HTML Encoding
Content that a website renders into a page should be HTML encoded to protect the page from cross-site scripting (XSS) attacks. In practice this means that a page’s HTML output should not contain potentially unsafe tags such as <script> or <img> (for example, <img onload=…>) that originate from data rather than from the page author.
Use the EncodeHtml property to HTML encode a DevExpress web control’s value and element content. If the control’s EncodeHtml property is set to true, the control parses its value and element content that contain HTML code and, when it renders them to the page, converts the angle brackets of HTML tags (the characters < and >) into the corresponding character entities (&lt; and &gt;). The browser therefore displays the HTML code as text instead of interpreting it as markup. Note that the EncodeHtml property does not encode the control’s value and elements that are specified on the client side.
The following tables list, for each EncodeHtml property, the control elements for which the property is in effect:
- ASPxWebControl.EncodeHtml Property
- EditPropertiesBase.EncodeHtml Property
- ASPxMemo.EncodeHtml Property
- ASPxFormLayout.EncodeHtml Property
- ASPxPivotGrid.EncodeHtml Property
- ASPxTextBoxBase.EncodeHtml Property
- ASPxTrackBar.EncodeHtml Property
The ASPxGridView, ASPxCardView, ASPxVerticalGrid, ASPxTreeList and ASPxFilterControl controls do not provide the EncodeHtml property. Use the following properties to encode data in these controls:
- A column’s EncodeHtml property HTML encodes the data column’s field values.
- The EncodeErrorHtml property specifies whether a grid renders its error texts as HTML or as plain text (HTML tags are removed).
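The following C# is an added example, not DevExpress’s own code, that makes the behaviour described above concrete: it applies the same entity conversion that EncodeHtml performs at render time (HttpUtility.HtmlEncode, which the page itself recommends for templates) to a constructed untrusted value, switches EncodeHtml on for an ASPxMemo and an ASPxTextBox, and enables encoding for a grid column. The control instances, the DevExpress.Web namespace, the `UntrustedComment` sample and the `PropertiesEdit.EncodeHtml` path for grid columns are assumptions made for the example.

```csharp
// Added example; not DevExpress's own code. Assumes the DevExpress.Web namespace
// and the System.Web assembly are referenced.
using System;
using System.Web;
using DevExpress.Web;

public static class EncodeHtmlDemo
{
    // Constructed sample input: a stored comment that carries an event-handler attribute.
    public const string UntrustedComment = "<img src=\"x\" onload=\"alert(1)\">";

    // The transformation EncodeHtml applies when a control renders, done explicitly:
    // '<' -> &lt;   '>' -> &gt;   '&' -> &amp;   '"' -> &quot;   (and ' -> &#39; on .NET 4+).
    // The browser then shows the markup as literal text instead of parsing a tag.
    public static string Encode(string value)
    {
        return HttpUtility.HtmlEncode(value ?? string.Empty);
    }

    // Server-side values: let the editors encode when they render.
    // (Assumed control instances; ASPxTextBox inherits EncodeHtml from ASPxTextBoxBase.)
    public static void HardenEditors(ASPxMemo memo, ASPxTextBox textBox)
    {
        memo.EncodeHtml = true;       // ASPxMemo.EncodeHtml
        textBox.EncodeHtml = true;    // ASPxTextBoxBase.EncodeHtml

        // Both values are now rendered as
        // &lt;img src=&quot;x&quot; onload=&quot;alert(1)&quot;&gt;
        memo.Text = UntrustedComment;
        textBox.Text = UntrustedComment;
    }

    // ASPxGridView has no control-level EncodeHtml; encoding is configured per data
    // column. Assumption for this example: the column's edit properties
    // (EditPropertiesBase) carry the EncodeHtml switch.
    public static void HardenGridColumn(GridViewDataColumn column)
    {
        column.PropertiesEdit.EncodeHtml = true;
    }
}
```

`Encode` is what to use for any text the control does not encode for you (the "not in effect" cases in the tables below); it is idempotent in effect only if you apply it once per output, so encode at the point where the value is written into markup, not when it is stored.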
ASPxWebControl.EncodeHtml Property
DevExpress Web Control | Web control’s element(s) for which the ASPxWebControl.EncodeHtml property is in effect | Notes
---|---|---
ASPxCaptcha | CaptchaValidationSettings.ErrorText; ValidationSettings.RequiredField.ErrorText (ValidationPattern.ErrorText) | If the ASPxWebControl.EncodeHtml property is false, the control’s null text (CaptchaTextBoxProperties.NullText) is not executed; it is converted into the corresponding text for display purposes.
 | CaptionSettings.RequiredMark (EditorCaptionSettings.RequiredMark); CaptionSettings.OptionalMark (EditorCaptionSettings.OptionalMark) | 
ASPxValidationSummary | Set the corresponding editor’s EncodeHtml property to true to encode an error text within the ASPxValidationSummary. | 
ASPxHtmlEditor | ContextMenuItems[i].Text (HtmlEditorContextMenuItem.Text); ValidationSettings.RequiredField.ErrorText (ValidationPattern.ErrorText) | 
ASPxDataView | ASPxPager’s button texts | The ASPxWebControl.EncodeHtml property is not in effect for the ASPxDataView’s item content. Because item content is defined with templates, encode the template HTML with the HttpUtility.HtmlEncode method. The property is also not in effect for the DataViewPagerSettings.ShowMoreItemsText and ASPxDataViewBase.EmptyDataText properties; their values are not HTML encoded and are rendered as pure HTML markup.
ASPxPager | AllButton.Text, FirstPageButton.Text, LastPageButton.Text, NextPageButton.Text, PrevPageButton.Text (PagerButtonProperties.Text) | The ASPxWebControl.EncodeHtml property is not in effect for the page size item’s caption (PageSizeItemSettings.Caption). This property value is not HTML encoded and is rendered as pure HTML markup.
ASPxHeadline | | The ASPxWebControl.EncodeHtml property is not in effect for the control’s tail text (ASPxHeadline.TailText). This property value is not HTML encoded and is rendered as pure HTML markup. The ASPxHeadline.MaxLength and ASPxHeadline.TailPosition (when set to KeepWithLastWord) properties are not in effect if the ASPxWebControl.EncodeHtml property is set to false.
ASPxHint | | The ASPxWebControl.EncodeHtml property is not in effect for hint content specified on the client side.
ASPxNewsControl | Items[i].HeaderText (NewsItem.HeaderText); Items[i].Text (NewsItem.Text); ASPxPager’s button texts | The ASPxWebControl.EncodeHtml property is not in effect for the HeadlineSettings.TailText and ASPxDataViewBase.EmptyDataText properties. These properties’ values are not HTML encoded and are rendered as pure HTML markup. The ItemSettings.MaxLength (ASPxHeadline.MaxLength) and ItemSettings.TailPosition (HeadlineSettings.TailPosition, when set to KeepWithLastWord) properties are not in effect if the ASPxWebControl.EncodeHtml property is set to false.
ASPxImageGallery | Items[i].Text (ImageGalleryItem.Text); Items[i].FullScreenViewerText (ImageGalleryItem.FullscreenViewerText) | The ASPxWebControl.EncodeHtml property is not in effect for the ASPxDataViewBase.EmptyDataText and ImageGalleryPagerSettings.ShowMoreItemsText properties. These properties’ values are not HTML encoded and are rendered as pure HTML markup.
ASPxImageSlider | Items[i].Text (ImageSliderItem.Text) | 
ASPxMenu | Items[i].Text (MenuItem.Text) | 
ASPxPopupMenu | Items[i].Text (MenuItem.Text) | 
ASPxNavBar | Groups[i].Text (NavBarGroup.Text); Groups[i].Items[i].Text (NavBarItem.Text) | 
ASPxPopupControl | ASPxPopupControlBase.HeaderText | 
ASPxPageControl | TabPages[i].Text (TabBase.Text) | 
ASPxTabControl | Tabs[i].Text (TabBase.Text) | 
ASPxCloudControl | Items[i].Text (CloudControlItem.Text) | The ASPxWebControl.EncodeHtml property is not in effect for the ASPxCloudControl.ItemBeginText and ASPxCloudControl.ItemEndText properties. These properties’ values are not HTML encoded and are rendered as pure HTML markup.
ASPxTitleIndex | Items[i].Text (TitleIndexItem.Text) | The ASPxWebControl.EncodeHtml property is not in effect for the ASPxTitleIndex.NoDataText, FilterBox.Caption and FilterBox.InfoText properties. These properties’ values are not HTML encoded and are rendered as pure HTML markup.
ASPxRibbon | Tabs[i].Text (RibbonTab.Text); Tabs[i].Groups[i].Text (RibbonGroup.Text); Tabs[i].Groups[i].Items[i].Text (RibbonItemBase.Text) | 
ASPxUploadControl | AddButton.Text, UploadButton.Text, RemoveButton.Text, BrowseButton.Text, CancelButton.Text (UploadControlButtonPropertiesBase.Text) | 
ASPxTreeView | Nodes[i].Text (TreeViewNode.Text) | 
ASPxRoundPanel | | The ASPxWebControl.EncodeHtml property is not in effect for the ASPxRoundPanel.HeaderText property. This property value is not HTML encoded and is rendered as pure HTML markup.
 | Elements of the ribbon and popup control | The control’s content is encoded.
 | Elements of the ribbon and popup control | 
EditPropertiesBase.EncodeHtml Property
DevExpress Web Control | Editor’s element(s) for which the EditPropertiesBase.EncodeHtml property is in effect | Notes
---|---|---
ASPxCalendar | CalendarFastNavProperties.CancelButtonText | 
 | ValidationSettings.RequiredField.ErrorText (ValidationPattern.ErrorText) | 
 | ValidationSettings.RequiredField.ErrorText (ValidationPattern.ErrorText) | 
 | Items[i].Text (ListEditItem.Text); Items[i].Value (ListEditItem.Value); ValidationSettings.RequiredField.ErrorText (ValidationPattern.ErrorText) | 
 | Items[i].Text (ListEditItem.Text); Items[i].Value (ListEditItem.Value); ValidationSettings.RequiredField.ErrorText (ValidationPattern.ErrorText); CaptionSettings.RequiredMark (EditorCaptionSettings.RequiredMark); CaptionSettings.OptionalMark (EditorCaptionSettings.OptionalMark) | 
ASPxColorEdit | Buttons[i].Text (EditButton.Text); DropDownButton.Text (EditButton.Text); ClearButton.Text (EditButton.Text) | If the EditPropertiesBase.EncodeHtml property is set to false, the color editor’s value (ASPxColorEdit.Value), null text (ASPxColorEdit.NullText) and OK/Cancel button texts (ASPxColorEdit.OkButtonText/ASPxColorEdit.CancelButtonText) are not executed and are converted into the corresponding text for display purposes.
ASPxSpinEdit | Buttons[i].Text (EditButton.Text); ClearButton.Text (EditButton.Text); ValidationSettings.RequiredField.ErrorText (ValidationPattern.ErrorText); CaptionSettings.RequiredMark (EditorCaptionSettings.RequiredMark); CaptionSettings.OptionalMark (EditorCaptionSettings.OptionalMark) | If the EditPropertiesBase.EncodeHtml property is set to false, the editor’s null text (ASPxSpinEdit.NullText) is not executed and is converted into the corresponding text for display purposes.
 | Items[i].Text (ListEditItem.Text); Buttons[i].Text (EditButton.Text); DropDownButton.Text (EditButton.Text); ClearButton.Text (EditButton.Text); ValidationSettings.RequiredField.ErrorText (ValidationPattern.ErrorText); CaptionSettings.RequiredMark (EditorCaptionSettings.RequiredMark); CaptionSettings.OptionalMark (EditorCaptionSettings.OptionalMark) | If the EditPropertiesBase.EncodeHtml property is set to false, the editor’s null text (ASPxAutoCompleteBoxBase.NullText) is not executed and is converted into the corresponding text for display purposes. We recommend that you use the editor’s Item Template and the ItemTextCellPrepared and ItemRowPrepared events instead of the EditPropertiesBase.EncodeHtml property for better security. Use the HttpUtility.HtmlEncode method to encode the template’s content.
 | | If the EditPropertiesBase.EncodeHtml property is set to false, the editor’s null text (ASPxTextBox.NullText) is not executed and is converted into the corresponding text for display purposes. We recommend that you use the editor’s Item Template and the ItemTextCellPrepared and ItemRowPrepared events instead of the EditPropertiesBase.EncodeHtml property for better security. Use the HttpUtility.HtmlEncode method to encode the template’s content.
 | Items[i].Text (ListEditItem.Text); Items[i].Value (ListEditItem.Value); ValidationSettings.RequiredField.ErrorText (ValidationPattern.ErrorText); CaptionSettings.RequiredMark (EditorCaptionSettings.RequiredMark); CaptionSettings.OptionalMark (EditorCaptionSettings.OptionalMark) | We recommend that you use the editor’s Item Template and the ItemTextCellPrepared and ItemRowPrepared events instead of the EditPropertiesBase.EncodeHtml property for better security. Use the HttpUtility.HtmlEncode method to encode the template’s content.
ASPxDateEdit | Buttons[i].Text (EditButton.Text); DropDownButton.Text (EditButton.Text); ClearButton.Text (EditButton.Text); ValidationSettings.RequiredField.ErrorText (ValidationPattern.ErrorText); CaptionSettings.RequiredMark (EditorCaptionSettings.RequiredMark); CaptionSettings.OptionalMark (EditorCaptionSettings.OptionalMark); CalendarProperties.ClearButtonText; CalendarProperties.TodayButtonText; DateEditTimeSectionProperties.OkButtonText; DateEditTimeSectionProperties.CancelButtonText | If the EditPropertiesBase.EncodeHtml property is set to false, the editor’s null text (ASPxDateEdit.NullText) is not executed and is converted into the corresponding text for display purposes.
ASPxDropDownEdit | Buttons[i].Text (EditButton.Text); DropDownButton.Text (EditButton.Text); ClearButton.Text (EditButton.Text); ValidationSettings.RequiredField.ErrorText (ValidationPattern.ErrorText); CaptionSettings.RequiredMark (EditorCaptionSettings.RequiredMark); CaptionSettings.OptionalMark (EditorCaptionSettings.OptionalMark) | If the EditPropertiesBase.EncodeHtml property is set to false, the editor’s value (ASPxTextEdit.Text) and null text (ASPxDropDownEdit.NullText) are not executed and are converted into the corresponding texts for display purposes.
ASPxTimeEdit | Buttons[i].Text (EditButton.Text); ClearButton.Text (EditButton.Text); ValidationSettings.RequiredField.ErrorText (ValidationPattern.ErrorText); CaptionSettings.RequiredMark (EditorCaptionSettings.RequiredMark); CaptionSettings.OptionalMark (EditorCaptionSettings.OptionalMark) | If the EditPropertiesBase.EncodeHtml property is set to false, the editor’s value (ASPxTimeEdit.Value) and null text (ASPxTimeEdit.NullText) are not executed and are converted into the corresponding texts for display purposes.
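Templated content is outside EncodeHtml’s reach in both tables above: the ASPxDataView row says its item content must be encoded with HttpUtility.HtmlEncode, and several editor rows recommend an Item Template with the same method over EncodeHtml. The following C# is an added example, not DevExpress’s own code, of an ITemplate that encodes every bound value before it is emitted. The `EncodedItemTemplate` class, the `"Comment"` field name and the assumption that the template container exposes the bound record through ASP.NET’s IDataItemContainer contract are all specific to this example; the wiring into ASPxDataView.ItemTemplate uses the property the page names.

```csharp
// Added example; not DevExpress's own code. An ITemplate that HTML-encodes the
// bound field before emitting it, for use where EncodeHtml is not in effect
// (templated item content). Assumes DevExpress.Web and System.Web are referenced.
using System;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using DevExpress.Web;

public class EncodedItemTemplate : ITemplate
{
    readonly string fieldName;

    // fieldName: the data-source field to display ("Comment" below is an assumed name).
    public EncodedItemTemplate(string fieldName)
    {
        if (string.IsNullOrEmpty(fieldName))
            throw new ArgumentException("A field name is required.", "fieldName");
        this.fieldName = fieldName;
    }

    // Called once per item; the Literal fills itself in when data binding runs.
    public void InstantiateIn(Control container)
    {
        var literal = new Literal();
        literal.DataBinding += OnDataBinding;
        container.Controls.Add(literal);
    }

    void OnDataBinding(object sender, EventArgs e)
    {
        var literal = (Literal)sender;

        // Assumption: the template container exposes the bound record as DataItem
        // (the standard ASP.NET IDataItemContainer contract). If the container type
        // differs, fall back to a reflective lookup of a DataItem property.
        var dataContainer = literal.BindingContainer as IDataItemContainer;
        object row = dataContainer != null
            ? dataContainer.DataItem
            : DataBinder.Eval(literal.BindingContainer, "DataItem");
        object value = row == null ? null : DataBinder.Eval(row, fieldName);

        // Every character that could open a tag or attribute becomes an entity, so a
        // stored "<img onload=...>" is displayed as text, never parsed as markup.
        // Convert.ToString(null) yields "", so null fields render as an empty item.
        literal.Text = "<div class=\"item\">"
            + HttpUtility.HtmlEncode(Convert.ToString(value))
            + "</div>";
    }

    // Hypothetical wiring into an ASPxDataView. The same template works for any
    // control that accepts an ITemplate for its item content.
    public static void Apply(ASPxDataView dataView)
    {
        dataView.ItemTemplate = new EncodedItemTemplate("Comment");
    }
}
```

The fixed markup (`<div class="item">`) is the template author’s and stays raw; only the data value is encoded. Keep that separation strict: if the template ever concatenates a data value into an attribute, a URL or a script block, HTML encoding alone is the wrong encoder for that context.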
ASPxMemo.EncodeHtml Property
DevExpress Web Control | Web control’s element(s) for which the ASPxMemo.EncodeHtml property is in effect | Notes
---|---|---
ASPxMemo | CaptionSettings.RequiredMark (EditorCaptionSettings.RequiredMark); CaptionSettings.OptionalMark (EditorCaptionSettings.OptionalMark); ValidationSettings.RequiredField.ErrorText (ValidationPattern.ErrorText) | If the ASPxMemo.EncodeHtml property is set to false, the editor’s value (ASPxMemo.Text) and null text (ASPxMemo.NullText) are not executed and are converted into the corresponding texts for display purposes.
ASPxFormLayout.EncodeHtml Property
DevExpress Web Control | Web control’s element(s) for which the ASPxFormLayout.EncodeHtml property is in effect |
---|---|
ASPxFormLayout | Items[i].Caption (LayoutItemBase.Caption) |
ASPxPivotGrid.EncodeHtml Property
DevExpress Web Control | Web control’s element(s) for which the ASPxPivotGrid.EncodeHtml property is in effect
---|---
ASPxPivotGrid | Cell values and column/row field values; pager button texts (see the ASPxPager row of the ASPxWebControl.EncodeHtml table for the pager elements the property covers).
ASPxTextBoxBase.EncodeHtml Property
DevExpress Web Control | Editor’s element(s) for which the ASPxTextBoxBase.EncodeHtml property is in effect | Notes
---|---|---
ASPxTextBox | | If the ASPxTextBoxBase.EncodeHtml property is set to false, the text box editor’s value (ASPxTextEdit.Text) and null text (ASPxTextBox.NullText) are not executed and are converted into the corresponding texts for display purposes.
ASPxButtonEdit | Buttons[i].Text (EditButton.Text) | If the ASPxTextBoxBase.EncodeHtml property is set to false, the button edit editor’s value (ASPxTextEdit.Text) and null text (ASPxButtonEdit.NullText) are not executed and are converted into the corresponding texts for display purposes.
ASPxTrackBar.EncodeHtml Property
DevExpress Web Control | Web control’s element(s) for which the ASPxTrackBar.EncodeHtml property is in effect
---|---
ASPxTrackBar | Item and tooltip texts.