6.5. State Encoding

By default, history points added from the server side are encoded or encrypted (depending on whether ViewState for the page is encrypted). This causes the data in the fragment identifier to look rather messy, as in Figure 6-5. This is the default behavior to protect the data from tampering by the user, since it is in plain sight on the URL and is inevitably processed on the server. Note that encoding is obfuscation, not secrecy: only encryption keeps a curious user from reading the state, and even an encrypted fragment that the server itself produced can be bookmarked, shared, or replayed later in a context where it no longer makes sense. So regardless of whether the data can be tampered with, you should treat history state as if it were user input. Don't trust it. Always validate that the data makes sense and is in the range of acceptable values for your application.

To turn encoding off, set the EnableSecureHistoryState property to false:

<asp:ScriptManager ID="ScriptManager1" runat="server"
        EnableHistory="true" EnableSecureHistoryState="false" />

Now the history state will be easily readable on the URL. For example, if you add two history points, you might see something like http://localhost/Default.aspx#&&key1=value1&key2=value2. The nice thing about this is that it provides a clue about what loading the URL will do, and it gives advanced users a way to "hack" the URL. For example, if you are on a product listing page and see product=widgets in the URL, you can probably just change it to product=wedges to see wedges instead. While you certainly shouldn't rely on that kind of navigation as a primary means of navigating your site, it gives your site an organized feel. Just be sure to expect garbage ...
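As an added example (not code from the book or from the ASP.NET AJAX framework), the following JavaScript shows the kind of validation the text calls for, applied to the plain-text fragment format shown above (#&&key=value&key=value). The allow-list of product names and the page-number rule are constructed assumptions for a hypothetical product listing page. The same checks belong in the server-side handler that processes the state, because a client-side check can always be bypassed; the parser is shown here because the fragment is a browser-side artifact.

```javascript
// Added example, not from the original page: parse and validate an
// unencoded ASP.NET AJAX history fragment such as "#&&product=widgets&page=2".
// The "#&&" prefix and key=value layout follow the URL shown in the text.

// Constructed allow-list for a hypothetical product listing page (assumption).
// A value rule is either a Set of permitted strings or a predicate function.
const ALLOWED_STATE = {
  product: new Set(['widgets', 'wedges', 'gadgets']), // known categories (assumed)
  page: (v) => /^[1-9][0-9]{0,2}$/.test(v),            // page number 1..999
};

// Parse the raw fragment (with or without the leading '#') into a
// prototype-less map. Anything that does not look like history state,
// and any malformed pair, is ignored rather than causing an exception.
function parseHistoryFragment(fragment) {
  const state = Object.create(null);
  let body = fragment.startsWith('#') ? fragment.slice(1) : fragment;
  if (!body.startsWith('&&')) return state; // not an AJAX history fragment
  body = body.slice(2);
  for (const pair of body.split('&')) {
    if (pair === '') continue;               // "&&" or trailing "&": skip
    const eq = pair.indexOf('=');
    if (eq <= 0) continue;                   // no '=' or empty key: garbage
    let key, value;
    try {
      key = decodeURIComponent(pair.slice(0, eq));
      value = decodeURIComponent(pair.slice(eq + 1));
    } catch (e) {
      continue;                              // bad %-escape (URIError): drop pair
    }
    if (key in state) continue;              // first occurrence wins
    state[key] = value;
  }
  return state;
}

// Validate a parsed state map against the allow-list. Unknown keys and
// values that fail their rule are rejected; the caller should fall back
// to application defaults for anything in `rejected`.
function validateHistoryState(state) {
  const accepted = Object.create(null);
  const rejected = [];
  for (const key of Object.keys(state)) {
    // hasOwnProperty guards against keys such as "constructor" or
    // "__proto__" resolving to members of Object.prototype.
    const rule = Object.prototype.hasOwnProperty.call(ALLOWED_STATE, key)
      ? ALLOWED_STATE[key]
      : undefined;
    const value = state[key];
    let ok;
    if (rule === undefined) ok = false;
    else if (rule instanceof Set) ok = rule.has(value);
    else ok = rule(value);
    if (ok) accepted[key] = value;
    else rejected.push(key);
  }
  return { accepted, rejected };
}

// Convenience wrapper: from raw fragment to accepted state in one call.
function acceptedHistoryState(fragment) {
  return validateHistoryState(parseHistoryFragment(fragment)).accepted;
}

// Usage (browser): acceptedHistoryState(window.location.hash)
```

Unknown keys are rejected rather than passed through, and duplicate keys keep the first value, so a URL that appends a second product=... after a legitimate one cannot override it. The rule lookup uses hasOwnProperty deliberately: a plain property access would let a key named constructor resolve to the Object function and be "validated" by calling it.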
