I'm using the Gravatar helper class from Microsoft.Web.Helpers like so
<%: Gravatar.GetHtml("me#domain.com", 80, "identicon") %>
which produces in the source
<img src="http://www.gravatar.com/avatar/0ff2e377be7d73b15f0b48022a755717?s=80&d=identicon" alt="gravatar" />
The image URL does work but shouldn't it be &d=identicon and not &d=identicon? It appears to have encoded the ampersand. This is also the same when using Gravatar.GetUrl()
How can I stop it encoding the ampersand without rewriting my own version?
<%:Gravatar.GetHtml("me#domain.com", 80, "identicon") %>
Your telling it to encode the output, ":" is short hand for this. If you do not want to encode the output, do this
<%=Gravatar.GetHtml("me#domain.com", 80, "identicon") %>
As far as I am aware ":" is shorthand for outputting via Html.Encode()
=========Edit
What the Helper is doing is correct, it should be encoding the ampersand, more info at the link below
XHTML and & (Ampersand) encoding
In code (say in the controller action... and not in the *.aspx or *.cshtml markup), when I do this:
var avatarUrl = Gravatar.GetUrl("someone#somewhere.com", defaultImage: "identicon");
This will return the following string:
http://www.gravatar.com/avatar/923d10bc97028030e8e67e7db62658d1?s=80&d=identicon
Note the encoded ampersand (&) where there shouldn't be any encoding. I think this is not working as intended. The reason it matters, is because instead of getting the identicon (or gravatar) that we want, we get the default gravatar logo, which we dont want (the whole point of the identicon fallback). Remember, this was done from the controller, vice the view markup.
Related
I need an image loaded onto a html img tag using thymeleaf. The problem is, the image itself is obtained from a url which takes in two parameters.
Sample:
<img src="/products/images?categoryId=1&image=1" />
The trouble is, the image parameter is generated dynamically and hence I need to use a thymeleaf expression there. Therefore I tried something like this:
<img th:src="#{'/products/images?categoryId=1&image=' + ${product.id}}" />
But when I run this, I get the following message:
Exception parsing document: template="product-list", line 104 - column 59
Which points to the location where the '&' symbol occurs. Now, I have tried using '& amp;' but then, the url becomes something like
/products/images?categoryId=1&image=1
Obviously, this is not going to work.
So how else do I make a valid link with two parameters using thymeleaf then?
This can easily done by Thymeleaf. Don't concatenate strings and
simply use #{'/products/images'(categoryId=1, image= ${product.id})}
See the documentation.
The way that you escape an ampersand & in any html attribute is &. Actually you should always escape ampersands in all html attributes whether you are using Thymeleaf or not.
See this question for more details and references:
Do I encode ampersands in <a href...>?
When I use url helper to generate url for route with query params and then add that url to link href, validator warns me, that there is unescaped & in attribute:
▲
I tried to search but still I'm not sure who is responsible for escaping that.
Router generates url but that might be used anywhere, not only in html attribute, so it correctly does no escaping in his case.
Url helper does not change anything in that url but it is meand for use in html so it might done here
View template - there url is put inside href attribute, so it might be here too
I couldn't find any clue how to decide this and if fill an issue with zf2 about this.
EDIT: html/php code from paginator
<<
generates html
<<
and from what I found it should be
<<
I would argue that the current behavior (not HTML entity encoding) is correct and it is up to the developer to encode HTML entities, when appropriate.
For instance you may want to use the view helper inside a <script> tag, where the HTML entities would be uncalled for.
Just a query, I have used #Html.Raw(Item.sometext) before and it decodes the html tags correctly, I'm getting some data from remore source which is in json format, but when displayed on the page I found Html.raw did not decodes html tags.
To fix the problem I used:
#Html.Raw(HttpUtility.HtmlDecode(Item.sometext))
So my question is, can anyone please tell me why that could be the case, as I'm curious as to the reason. Im using mvc4 and asp.net 4.5
Thanks
George
Here is my answer in an attempt to explain better what I mean (in the comments).
Your JSON is formatted for example (which you have supplied) like so:
<p><b>Location. <\/b> <br \/>...
However, this is not valid HTML. Notice the escape characters used for the slashes '/'. So if you pass this value to Html.Raw it will (should) output it, but it's not valid HTML so will unlikely display correctly (if it display anything at all).
This escape character issue can be fixed using Html.Decode which will effectively return the following:
<p><b>Location. </b> <br />...
This is valid HTML, and can therefore be passed to Html.Raw without any problems
NOTE: Html.Raw does not do any encoding/decoding, in fact it explicitly instructs that the supplied value should not be encoded as it is already raw HTML. This is confirmed here:
Use the Raw method when the specified text represents an actual HTML
fragment that should not be encoded and that you want to render as
markup to the HTTP response.
I saw in a tutorial video that we should use Html.Encode in our views to prevent malicious injections. However, when the text that I'm encoding contains the ' character (for example Dog's) the output in the browser is Dog#39;s. I would have thought every potentially dangerous character would be remaped to some safe code that the browser would render correctly. Is this not the case? How can I get ' to show up in the browser but in an HTML safe way?
The # in Razor automatically encodes for you, meaning that you probably did a double encode.
Example:
#Html.Encode("This is \"safe\"")
is more or less the same as
#{Response.Write(Html.Encode(Html.Encode("This is \"safe\"")));}
Dunno if that last one works in Razor though.
If you are using ASP.NET MVC 2 <%: %> is already encoding the value for you
In Razor (MVC 3) # encodes the values for you so you do not need to wrap the output in Html.Encode
Make sure that you are not double encoding
Whenever I use Html.ActionLink it always Html encodes my display string. For instance I want my link to look like this:
More…
it outputs like this: More…
&hellip is "..." incase you were wondering.
However the actionlink outputs the actual text "…" as the link text. I have the same problem with if I want to output this:
<em>My-Post-Title-Here</em>
I wind up with:
<em>My-Post-Title-Here</em>
Any idea how to do this?
It looks like ActionLink always uses calls HttpUtility.Encode on the link text. You could use UrlHelper to generate the href and build the anchor tag yourself.
<a href='#Url.Action("Posts", ...)'>More…</a>
Alternatively you can "decode" the string you pass to ActionLink. Constructing the link in HTML seems to be slightly more readable (to me) - especially in Razor. Below is the equivalent for comparison.
#Html.ActionLink(HttpUtility.HtmlDecode("More…"), "Posts", ...)
The answer given by Sam is actually correct and I used it in my solution so I have therefore tried it myself.
You may want to remove the extra parenthesis so it becomes something like this:
#Html.ActionLink(HttpUtility.HtmlDecode("&"), "Index", "Home")
Alternatively, just use a plain Unicode ellipsis character \u2026 and let MVC worry about how to encode it. Unless there's some particularly compelling reason you'd specifically need a hellip entity reference as opposed to a character reference or just including the character as simple UTF-8 bytes.
Alternative alternatively: just use three periods. The ellipsis (U+2026) is a compatibility character, only included to round-trip to pre-Unicode encodings. It gets you very little compared to simple dots.
Check out this:
<p>Some text #(new HtmlString(stringToPaste)) </p>
Decode it before passing the value in. Just had this same issue (different characters) and it works fine:
Eg:
#Html.ActionLink(HttpUtility.HtmlDecode(_("&")), "Index", "Home")
Annoying though