Stopping Attributes.Add from converting my JavaScript event code to HTML

[Nathan Sokalski]

I add several JavaScript events (onchange, onkeypress, etc.) to Controls
using the Add method of the Attributes collection. However, if the
JavaScript code contains certain characters, such as & or < or several
others, it converts them to html, such as &amp; or &lt; which can sometimes
cause my scripts not to work. How can I prevent ASP.NET from doing this?
Thanks.

 

[Cor Ligthert [MVP]]

Hi Nathan,

For that is the HTML en/decode classes.

http://msdn.microsoft.com/library/d...WebHttpServerUtilityClassHtmlEncodeTopic1.asp

I hope this helps,

Cor

 

[Nathan Sokalski]

That would be great if I were using something like the
System.Web.UI.HtmlTextWriter, but I am simply adding attributes objects
created declaratively in my *.aspx file. For example, I have the following
as part of my *.aspx file:


<asp:TextBox ID="txtRed" runat="server" MaxLength="3"
Width="35px">0</asp:TextBox>


And I have the following in my *.aspx.vb file:


txtRed.Attributes.Add("onchange", "if(this.value>=0&&this.value<=255){" &
redslider.ClientSetFunctionName & "(this.value);}else{this.value=" &
redslider.ClientGetFunctionName & "();}")


When my page is rendered, this comes out as the following (notice that the
&'s and < are replaced with their HTML representations):


onchange="if(this.value>=0&amp;&amp;this.value&lt;=255){sliderRed_setvalue(this.value);}else{this.value=sliderRed_getvalue();}"


The Server.HtmlDecode() method would not help me here because the
Attributes.Add() method takes a String as it's second parameter, and
Server.HtmlDecode() would not have any effect on it in my case, so I would
actually be passing the same String. Any other ideas? Thanks.

 

[Cor Ligthert [MVP]]

Nathan,

Are you sure you do not need this one. (In this page is a nice sample)
http://msdn2.microsoft.com/en-us/library/system.web.ui.webcontrols.webcontrol.attributes.aspx

Now you are using this one to add an attribute let say to an listbox, which
is in my idea sure not a piece of javascript
http://msdn2.microsoft.com/en-us/library/system.web.ui.attributecollection.add.aspx

I hope this helps,

Cor

 

[tfsmag]

I almost always create a .js file and include a reference in the head
tag to it on every page in a web app, if you did it this way you would
not need to add javascript to .net control attributes and could simply
add a function name rather than the full javascript?

 

[Nathan Sokalski]

In the first link you provided, the following example is given:

TextBox1.Attributes("onblur") = "javascript:alert('Hello! Focus lost from
text box!!');"

First of all, the value in this example does not have any characters that
would be affected by Server.HtmlEncode(). Second, it does not use the Add()
method (I would be willing to use either one, I do prefer the Add() method).
In your second link, the following example is given:

FirstSelect.Attributes.Add("Multiple", "True")

This example, like you said, is not even JavaScript, and also does not have
any characters that would be affected by Server.HtmlEncode().

 

[Nathan Sokalski]

That might be true if you're talking about generating a *.js file using
ASP.NET. The reason I am adding the attributes using ASP.NET code is because
a large amount of the JavaScript is generated (it is different for different
instances of the control). You are correct in that I could create functions
and then call the functions, but since a large amount of my JavaScript is
generated, this would involve creating a lot of functions, many of which
might be only one line, almost doubling the amount of JavaScript, and it
would also involve generating unique names for all the functions. This could
end up being very inefficient, as well as confusing and increasing the
download size of the page.

 

[Cor Ligthert [MVP]]

Nathan,

You cannot use a ship to fly, in my opinion are you trying that by using the
wrong commands, if you want to fly with a ship, than you have a lot of
troubles, with a plane it is much easier.

What your cargo is, is not the first question.

Just my thought, reading your reply.

Cor

 

[Alessandro Zifiglio]

Nathan, in addition to Cor's suggestions, let me add that there is not much
you can do at this point that can change what is output by the
htmltextwriter. It's this writer which actually minimally HTML-encodes
everything. This is possibly for xhtml comformance, since an & is not a
legal character within an xml document and needs to be escaped. So are
characters like <>. I cant imagine you working around this, without doing
something a bit trival like through the HttpResponse.Filter which gives you
a chance to rewrite what is output by the htmltextwriter before it is
transmitted to the page =P
http://msdn2.microsoft.com/en-us/library/system.web.httpresponse.filter.aspx

There is full working example in the above url, that shows you howto attach
a filter to the response stream that makes the text displayed to the page
all uppercase.You will be searching for &amp; or whatever other html code
characters you dont want, and replacing them with the original you had
wanted.

That said, can you explain further why you want to work around this ? I dont
understand why your script shouldnt work *sometimes* with those characters
escaped.

Your problem, in my humble opinion is somewhere else, possibly in the js
code that you are writing, but i cant say much since the code you pasted
works very well *always* for me. I have pasted the code i tested below. Let
us know, what you are doing differently and under what circumstance its not
working for you.

Regards,
Alessandro Zifiglio
http://www.AsyncUI.net


<%@ Page Language="C#" %>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<script runat="server">
protected void Page_Load(object sender, EventArgs e)
{
TextBox1.Attributes.Add("onchange", "if (parseInt(this.value) >= 0
&& parseInt(this.value) <= 255){ alert('more than 0 and less than a
100');}");
}

</script>

<html xmlns="http://www.w3.org/1999/xhtml" >
<head runat="server">
<title>Untitled Page</title>
</head>
<body>
<form id="form1" runat="server">
<div>
<asp:TextBox ID="TextBox1" Text="" runat="server"></asp:TextBox>
</div>
</form>
</body>
</html>

 

[Nathan Sokalski]

I haven't really had any problems with the JavaScript not working because of
this, but it worries (not to mention frustrates) me that I might in the
future for the following reason:

Cross-browser compatibility: I am afraid that some new version of some
browser (or maybe even an existing one, as of now I have only tested on IE6)
will not like this incorrect JavaScript syntax

 

[Alessandro Zifiglio]

In case it helps you feel better about this, I have tested in IE6,
firefox1.5 and opera9. Works well. In your place i wont worry too much,
since this is pretty standard functionality supported by the browser and
tbh, i have not heard about this type of problem before.

Regards,
Alessandro Zifiglio
http://www.AsyncUI.net

 

[Alessandro Zifiglio]

Nathan, also, i forgot to mention that this is not* incorrect. Doing it
otherwise, the way you want is incorrect. For eg. if you were using js
codeblocks in your page as <script type="text/javascript">code here</script>
then you will be wrapping your code in cData blocks to escape the usual <>
and & ampersand characters and is mandatory for compliance with xhtml strict
doctype.
For inline js, you have to escape special characters, of which asp.net's
htmltextwriter is automatically escaping for you is the properway. So any
standards compliant useragent will support this and well.

Regards,
Alessandro Zifiglio
http://www.AsyncUI.net