CodeQL documentation

Block code with a single Response.Write()

ID: cs/asp/response-write
Kind: problem
Security severity: 
Severity: recommendation
Precision: high
Tags:
   - maintainability
   - frameworks/asp.net
Query suites:
   - csharp-security-and-quality.qls


An inline code block containing a single Response.Write() can be written more clearly using an inline expression.

ASP.NET provides general-purpose inline code, using the syntax “<%...%>”. The inline code can emit content into the resulting HTML page by calling Response.Write().

In many cases, the inline code is only one line long, and does nothing more than issue a single call to Response.Write(). For such cases, the call to Response.Write() can be longer than the code to compute what will be embedded. This makes it harder to understand the intent of the code.

Recommendation

ASP.NET also provides inline expressions, using the syntax “<%=...%>”. An inline expression does not need to call Response.Write(): the equals sign (=) is a concise way to tell ASP.NET to emit the value of the expression via Response.Write().

Example

This example shows a page where an inline code block writes content using Response.Write().

<%@ Page Language="C#" %>

<html>
<body>
<p>2 + 3 = <%Response.Write(2 + 3)%></p>
</body>
</html>

In the following example, the code block is replaced with an inline expression, and is thus more concise and direct.

<%@ Page Language="C#" %>

<html>
<body>
<p>2 + 3 = <%=2 + 3%></p>
</body>
</html>
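The rule this query enforces is narrow: a code block qualifies only when its whole body is one Response.Write() call (with or without a trailing semicolon), so two calls, a guarded call, or an already concise <%=...%> expression must not be touched. The following Python script is an added illustration written for this page, not code from the CodeQL repository; it scans a constructed .aspx sample for such blocks and rewrites them to the equivalent <%=...%> form. Since the page states that <%= %> is shorthand for Response.Write(), the rewrite preserves the page's output byte for byte; the regex-based scanner is a simplification (it does not handle a literal "%>" inside a C# string or verbatim @"" strings).

```python
import re

# Opens an ASP.NET inline code block "<% ... %>" but skips the other server
# tags: <%@ directive, <%= expression, <%: encoded expression, <%# data
# binding, <%$ expression builder and <%-- comment. Constructed for this
# example; it assumes no "%>" appears inside a C# string literal.
CODE_BLOCK_RE = re.compile(r"<%(?![=@:#$\-])(?P<body>.*?)%>", re.DOTALL)

# Constructed sample page: only lines 4 and 5 should be flagged.
SAMPLE_ASPX = """<%@ Page Language="C#" %>
<html>
<body>
<p>2 + 3 = <%Response.Write(2 + 3)%></p>
<p>Joined: <% Response.Write(String.Format("{0}, {1}", a, b)); %></p>
<p>Two calls: <% Response.Write(a); Response.Write(b); %></p>
<p>Guarded: <% if (show) Response.Write(x); %></p>
<p>Already concise: <%= 2 + 3 %></p>
</body>
</html>
"""


def single_write_argument(body):
    """Return the argument text if `body` is exactly one Response.Write(...) call.

    Returns None for anything else: a second statement after the call, a call
    nested under an if/loop, an empty argument or unbalanced parentheses.
    Parentheses inside string literals are ignored, so Response.Write(")")
    is handled correctly.
    """
    stmt = body.strip()
    prefix = "Response.Write("
    if not stmt.startswith(prefix):
        return None
    depth = 0
    quote = None      # the quote character of the string literal we are inside, if any
    escape = False    # previous character was a backslash inside a string literal
    i = len(prefix) - 1  # index of the call's opening parenthesis
    while i < len(stmt):
        ch = stmt[i]
        if quote:
            if escape:
                escape = False
            elif ch == "\\":
                escape = True
            elif ch == quote:
                quote = None
        elif ch in ('"', "'"):
            quote = ch
        elif ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                break
        i += 1
    else:
        return None  # ran off the end: unbalanced parentheses
    arg = stmt[len(prefix):i].strip()
    rest = stmt[i + 1:].strip()
    if rest not in ("", ";") or not arg:
        return None  # something follows the call, or the call has no argument
    return arg


def find_single_write_blocks(aspx):
    """Return [(line_number, argument)] for every block the query would flag."""
    findings = []
    for m in CODE_BLOCK_RE.finditer(aspx):
        arg = single_write_argument(m.group("body"))
        if arg is not None:
            line = aspx.count("\n", 0, m.start()) + 1
            findings.append((line, arg))
    return findings


def rewrite_single_writes(aspx):
    """Replace each flagged block with the equivalent inline expression <%=...%>."""
    def repl(m):
        arg = single_write_argument(m.group("body"))
        return m.group(0) if arg is None else "<%=" + arg + "%>"
    return CODE_BLOCK_RE.sub(repl, aspx)


if __name__ == "__main__":
    for line, arg in find_single_write_blocks(SAMPLE_ASPX):
        print("line %d: single Response.Write(%s); use <%%=%s%%> instead" % (line, arg, arg))
    print(rewrite_single_writes(SAMPLE_ASPX))
```

Running the script reports lines 4 and 5 of the sample and prints the page with those two blocks rewritten; the two-call block, the guarded call and the existing <%= %> expression are left untouched, which is the same precision the query aims for.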
