Problem with ListView and Request.QueryString [modified]

foahchon

Hi, I'm trying to insert some text from the page's QueryString into a LayoutTemplate inside a ListView, but something so seemingly simple is proving to be very difficult (for me, at least). Here's the code I have for my LayoutTemplate:

        <LayoutTemplate>
            <h1><%# Request.QueryString\["itemtype"\] %> Items</h1>
            <asp:PlaceHolder ID="itemPlaceholder" runat="server"></asp:PlaceHolder>
        </LayoutTemplate>

The problem is that only "Items" shows up. I have also tried the <%= tag, but then it tells me the control cannot be modified because it contains code blocks. I'm running out of ideas, so any help would be greatly appreciated. Thanks.

modified on Monday, February 11, 2008 8:46 PM

dojohansen

I'm not a fan of this asp-style coding so I can't really help you unless you're willing to use the asp.net-style code-behind feature... but if you are, run the heading tag on the server and set it's text programmatically: .aspx:

Code-behind (.aspx.cs or .vb or ... - I choose C#):

void Page_Load(object sender, EventArgs e)
{
heading.InnerHtml = Request.Params["itemtype"] + " Items";
}

Notice that this solution has the additional benefit of protecting against script injections because the parameter will be interpreted as HTML code, not just literal text. Hence, a user putting

p.aspx?itemtype=close()

in the adress bar (or more problematically, manages to save an itemtype named so the database, causing other users to be directed to such a url) will render the > and < characters as > and < hence just displaying the text rather than execute the script!