HTML Encoding

To protect a website from cross-site scripting (XSS) attacks, HTML markup should be encoded (certain characters are converted to an alternate format). This conversion prevents injected tags such as <script> or <img> (for example, <img onload=…>) from being interpreted by the browser.

Use the EncodeHtml property to encode a DevExpress web control’s value and element content. If the control’s EncodeHtml property is set to true, the value and element content that contain HTML code are parsed, and an HTML tag’s angle brackets (the < and > characters) are converted to the corresponding entities (&lt; and &gt;) when the control renders its value and elements to the page. As a result, the HTML code is displayed on the page as text rather than executed. Note that the EncodeHtml property does not encode a control’s value and elements specified on the client side.

The sections below list the control elements for which corresponding EncodeHtml properties are available:

ASPxGridView, ASPxCardView, ASPxVerticalGrid, ASPxTreeList and ASPxFilterControl controls do not have an EncodeHtml property. Use the following properties to encode data in these controls:

  • A column’s EncodeHtml property encodes data column field values.

  • The EncodeErrorHtml property specifies whether a grid renders error text as HTML or as text (i.e., it removes HTML tags).

ASPxWebControl.EncodeHtml Property

For each DevExpress web control listed below, the bullets name the web control’s element(s) for which the ASPxWebControl.EncodeHtml property is in effect; notes follow where applicable.

ASPxBinaryImage
  • ASPxEditBase.Caption
  • CaptionSettings.RequiredMark (EditorCaptionSettings.RequiredMark)
  • CaptionSettings.OptionalMark (EditorCaptionSettings.OptionalMark)

ASPxButton
  • ASPxButton.Text

ASPxCaptcha
  • CaptchaValidationSettings.ErrorText
  • ValidationSettings.RequiredField.ErrorText (ValidationPattern.ErrorText)
  • RefreshButtonProperties.Text
  • CaptchaTextBoxProperties.LabelText

Even when the ASPxWebControl.EncodeHtml property is false, the control’s null text (CaptchaTextBoxProperties.NullText) is not executed as HTML; it is converted into text for display purposes.

ASPxCloudControl
  • Items[i].Text (CloudControlItem.Text)

The ASPxWebControl.EncodeHtml property is not in effect for the ASPxCloudControl.ItemBeginText and ASPxCloudControl.ItemEndText properties. Property values are not HTML encoded and are rendered as pure HTML markup.

ASPxDataView
  • ASPxPager’s button texts

The ASPxWebControl.EncodeHtml property is not in effect for the ASPxDataView’s item content. Since item content is defined using templates, use the HttpUtility.HtmlEncode method to encode the template’s HTML:

<ItemTemplate>
    <b>CategoryID</b>:
        <asp:Label ID="CategoryIDLabel" runat="server" Text='<%# System.Web.HttpUtility.HtmlEncode(Eval("CategoryID")) %>' />
</ItemTemplate>

The ASPxWebControl.EncodeHtml property is not in effect for the DataViewPagerSettings.ShowMoreItemsText and ASPxDataViewBase.EmptyDataText properties. Property values are not HTML encoded and are rendered as pure HTML markup.

ASPxPager
  • AllButton.Text (PagerButtonProperties.Text)
  • FirstPageButton.Text (PagerButtonProperties.Text)
  • LastPageButton.Text (PagerButtonProperties.Text)
  • NextPageButton.Text (PagerButtonProperties.Text)
  • PrevPageButton.Text (PagerButtonProperties.Text)

The ASPxWebControl.EncodeHtml property is not in effect for the page size item’s caption (PageSizeItemSettings.Caption). This property value is not HTML encoded and is rendered as pure HTML markup.

ASPxHeadline
  • ASPxHeadline.ContentText
  • ASPxHeadline.HeaderText

The ASPxWebControl.EncodeHtml property is not in effect for the control’s tail text (ASPxHeadline.TailText). This property value is not HTML encoded and is rendered as pure HTML markup.

The ASPxHeadline.MaxLength property and the ASPxHeadline.TailPosition property (set to KeepWithLastWord) are not in effect if the ASPxWebControl.EncodeHtml property is set to false.

ASPxHint
  • ASPxHint.Content
  • ASPxHint.Title

The ASPxWebControl.EncodeHtml property is not in effect for hint content specified on the client side.

ASPxHtmlEditor
  • ContextMenuItems[i].Text (HtmlEditorContextMenuItem.Text)
  • ValidationSettings.ErrorText
  • ValidationSettings.RequiredField.ErrorText (ValidationPattern.ErrorText)

The ASPxWebControl.EncodeHtml property is not in effect for ToolbarItemPickerItem.Text and ToolbarItemPickerItem.Value.

ASPxImageGallery
  • Items[i].Text (ImageGalleryItem.Text)
  • Items[i].FullScreenViewerText (ImageGalleryItem.FullscreenViewerText)

The ASPxWebControl.EncodeHtml property is not in effect for the ASPxDataViewBase.EmptyDataText and ImageGalleryPagerSettings.ShowMoreItemsText properties. Property values are not HTML encoded and are rendered as pure HTML markup.

ASPxImageSlider
  • Items[i].Text (ImageSliderItem.Text)

ASPxMenu
  • Items[i].Text (MenuItem.Text)

ASPxNavBar
  • Groups[i].Text (NavBarGroup.Text)
  • Groups[i].Items[i].Text (NavBarItem.Text)

ASPxNewsControl
  • Items[i].HeaderText (NewsItem.HeaderText)
  • Items[i].Text (NewsItem.Text)
  • ASPxPager’s button texts

The ASPxWebControl.EncodeHtml property is not in effect for the HeadlineSettings.TailText and ASPxDataViewBase.EmptyDataText properties. Property values are not HTML encoded and are rendered as pure HTML markup.

The ItemSettings.MaxLength (ASPxHeadline.MaxLength) property and the ItemSettings.TailPosition property (with HeadlineSettings.TailPosition set to KeepWithLastWord) are not in effect if the ASPxWebControl.EncodeHtml property is set to false.

ASPxPageControl
  • TabPages[i].Text (TabBase.Text)

ASPxPopupMenu
  • Items[i].Text (MenuItem.Text)

ASPxPopupControl
  • ASPxPopupControlBase.HeaderText
  • ASPxPopupControlBase.FooterText
  • ASPxPopupControlBase.Text

ASPxRibbon
  • Tabs[i].Text (RibbonTab.Text)
  • Tabs[i].Groups[i].Text (RibbonGroup.Text)
  • Tabs[i].Groups[i].Items[i].Text (RibbonItemBase.Text)

ASPxRichEdit
  • Elements of the ribbon and popup control

ASPxRoundPanel
  • ASPxWebControl.EncodeHtml

The ASPxWebControl.EncodeHtml property is not in effect for the ASPxRoundPanel.HeaderText property. This property value is not HTML encoded and is rendered as pure HTML markup.

ASPxSpreadsheet
  • Elements of the ribbon and popup control

The control’s content is encoded.

ASPxTabControl
  • Tabs[i].Text (TabBase.Text)

ASPxTitleIndex
  • Items[i].Text (TitleIndexItem.Text)

The ASPxWebControl.EncodeHtml property is not in effect for the ASPxTitleIndex.NoDataText, FilterBox.Caption and FilterBox.InfoText properties. Property values are not HTML encoded and are rendered as pure HTML markup.

ASPxTreeView
  • Nodes[i].Text (TreeViewNode.Text)

ASPxUploadControl
  • AddButton.Text (UploadControlButtonPropertiesBase.Text)
  • UploadButton.Text (UploadControlButtonPropertiesBase.Text)
  • RemoveButton.Text (UploadControlButtonPropertiesBase.Text)
  • BrowseButton.Text (UploadControlButtonPropertiesBase.Text)
  • CancelButton.Text (UploadControlButtonPropertiesBase.Text)

ASPxValidationSummary
  • ASPxValidationSummary.HeaderText

To encode error text within ASPxValidationSummary, set the corresponding editor’s EncodeHtml property to true.

EditPropertiesBase.EncodeHtml Property

For each DevExpress web control listed below, the bullets name the editor element(s) for which the EditPropertiesBase.EncodeHtml property is in effect; notes follow where applicable.

ASPxCalendar
  • ASPxCalendar.ClearButtonText
  • ASPxCalendar.TodayButtonText
  • CalendarFastNavProperties.CancelButtonText
  • CalendarFastNavProperties.OkButtonText
  • ValidationSettings.ErrorText

ASPxCheckBox
  • ASPxCheckBox.Text
  • ValidationSettings.ErrorText
  • ValidationSettings.RequiredField.ErrorText (ValidationPattern.ErrorText)

ASPxCheckBoxList
  • Items[i].Text (ListEditItem.Text)
  • Items[i].Value (ListEditItem.Value)
  • ValidationSettings.ErrorText
  • ValidationSettings.RequiredField.ErrorText (ValidationPattern.ErrorText)

ASPxColorEdit
  • Buttons[i].Text (EditButton.Text)
  • ASPxEditBase.Caption
  • ASPxTextEdit.HelpText
  • DropDownButton.Text (EditButton.Text)
  • ClearButton.Text (EditButton.Text)

Even when the EditPropertiesBase.EncodeHtml property is set to false, the color editor’s value (ASPxColorEdit.Value), null text (ASPxColorEdit.NullText) and OK/Cancel button texts (ASPxColorEdit.CancelButtonText/ASPxColorEdit.OkButtonText) are not executed as HTML; they are converted into the corresponding text for display purposes.

ASPxComboBox
  • Items[i].Text (ListEditItem.Text)
  • Buttons[i].Text (EditButton.Text)
  • ASPxTextEdit.HelpText
  • DropDownButton.Text (EditButton.Text)
  • ClearButton.Text (EditButton.Text)
  • ValidationSettings.ErrorText
  • ValidationSettings.RequiredField.ErrorText (ValidationPattern.ErrorText)
  • CaptionSettings.RequiredMark (EditorCaptionSettings.RequiredMark)
  • CaptionSettings.OptionalMark (EditorCaptionSettings.OptionalMark)

Even when the EditPropertiesBase.EncodeHtml property is set to false, the editor’s null text (ASPxAutoCompleteBoxBase.NullText) is not executed as HTML; it is converted into the corresponding text for display purposes.

To improve security, use the editor’s Item Template, and the ItemTextCellPrepared and ItemRowPrepared events, instead of the EditPropertiesBase.EncodeHtml property. Use the HttpUtility.HtmlEncode method to encode template content.

ASPxDateEdit
  • ASPxEditBase.Caption
  • ASPxTextEdit.HelpText
  • Buttons[i].Text (EditButton.Text)
  • DropDownButton.Text (EditButton.Text)
  • ClearButton.Text (EditButton.Text)
  • ValidationSettings.ErrorText
  • ValidationSettings.RequiredField.ErrorText (ValidationPattern.ErrorText)
  • CaptionSettings.RequiredMark (EditorCaptionSettings.RequiredMark)
  • CaptionSettings.OptionalMark (EditorCaptionSettings.OptionalMark)
  • CalendarProperties.ClearButtonText
  • CalendarProperties.TodayButtonText
  • DateEditTimeSectionProperties.OkButtonText
  • DateEditTimeSectionProperties.CancelButtonText
  • CalendarFastNavProperties.OkButtonText

Even when the EditPropertiesBase.EncodeHtml property is set to false, the editor’s null text (ASPxDateEdit.NullText) is not executed as HTML; it is converted into the corresponding text for display purposes.

ASPxDropDownEdit
  • ASPxEditBase.Caption
  • ASPxTextEdit.HelpText
  • Buttons[i].Text (EditButton.Text)
  • DropDownButton.Text (EditButton.Text)
  • ClearButton.Text (EditButton.Text)
  • ValidationSettings.ErrorText
  • ValidationSettings.RequiredField.ErrorText (ValidationPattern.ErrorText)
  • CaptionSettings.RequiredMark (EditorCaptionSettings.RequiredMark)
  • CaptionSettings.OptionalMark (EditorCaptionSettings.OptionalMark)

Even when the EditPropertiesBase.EncodeHtml property is set to false, the editor’s value (ASPxTextEdit.Text) and null text (ASPxDropDownEdit.NullText) are not executed as HTML; they are converted into the corresponding text for display purposes.

ASPxHyperLink
  • ASPxHyperLink.Text

ASPxLabel
  • ASPxLabel.Text

ASPxListBox
  • Items[i].Text (ListEditItem.Text)
  • Items[i].Value (ListEditItem.Value)
  • ASPxEditBase.Caption
  • ValidationSettings.ErrorText
  • ValidationSettings.RequiredField.ErrorText (ValidationPattern.ErrorText)
  • CaptionSettings.RequiredMark (EditorCaptionSettings.RequiredMark)
  • CaptionSettings.OptionalMark (EditorCaptionSettings.OptionalMark)

To improve security, use the editor’s Item Template, and the ItemTextCellPrepared and ItemRowPrepared events, instead of the EditPropertiesBase.EncodeHtml property. Use the HttpUtility.HtmlEncode method to encode template content.

ASPxRadioButton
  • ASPxCheckBox.Text
  • ValidationSettings.ErrorText
  • ValidationSettings.RequiredField.ErrorText (ValidationPattern.ErrorText)

ASPxRadioButtonList
  • Items[i].Text (ListEditItem.Text)
  • Items[i].Value (ListEditItem.Value)
  • ValidationSettings.ErrorText
  • ValidationSettings.RequiredField.ErrorText (ValidationPattern.ErrorText)
  • CaptionSettings.RequiredMark (EditorCaptionSettings.RequiredMark)
  • CaptionSettings.OptionalMark (EditorCaptionSettings.OptionalMark)

ASPxSpinEdit
  • ASPxSpinEdit.Value
  • ASPxEditBase.Caption
  • ASPxTextEdit.HelpText
  • Buttons[i].Text (EditButton.Text)
  • ClearButton.Text (EditButton.Text)
  • ValidationSettings.ErrorText
  • ValidationSettings.RequiredField.ErrorText (ValidationPattern.ErrorText)
  • CaptionSettings.RequiredMark (EditorCaptionSettings.RequiredMark)
  • CaptionSettings.OptionalMark (EditorCaptionSettings.OptionalMark)

Even when the EditPropertiesBase.EncodeHtml property is set to false, the editor’s null text (ASPxSpinEdit.NullText) is not executed as HTML; it is converted into the corresponding text for display purposes.

ASPxTimeEdit
  • ASPxEditBase.Caption
  • ASPxTextEdit.HelpText
  • Buttons[i].Text (EditButton.Text)
  • ClearButton.Text (EditButton.Text)
  • ValidationSettings.ErrorText
  • ValidationSettings.RequiredField.ErrorText (ValidationPattern.ErrorText)
  • CaptionSettings.RequiredMark (EditorCaptionSettings.RequiredMark)
  • CaptionSettings.OptionalMark (EditorCaptionSettings.OptionalMark)

Even when the EditPropertiesBase.EncodeHtml property is set to false, the editor’s value (ASPxTimeEdit.Value) and null text (ASPxTimeEdit.NullText) are not executed as HTML; they are converted into the corresponding text for display purposes.

ASPxTokenBox
  • ASPxTokenBox.Tokens
  • ListEditItem.Text
  • ListEditItem.Value
  • ASPxEditBase.Caption
  • ASPxTextEdit.HelpText

Even when the EditPropertiesBase.EncodeHtml property is set to false, the editor’s null text (ASPxTextBox.NullText) is not executed as HTML; it is converted into the corresponding text for display purposes.

To improve security, use the editor’s Item Template, and the ItemTextCellPrepared and ItemRowPrepared events, instead of the EditPropertiesBase.EncodeHtml property. Use the HttpUtility.HtmlEncode method to encode template content.
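The ItemTextCellPrepared approach recommended above for ASPxComboBox, ASPxListBox and ASPxTokenBox, shown as an added example that is not DevExpress’s own code: a code-behind that encodes each item’s text with HttpUtility.HtmlEncode as the combo box renders it. It assumes an ASPxComboBox named categoryCombo with a single text column, its ItemTextCellPrepared event wired to the handler, and an event argument exposing Item and TextCell (DevExpress’s ListEditItemTextCellPreparedEventArgs); the sample items are constructed.

```csharp
using System;
using System.Web;
using DevExpress.Web;

// Added example, not DevExpress's own code. Assumes the page declares
// <dx:ASPxComboBox ID="categoryCombo" runat="server" EncodeHtml="false"
//     OnItemTextCellPrepared="categoryCombo_ItemTextCellPrepared" />
// with a single text column, and that the event argument exposes Item and
// TextCell (DevExpress's ListEditItemTextCellPreparedEventArgs).
public partial class CategoryPage : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        if (IsPostBack)
            return;

        // Constructed sample items: the second one carries markup that must
        // reach the browser as literal text, never as live HTML.
        categoryCombo.Items.Add("Beverages", 1);
        categoryCombo.Items.Add("<b>Produce</b> & <script>probe()</script>", 2);
    }

    // Called once per item text cell while the list is rendered. Replacing the
    // cell text with its HTML-encoded form turns <, >, &, " and ' into the
    // entities &lt;, &gt;, &amp;, &quot; and &#39;, so the item is displayed
    // as text instead of being parsed as markup.
    protected void categoryCombo_ItemTextCellPrepared(object sender,
        ListEditItemTextCellPreparedEventArgs e)
    {
        e.TextCell.Text = HttpUtility.HtmlEncode(e.Item.Text);
    }
}
```

Text assigned to the editor through the client-side API bypasses this handler as well as EncodeHtml (see the note at the top of the page), so encode such values before assigning them.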

ASPxMemo.EncodeHtml Property

For the control below, the bullets name the web control’s element(s) for which the ASPxMemo.EncodeHtml property is in effect; a note follows.

ASPxMemo
  • ASPxEditBase.Caption
  • ASPxTextEdit.HelpText
  • CaptionSettings.RequiredMark (EditorCaptionSettings.RequiredMark)
  • CaptionSettings.OptionalMark (EditorCaptionSettings.OptionalMark)
  • ValidationSettings.ErrorText
  • ValidationSettings.RequiredField.ErrorText (ValidationPattern.ErrorText)

Even when the ASPxMemo.EncodeHtml property is set to false, the editor’s value (ASPxMemo.Text) and null text (ASPxMemo.NullText) are not executed as HTML; they are converted into the corresponding text for display purposes.

ASPxFormLayout.EncodeHtml Property

For the control below, the bullet names the web control’s element for which the ASPxFormLayout.EncodeHtml property is in effect.

ASPxFormLayout
  • Items[i].Caption (LayoutItemBase.Caption)

ASPxPivotGrid.EncodeHtml Property

For the control below, the bullets name the web control’s element(s) for which the ASPxPivotGrid.EncodeHtml property is in effect.

ASPxPivotGrid
  • Cell values and column/row field values.
  • Pager button text (for more information, see the ASPxPager elements listed above for which the EncodeHtml property is in effect).

ASPxTextBoxBase.EncodeHtml Property

For each DevExpress web control listed below, the bullets name the editor element(s) for which the ASPxTextBoxBase.EncodeHtml property is in effect; notes follow.

ASPxButtonEdit
  • ASPxEditBase.Caption
  • ValidationSettings.ErrorText
  • ASPxTextEdit.HelpText
  • Buttons[i].Text (EditButton.Text)

Even when the ASPxTextBoxBase.EncodeHtml property is set to false, the button edit editor’s value (ASPxTextEdit.Text) and null text (ASPxButtonEdit.NullText) are not executed as HTML; they are converted into the corresponding text for display purposes.

ASPxTextBox
  • ASPxEditBase.Caption
  • ValidationSettings.ErrorText
  • ASPxTextEdit.HelpText

Even when the ASPxTextBoxBase.EncodeHtml property is set to false, the text box editor’s value (ASPxTextEdit.Text) and null text (ASPxTextBox.NullText) are not executed as HTML; they are converted into the corresponding text for display purposes.

ASPxTrackBar.EncodeHtml Property

For the control below, the bullet names the web control’s element(s) for which the ASPxTrackBar.EncodeHtml property is in effect.

ASPxTrackBar
  • Item and tooltip texts.