Introducing .NET 4.0 With VS 2010 Reading Notes, Part 3
HTML Encoding
ASP.NET 4.0 offers a new markup syntax that uses the colon character to tell ASP.NET to HTML encode the expression:
<%: "<script>alert('I wont be run');</script>"%>
When ASP.NET parses this, it treats the expression as if you had written:
<%= HttpUtility.HtmlEncode(YourVariableHere) %>
HtmlString
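ASP.NET 4.0 includes the new HtmlString class, which indicates that an expression is already properly encoded and should not be re-examined, so the <%: %> syntax writes it out without encoding it again. This prevents “safe” values from potentially firing dangerous request validation rules. Because the content is emitted as-is, wrap only values that are trusted or already encoded; the script in the following example will run: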
<%: new HtmlString("<script>alert('I will now be run');</script>") %>
Custom Request Validation
It is now possible to override the default request validators by inheriting from the System.Web.Util.RequestValidator class and overriding the method IsValidRequestString(). You must then specify the custom validator in the httpRuntime section in Web.config:
<httpRuntime requestValidationType="Apress.MyValidator, Samples"/>
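A sketch of such a validator, added here as an example and not taken from the book. The type name matches the Web.config entry above; the extra rule (rejecting NUL, CR and LF in query-string and cookie values) is an assumption chosen for illustration.

```csharp
using System.Web;
using System.Web.Util;

namespace Apress
{
    // Type name matches requestValidationType="Apress.MyValidator, Samples".
    public class MyValidator : RequestValidator
    {
        protected override bool IsValidRequestString(
            HttpContext context,
            string value,
            RequestValidationSource requestValidationSource,
            string collectionKey,
            out int validationFailureIndex)
        {
            // Keep the built-in checks: the custom validator replaces the
            // default one, so skipping this call would drop them entirely.
            if (!base.IsValidRequestString(context, value,
                    requestValidationSource, collectionKey,
                    out validationFailureIndex))
            {
                return false;
            }

            // Assumed extra rule (illustrative only): no NUL, CR or LF in
            // query-string or cookie values. Form fields are left alone
            // because multi-line input legitimately contains CR/LF.
            bool strictSource =
                requestValidationSource == RequestValidationSource.QueryString ||
                requestValidationSource == RequestValidationSource.Cookies;

            if (strictSource && value != null)
            {
                int index = value.IndexOfAny(new[] { '\0', '\r', '\n' });
                if (index >= 0)
                {
                    // Report where the rejected character sits in the value.
                    validationFailureIndex = index;
                    return false;
                }
            }

            return true;
        }
    }
}
```

Returning false makes ASP.NET reject the request with its usual request validation exception, so a rule that is too broad shows up as failed requests rather than silently altered input.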
Custom Encoders
If you feel that ASP.NET’s existing page encoders are insufficient, you can now create your own by inheriting from the System.Web.Util.HttpEncoder class and specifying the new encoder in the encoderType attribute of httpRuntime, for example:
<httpRuntime encoderType="Apress.MyEncoder, Samples"/>
Valid URL Characters
Previous versions of ASP.NET limited accepted URLs to a specific set of characters. The following characters were considered invalid in a URL: <, >, &. You can use the new requestPathInvalidCharacters attribute of httpRuntime to specify invalid characters (such as the above). The example below makes a, b and c invalid in requests (which isn’t too useful but demonstrates the feature):
<httpRuntime requestPathInvalidCharacters="a,b,c"/>
Compress Session State
It is generally a good rule to avoid storing anything in session unless absolutely necessary, but if you must, ASP.NET 4.0 allows you to compress session state. Session state compression cannot be used by an in-process session, so it is only applicable if your application is using State Server or SQL Server session state. To compress session state, simply set the compressionEnabled property to true in Web.config:
<sessionState compressionEnabled="true"></sessionState>
Session state is compressed using the GZip algorithm. Note that compressing session state requires the server to do more work, so it could adversely affect the performance of your application.
