aspx.cs)

using System;
using System.IO;

public class ch8_6 : System.Web.UI.Page
{
    protected System.Web.UI.WebControls.Button btnCode;
    protected System.Web.UI.WebControls.Button btnHTML;
    protected System.Web.UI.WebControls.Label Label1;
    protected System.Web.UI.WebControls.Label Label2;

    // The event handlers below are wired up in the designer-generated
    // InitializeComponent region, which this listing omits.
    private void Page_Load(object sender, System.EventArgs e)
    {
        Label1.Text = "Click the \"View Code\" button to view the " +
            "code-behind code for this WebForm.<br>";
        Label1.Text += "Click the \"View HTML\" button to view the " +
            "HTML in the .aspx file.";
        Label2.Visible = false;
    }

    private void btnCode_Click(object sender, System.EventArgs e)
    {
        String currFile;
        StreamReader sr;

        // get the name of the current file's code-behind file
        currFile = Server.MapPath(Request["SCRIPT_NAME"]) + ".cs";

        // create a StreamReader to read the contents
        sr = File.OpenText(currFile);

        // HtmlEncode the contents and place in Label2
        Label2.Text = "<h3>Code-behind code for the file " + currFile +
            "</h3><pre>" + Server.HtmlEncode(sr.ReadToEnd()) + "</pre>";
        Label2.Visible = true;
        sr.Close();
    }

    private void btnHTML_Click(object sender, System.EventArgs e)
    {
        String currFile;
        StreamReader sr;

        // get the name of the current file
        currFile = Server.MapPath(Request["SCRIPT_NAME"]);

        // create a StreamReader to read the contents
        sr = File.OpenText(currFile);

        // HtmlEncode the contents and place in Label2
        Label2.Text = "<h3>HTML code for the file " + currFile +
            "</h3><pre>" + Server.HtmlEncode(sr.ReadToEnd()) + "</pre>";
        Label2.Visible = true;
        sr.Close();
    }
}

Listing 8.6 includes several of the Server methods discussed so far in this chapter. It uses the MapPath method to obtain the full physical path of the executing file:

Server.MapPath(Request["SCRIPT_NAME"]);

The code Request["SCRIPT_NAME"] obtains the name of the current file from the Request.ServerVariables collection. Note that it would be more efficient to specify the ServerVariables collection by using this code instead:

Server.MapPath(Request.ServerVariables["SCRIPT_NAME"]);

The reason the second form is more efficient is that when you omit the collection name, the server must search all the Request collections for a matching key rather than searching only the ServerVariables collection.

Using a lookup to obtain the name of the current file makes the code much more generic—you can obtain the code or HTML for any executing file using this syntax. Be careful, though—if you use Server.Execute or Server.Transfer, the Request.ServerVariables["SCRIPT_NAME"] variable still references the originally requested file.

The code for the View Code... and View HTML... buttons is almost identical. The only difference is that when obtaining the filename, the code either uses the return value of the Server.MapPath method directly (see the btnHTML_Click code in Listing 8.6) or appends .cs to the returned filename, which references the code-behind file (see the btnCode_Click event in Listing 8.6). In either case, the code creates a StreamReader object to read the text from the file:

sr = File.OpenText(currFile);

Next, it sets the Text property of the hidden label using the StreamReader object's ReadToEnd method to read the file contents, and then it makes the Label WebControl visible.

    Label2.Text = "<h3>HTML code for the file " + currFile +
        "</h3><pre>" + Server.HtmlEncode(sr.ReadToEnd()) + "</pre>";
    Label2.Visible = true;

Using the HtmlDecode method has exactly the opposite result—you provide the method with encoded HTML, and it returns a string containing unescaped HTML. Both the HtmlEncode and HtmlDecode methods have an overloaded second version that stores the encoded or decoded text in a TextWriter object.
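As an added example (not one of the book's ch8 listings), the following console program applies System.Web.HttpUtility.HtmlEncode, which is what Server.HtmlEncode calls, to the string Listing 8.5 assigns to Label2, reverses it with HtmlDecode, and uses the TextWriter overload described above. It assumes .NET Framework or .NET 6+, where System.Web.HttpUtility is available outside a web request.

```csharp
// Added example: HtmlEncode/HtmlDecode outside the Page_Load context,
// so the encoded form the browser actually receives can be inspected.
using System;
using System.IO;
using System.Web;

class HtmlEncodeDemo
{
    // Text from Listing 8.5: markup that should be displayed, not interpreted.
    const string Raw = "This HTML code <span class=\"redbolditalic\">should " +
                       "appear</span> with the tags visible";

    static void Main()
    {
        // 1. What the browser receives for Label2: '<', '>', '"' and '&' are
        //    replaced by &lt; &gt; &quot; and &amp;, so the <span> is rendered
        //    as literal text instead of being parsed as an element.
        string encoded = HttpUtility.HtmlEncode(Raw);
        Console.WriteLine("Encoded        : " + encoded);

        // 2. HtmlDecode is the exact inverse. Decode only when the text really
        //    must be re-interpreted as markup and comes from a trusted source.
        string decoded = HttpUtility.HtmlDecode(encoded);
        Console.WriteLine("Round-trips    : " + (decoded == Raw));

        // 3. The TextWriter overload the text mentions: encode straight into a
        //    writer instead of building the whole encoded string first. This is
        //    the natural fit for streaming a file into a <pre> block, as
        //    Listing 8.6 does with the page's own source.
        using (var sw = new StringWriter())
        {
            sw.Write("<pre>");
            HttpUtility.HtmlEncode(Raw, sw);
            sw.Write("</pre>");
            Console.WriteLine("Via TextWriter : " + sw.ToString());
        }

        // 4. Encoding an already-encoded string turns "&lt;" into "&amp;lt;",
        //    which the browser shows as the literal text "&lt;". Encode each
        //    value exactly once, at the point where it is written to the page.
        Console.WriteLine("Double-encoded : " + HttpUtility.HtmlEncode(encoded));
    }
}
```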
