ASP.NET 4 introduces a new code nugget syntax <%: %>. Essentially, <%: foo %>translates to <%= HttpUtility.HtmlEncode(foo) %>. The team is trying to get developers to use <%: %>instead of <%= %>wherever possible to prevent XSS.

ASP.NET 4 引入了新的代码块语法<%: %>。本质上，<%: foo %>转换为<%= HttpUtility.HtmlEncode(foo) %>. 该团队正试图让开发人员使用<%: %>而不是<%= %>尽可能地防止 XSS。

However, this introduces the problem that if a code nugget already encodes its result, the <%: %>syntax will re-encodeit. This is solved by the introduction of the IHtmlString interface (new in .NET 4). If the foo()in <%: foo() %>returns an IHtmlString, the <%: %>syntax will not re-encode it.

但是，这引入了一个问题，如果代码块已经对其结果进行了编码，则<%: %>语法将对其重新编码。这是通过引入 IHtmlString 接口（.NET 4 中的新功能）解决的。如果FOO（）的<%: foo() %>返回一个IHtmlString，该<%: %>语法不会重新编码。

MVC 2's helpers return MvcHtmlString, which on ASP.NET 4 implements the interface IHtmlString. Therefore when developers use <%: Html.*() %>in ASP.NET 4, the result won't be double-encoded.

MVC 2 的助手返回 MvcHtmlString，它在 ASP.NET 4 上实现了接口 IHtmlString。因此，当开发人员<%: Html.*() %>在 ASP.NET 4 中使用时，结果不会被双重编码。

Edit:

编辑：

An immediate benefit of this new syntax is that your views are a little cleaner. For example, you can write <%: ViewData["anything"] %>instead of <%= Html.Encode(ViewData["anything"]) %>.

这种新语法的直接好处是您的视图更简洁一些。例如，您可以编写<%: ViewData["anything"] %>代替<%= Html.Encode(ViewData["anything"]) %>.

You would use an MvcHtmlStringif you want to pass raw HTML to an MVC helper method and you don't want the helper method to encode the HTML.

你会使用的MvcHtmlString，如果你想使用原始的HTML传递到MVC的辅助方法和你不想要的helper方法来编码的HTML。

A nice practical use of this is if you want to make your own HtmlHelperextensions. For example, I hate trying to remember the <link>tag syntax, so I've created my own extension method to make a <link>tag:

如果你想制作自己的HtmlHelper扩展，这是一个很好的实际用途。例如，我讨厌试图记住<link>标签语法，所以我创建了自己的扩展方法来制作<link>标签：

<Extension()> _
Public Function CssBlock(ByVal html As HtmlHelper, ByVal src As String, ByVal Optional ByVal htmlAttributes As Object = Nothing) As MvcHtmlString
    Dim tag = New TagBuilder("link")
    tag.MergeAttribute("type", "text/css")
    tag.MergeAttribute("rel", "stylesheet")
    tag.MergeAttribute("href", src)
    tag.MergeAttributes(New RouteValueDictionary(htmlAttributes))
    Dim result = tag.ToString(TagRenderMode.Normal)
    Return MvcHtmlString.Create(result)
End Function

I could have returned Stringfrom this method, but if I had the following would break:

我可以String从这个方法返回，但如果我有以下内容会中断：

<%: Html.CssBlock(Url.Content("~/sytles/mysite.css")) %>

<%: Html.CssBlock(Url.Content("~/sytles/mysite.css")) %>

With MvcHtmlString, using either <%: ... %>or <%= ... %>will both work correctly.

使用MvcHtmlString，使用<%: ... %>或<%= ... %>两者都可以正常工作。

This is a late answer but if anyone reading this question is using razor, what you should remember is that razor encodes everything by default, but by using MvcHtmlStringin your html helpers you can tell razor that it doesn't need to encode it.

这是一个迟到的答案，但如果阅读此问题的任何人都在使用 razor，您应该记住的是，razor 默认对所有内容进行编码，但是通过MvcHtmlString在您的 html 助手中使用，您可以告诉 razor 它不需要对其进行编码。

If you want razor to not encode a string use

如果您希望 razor 不对字符串进行编码，请使用

@Html.Raw("<span>hi</span>")

Decompiling Raw(), shows us that it's wrapping the string in a HtmlString

反编译 Raw()，向我们展示它正在将字符串包装在一个 HtmlString 中

public IHtmlString Raw(string value) {
    return new HtmlString(value); 
}

"HtmlString only exists in ASP.NET 4.

" HtmlString 只存在于 ASP.NET 4 中。

MvcHtmlString was a compatibility shim added to MVC 2 to support both .NET 3.5 and .NET 4. Now that MVC 3 is .NET 4 only, it's a fairly trivial subclass of HtmlString presumably for MVC 2->3 for source compatibility." source

MvcHtmlString 是添加到 MVC 2 以支持 .NET 3.5 和 .NET 4 的兼容性垫片。现在 MVC 3 只是 .NET 4，它是 HtmlString 的一个相当简单的子类，大概用于 MVC 2->3 以实现源兼容性。" 来源