A website's rendered output should be HTML encoded within a page to protect it from cross-site scripting (XSS) attacks. This means that a page's HTML content should not contain potentially unsafe tags like <script> or <img> (for example, <img onload=...>).
Use the EncodeHtml property to HTML encode a DevExpress web control's value and element content. If the control's EncodeHtml property is set to true, the control's value and element content that contain HTML code are parsed. HTML tags' angle bracket (the characters < and >) are converted to specific symbols (< and >) when the control renders its value and elements to the page. This allows displaying the HTML code on the page as text. Note that the EncodeHtml property doesn't encode the control's value and elements specified on the client side.
Use the following links to navigate to the tables that provide information for which DevExpress control elements the corresponding EncodeHtml properties are in effect: