Code expression HTML encode in Asp.Net

Hi,


One of the new features in Asp.Net 4.0 is the inclusion of code expressions which are HTML encoded by default. In Asp.Net the code expression by default does not encode any text, and hence it leaves open the chance of a cross-site scripting attack.


In Asp.Net 4.0 we can now write expressions which get encoded automatically. To write an HTML-encoded expression we need to use the following expression

 

Continued...

Request Validation now validates All Asp.Net resources

Hi,

When a page is submitted, users can also send script along with the post data. Unauthorized postbacks could also be triggered. The event validation mechanism reduces the risk of unauthorized postback requests and callbacks when the EnableEventValidation property is set to true. This helps provide a default level of protection against cross-site scripting.

 

In the previous versions of Asp.Net, request validation was turned on by default, but the validation applied only to Asp.Net pages (aspx pages and their code-behind). This means there was no validation for other requested files such as CSS, images, etc.

 

Continued...

Single Quotation Marks will be encoded in HtmlEncode and UrlEncode

Hi,

One of the small but important changes in Asp.Net 4.0 is the change in the Encode methods. Now the HtmlEncode and UrlEncode methods in the HttpUtility and HttpServerUtility classes also encode the single quote (').

The HtmlEncode method encodes instances of the single quotation mark as "&#39;".

The UrlEncode method encodes instances of the single quotation mark as "%27".

Vikram
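
Why the single quote matters, as an added example that is not code from the original post: when a value is written into an attribute delimited by single quotes, an encoder that leaves the single quote alone lets the value end the attribute. EncodeWithoutSingleQuote is a constructed stand-in for the older behaviour, and the sample input is constructed; only HttpUtility.HtmlEncode and HttpUtility.UrlEncode are framework calls.

```csharp
using System;
using System.Text;
using System.Web; // HttpUtility (reference System.Web on .NET Framework 4.0 or later)

static class SingleQuoteEncodingDemo
{
    // Constructed stand-in for the older behaviour the post describes:
    // encodes & < > " but leaves the single quote untouched.
    static string EncodeWithoutSingleQuote(string s)
    {
        var sb = new StringBuilder(s.Length);
        foreach (char c in s)
        {
            switch (c)
            {
                case '&': sb.Append("&amp;"); break;
                case '<': sb.Append("&lt;"); break;
                case '>': sb.Append("&gt;"); break;
                case '"': sb.Append("&quot;"); break;
                default: sb.Append(c); break;
            }
        }
        return sb.ToString();
    }

    // Places an already encoded value in an attribute delimited by single quotes.
    static string RenderInput(string encodedValue)
    {
        return "<input type='text' value='" + encodedValue + "'>";
    }

    // True when the encoded value still contains the attribute delimiter,
    // meaning user input can end the attribute and add markup of its own.
    static bool CanCloseAttribute(string encodedValue)
    {
        return encodedValue.IndexOf('\'') >= 0;
    }

    static void Main()
    {
        // Constructed sample input containing single quotes.
        string input = "x' title='injected";

        string before = EncodeWithoutSingleQuote(input);
        string after = HttpUtility.HtmlEncode(input);

        Console.WriteLine(RenderInput(before) + "  closes attribute: " + CanCloseAttribute(before));
        Console.WriteLine(RenderInput(after) + "  closes attribute: " + CanCloseAttribute(after));
        Console.WriteLine("UrlEncode: " + HttpUtility.UrlEncode("it's"));
    }
}
```

Markup that relied on the older output to keep single quotes literal should be rechecked after upgrading, since the encoded form now appears in the rendered page.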


FormView Control will not render any HTML of its own in Asp.net 4.0 if RenderTable property is set to false

Hi,

Another of the new features of Asp.net 4.0 is the enhancement (in terms of rendering) made in the FormView control. By default the FormView control would render table, tr and td tags for display of content. This can be a lot of trouble for many designers because they have little control over the rendered HTML.

With Asp.net 4.0 you can disable the rendering of these HTML elements. (Mind you, in Asp.Net 4.0 these HTML elements are still rendered by default.) To do this, all you need to do is set the RenderTable property to False.

<asp:FormView ID="FormView1" runat="server" RenderTable="false">


This enhancement can make it easier to style the content of the control with CSS, because no unexpected tags are rendered by the control.

Vikram

Asp.net 4.0 set the page metadata programmatically with the help of Page level properties

Hi,

One of the small but new features in Asp.Net 4.0 is the addition of the Title, Metakeyword and Metadescription properties in the page class itself. Now we can easily set the Title, Metakeyword and Metadescription (very important for sites looking for SEO) from the page itself.

Continued...
 
Copyright © 2006 - 2010 Vikram Lakhotia