1. 技术文章
  2. How to use HtmlEncode with TemplateFields, Data Binding, and a GridView

How to use HtmlEncode with TemplateFields, Data Binding, and a GridView

删除回忆录丶 提交于 2019-11-28 19:19:17

This is now possible to do using the new HTML encoding databinding syntax introduced in ASP.NET 4.

You can simply use:

<%#: Eval("MyField") %>

Or

<%#: Bind("MyField") %>

Note the colon after the pound/hash sign It's as simple as that.

Quote from http://weblogs.asp.net/leftslipper/archive/2007/06/29/how-asp-net-databinding-deals-with-eval-and-bind-statements.aspx

There isn’t a Bind method in ASP.NET. When ASP.NET parses your file and sees you're using

it generates some special code for it. When you use it's not a real function call. If ASP.NET parses the code and detects a Bind() statement, it splits the statement into two parts. The first part is the one-way databinding portion, which ends up being just a regular Eval() call. The second part is the reverse portion, which is typically some code along the lines of "string name = TextBox1.Text" that grabs the value back out from where it was bound. However, because ASP.NET has to parse Bind() statements, two-way databinding doesn’t support anything other than Bind(). For example, the following syntax is invalid because it tries to invoke arbitrary code and use Bind() at the same time:

The only formats supported in two-way databinding are Bind("field") and Bind("field", "format string {0}").

You could use Eval instead of Bind in your EditItemTemplate. You also need to cast to string:

<asp:Label ID="LabelDescription" 
           runat="server" 
           Text='<%# System.Web.HttpUtility.HtmlEncode((string)Eval("Description")) %>' />

As already explained by Darin Dimitrov you cannot use Bind as a parameter of a function. So Text='<%# System.Web.HttpUtility.HtmlEncode(Bind("Description")) %>' is not possible. On the other side it's usually not necessary to use HtmlEncode here because you will use Bind with a control which allows to change data, for instance along with a TextBox (as in the example of your EditItemTemplate). But a TextBox encodes automatically, so you can safely call Bind without the need of HtmlEncode:

<EditItemTemplate>
    <asp:TextBox ID="TextBoxDescription" runat="server"
                 Text='<%# Bind("Description") %>'
                 ValidationGroup="EditItemGrid"
                 MaxLength="30" />
    <asp:Validator ... />
</EditItemTemplate>

If a TextBox would not encode automatically using Bind would be a huge security hole (unless you are absolutely sure that your data are safe to be rendered to HTML without encoding).

But automatic encoding is NOT the case for a label for instance. Although you can also use Bind in the Text property of a label, the output to the label is NOT encoded automatically - a reason why using Bind with a label isn't a good practice, since you cannot encode the label text with Bind. Instead use Eval and wrap it into HtmlEncode as you have done it in your ItemTemplate: Text='<%# System.Web.HttpUtility.HtmlEncode((string)Eval("Description")) %>'

satya
<asp:TemplateField HeaderText="Description">     
  <EditItemTemplate>         
    <asp:TextBox ID="TextBoxDescription" runat="server" Text='<%# System.Web.HttpUtility.HtmlEncode(Bind("Description")) %>'                ValidationGroup="EditItemGrid"  MaxLength="30" />
     <asp:Validator ... />     
  </EditItemTemplate>     
  <ItemTemplate>         
     <asp:Label ID="LabelDescription" runat="server"  Text='<%# System.Web.HttpUtility.HtmlEncode(Convert.ToString(Eval("Description"))) %>' /> 
  </ItemTemplate> 
</asp:TemplateField>

Bind() is used for Two-Way Data Binding, for this to work you will have to use the RowUpdating event of the gridview.

void GridView_RowUpdating(Object sender, GridViewUpdateEventArgs e)
{
    foreach (DictionaryEntry entry in e.NewValues)
    {
        e.NewValues[entry.Key] = System.Web.HttpUtility.HtmlEncode(entry.Value.ToString());
    }
}

What about a simple extension method?

public static string HtmlEncode(this string s)
    {            
        s = HttpUtility.HtmlEncode(s);
        return s;
    }

You could then simply run: 

<asp:Label runat="server" Text=<%# ((string)Eval("MyStringField")).HtmlEncode() %> />

Kindly Refer to

http://forums.asp.net/p/1056231/1504717.aspx

I got the working solution from here . Its working like a charm for me.

In my case I was forced to use the "Bind" method on mi EditItemTemplate's TextBox because needed the data to be accessible in the NewValues array at the item_Updating event handling. So i figured out as follow:

on my EditItemTemplate : 

<EditItemTemplate>
     <asp:TextBox runat="server" Text='<%# Bind("field")%>' ID="TextBox112" OnPreRender="TextBox_PreRender_decode"></asp:TextBox>                                            
</EditItemTemplate>

then in the code behind :

protected void TextBox_PreRender_decode(object sender, EventArgs e)
{
    TextBox tb = (TextBox)sender;
    tb.Text = WebUtility.HtmlDecode(tb.Text);
}

This solution allowed me to show properly an html-encoded data for all of my TextBoxes and at the same time being able to access this data from the newValues array when the item_Updating event fires.

user285967

But take care if you use following code from Phaedrus and you have a checkbox column!

void GridView_RowUpdating(Object sender, GridViewUpdateEventArgs e)
{
    foreach (DictionaryEntry entry in e.NewValues)
    {
        e.NewValues[entry.Key] = System.Web.HttpUtility.HtmlEncode(entry.Value.ToString());
    }
}

Because the entry.Value.ToString() will make the true from the Checkbox to True and then you can not save it in the database field!

标签
ASP.NET
data-binding
gridview
html-encode
templatefield
易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!