CodeQL documentation

Block code with a single Response.Write()

ID: cs/asp/response-write
Kind: problem
Security severity:
Severity: recommendation
Precision: high
Tags:
  - quality
  - maintainability
  - readability
  - frameworks/asp.net
Query suites:
  - csharp-security-and-quality.qls


An inline code block containing a single Response.Write() call can be written more clearly using an inline expression.

ASP.NET provides general-purpose inline code, using the syntax "<%...%>". The inline code can emit content into the resulting HTML page by calling Response.Write().

In many cases, the inline code is only one line long and does nothing more than issue a single call to Response.Write(). For such cases, the call to Response.Write() can be longer than the code that computes what will be embedded, which makes it harder to understand the intent of the code.

Recommendation

ASP.NET also provides inline expressions, using the syntax "<%=...%>". An inline expression does not need to call Response.Write(): the equals sign (=) is a concise way to tell ASP.NET to call Response.Write() on the value of the expression.

Example

This example shows a page where an inline code block writes content using Response.Write().

<%@ Page Language="C#" %>
<html>
<body>
<p>2 + 3 = <%Response.Write(2 + 3);%></p>
</body>
</html>

In the following example, the code block is replaced with an inline expression, which is more concise and direct.

<%@ Page Language="C#" %>
<html>
<body>
<p>2 + 3 = <%=2 + 3%></p>
</body>
</html>
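The following Python script is an added example, not part of the CodeQL query help or of the CodeQL project: it implements the same check the query performs, on raw .aspx source, and proposes the inline-expression rewrite. It assumes a simplified view of ASP.NET markup (a code block is anything between "<%" and "%>" that is not a directive, inline expression, encoded expression, data-binding expression or server-side comment) and flags only blocks whose whole body is one Response.Write() call. A block such as Response.Write(a); Response.Write(b); must not be reported, so the argument is checked for balanced parentheses rather than trusting the regular expression alone. The sample page is constructed for the example.

```python
import re

# An inline code block "<% ... %>". The negative lookahead skips directives
# (<%@), inline expressions (<%=), encoded expressions (<%:), data-binding
# expressions (<%#) and server-side comments (<%--). A "%>" inside a C#
# string literal would end the block early; the example accepts that limit.
CODE_BLOCK = re.compile(r"<%(?![@=:#\-])(?P<body>.*?)%>", re.DOTALL)

# The body must be exactly one Response.Write( ... ) call, optionally
# followed by a single semicolon, with nothing else in the block.
SINGLE_WRITE = re.compile(
    r"^\s*Response\.Write\((?P<arg>.*)\)\s*;?\s*$", re.DOTALL
)


def _parens_balanced(text):
    """True if parentheses are balanced and the depth never goes negative.
    Characters inside double-quoted C# string literals are ignored. This is
    what rejects 'Response.Write(a); Response.Write(b)', whose regex-captured
    argument would otherwise be 'a); Response.Write(b'."""
    depth = 0
    in_string = False
    escaped = False
    for ch in text:
        if in_string:
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
            continue
        if ch == '"':
            in_string = True
        elif ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0 and not in_string


def single_write_argument(body):
    """Return the argument expression when the code block body is exactly one
    Response.Write call, otherwise None."""
    m = SINGLE_WRITE.match(body)
    if m is None:
        return None
    arg = m.group("arg").strip()
    if not arg or not _parens_balanced(arg):
        return None
    return arg


def suggest_rewrites(page_source):
    """Scan ASP.NET page source and return (original_block, suggestion) pairs
    for every inline code block that only calls Response.Write once."""
    results = []
    for m in CODE_BLOCK.finditer(page_source):
        arg = single_write_argument(m.group("body"))
        if arg is not None:
            results.append((m.group(0), "<%=" + arg + "%>"))
    return results


# Constructed sample page: only the first code block should be reported.
SAMPLE_PAGE = """<%@ Page Language="C#" %>
<html>
<body>
<p>2 + 3 = <%Response.Write(2 + 3);%></p>
<p><% Response.Write("a"); Response.Write("b"); %></p>
<p><% for (int i = 0; i < 3; i++) { Response.Write(i); } %></p>
<p><%= DateTime.Now %></p>
</body>
</html>
"""

if __name__ == "__main__":
    for original, suggestion in suggest_rewrites(SAMPLE_PAGE):
        print(original, "->", suggestion)
```

The rewrite is a readability change only: Response.Write() and "<%=...%>" both emit the value without HTML encoding, so a value that was unencoded before the rewrite is still unencoded afterwards (ASP.NET 4 and later provide "<%:...%>" for the encoded form).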
