HTML Encoding
To protect a website from cross-site scripting (XSS) attacks, HTML markup should be encoded: characters that have a special meaning in HTML (the angle brackets `<` and `>`, and likewise `&` and quotation marks) are converted to an alternate, entity form. Encoded content cannot introduce unsafe tags such as `<script>` or `<img>` (for example, `<img onload=...>`), because the browser displays the encoded characters as text instead of parsing them as markup.
Use the EncodeHtml property to encode a DevExpress web control’s value and element content. When a control’s EncodeHtml property is set to true, values and element content that contain HTML are processed before rendering: an HTML tag’s angle brackets (the `<` and `>` characters) are converted to the entities `&lt;` and `&gt;` when the control renders its value and elements to the page. As a result, HTML code is displayed on the page as text rather than interpreted by the browser. Note that the EncodeHtml property does not encode a control’s value or elements that are specified on the client side; content set through the client-side API is rendered as-is, so your own code must encode it (or never place untrusted data there). The tables below also list, per control, the elements that EncodeHtml does not cover; those are rendered as raw markup and need explicit encoding.
Follow the links below to view control elements for which corresponding EncodeHtml properties are available:
- ASPxWebControl.EncodeHtml Property
- EditPropertiesBase.EncodeHtml Property
- ASPxMemo.EncodeHtml Property
- ASPxFormLayout.EncodeHtml Property
- ASPxPivotGrid.EncodeHtml Property
- ASPxTextBoxBase.EncodeHtml Property
- ASPxTrackBar.EncodeHtml Property
ASPxGridView, ASPxCardView, ASPxVerticalGrid, ASPxTreeList and ASPxFilterControl do not have an EncodeHtml property. Use the following properties to encode data in these controls:
- A column’s EncodeHtml property encodes the column’s data field values.
- The EncodeErrorHtml property specifies whether a grid renders error text as HTML markup or as plain text.
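The following code-behind is an added example, not from the original page or from DevExpress, that configures an ASPxGridView according to the two rules above and encodes template content with HttpUtility.HtmlEncode as the tables below recommend. It assumes a page that declares the grid as ASPxGridView ID="gridComments" with KeyFieldName="Id"; the sample rows are constructed for this example. The member names PropertiesTextEdit.EncodeHtml, SettingsBehavior.EncodeErrorHtml and GridViewDataItemTemplateContainer.DataItem are my assumptions about where the page’s EncodeHtml and EncodeErrorHtml properties live in the API; verify them against your DevExpress version.

```csharp
using System;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using DevExpress.Web;

// Assumed markup: <dx:ASPxGridView ID="gridComments" runat="server" KeyFieldName="Id" />
// gridComments is the designer-generated field for that control.
public partial class CommentsGrid : Page
{
    protected void Page_Init(object sender, EventArgs e)
    {
        // 1. Plain data column: the column's editor properties carry EncodeHtml
        //    (EditPropertiesBase.EncodeHtml), which encodes the field value in every cell.
        var author = new GridViewDataTextColumn { FieldName = "Author" };
        author.PropertiesTextEdit.EncodeHtml = true;
        gridComments.Columns.Add(author);

        // 2. Templated column: the column's EncodeHtml does not reach template content,
        //    so the template encodes the value itself with HttpUtility.HtmlEncode.
        var body = new GridViewDataTextColumn { FieldName = "Body" };
        body.DataItemTemplate = new EncodedFieldTemplate("Body");
        gridComments.Columns.Add(body);

        // 3. Error text: render it as plain text, not as markup.
        gridComments.SettingsBehavior.EncodeErrorHtml = true;
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        // Bind on every request; the grid reloads its data during callbacks.
        gridComments.DataSource = SampleComments();
        gridComments.DataBind();
    }

    // Constructed sample data: the second row carries an XSS probe in both fields.
    static object SampleComments() => new[]
    {
        new { Id = 1, Author = "alice", Body = "Looks good." },
        new { Id = 2, Author = "<b>mallory</b>", Body = "<img src=x onerror=alert(1)>" },
    };
}

// Data item template that HTML-encodes one field value before writing it into the cell.
sealed class EncodedFieldTemplate : ITemplate
{
    readonly string fieldName;

    public EncodedFieldTemplate(string fieldName) { this.fieldName = fieldName; }

    public void InstantiateIn(Control container)
    {
        var literal = new Literal();
        literal.DataBinding += (sender, e) =>
        {
            // The container passed to InstantiateIn is the row's template container.
            var ctx = (GridViewDataItemTemplateContainer)container;
            object raw = DataBinder.Eval(ctx.DataItem, fieldName);
            ((Literal)sender).Text = HttpUtility.HtmlEncode(Convert.ToString(raw));
        };
        container.Controls.Add(literal);
    }
}
```

With this configuration the second row renders `&lt;b&gt;mallory&lt;/b&gt;` in the Author cell and `&lt;img src=x onerror=alert(1)&gt;` in the Body cell. Removing the HtmlEncode call from the template (or setting EncodeHtml to false on the Author column) reintroduces the raw markup, which is the quickest way to confirm that the template path is not covered by the column property.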
ASPxWebControl.EncodeHtml Property
| DevExpress Web Control | Element(s) for which the ASPxWebControl.EncodeHtml property is in effect | Notes |
|---|---|---|
| | CaptionSettings.RequiredMark (EditorCaptionSettings.RequiredMark); CaptionSettings.OptionalMark (EditorCaptionSettings.OptionalMark) | |
| ASPxCaptcha | CaptchaValidationSettings.ErrorText; ValidationSettings.RequiredField.ErrorText (ValidationPattern.ErrorText) | The control’s null text (CaptchaTextBoxProperties.NullText) is never interpreted as markup: even when ASPxWebControl.EncodeHtml is false, it is converted to text for display. |
| ASPxCloudControl | Items[i].Text (CloudControlItem.Text) | Not in effect for ASPxCloudControl.ItemBeginText and ASPxCloudControl.ItemEndText. These values are not HTML encoded and are rendered as raw HTML markup. |
| ASPxDataView | ASPxPager’s button texts | Not in effect for the ASPxDataView’s item content: item content is defined in templates, so encode it inside the template with HttpUtility.HtmlEncode. Not in effect for DataViewPagerSettings.ShowMoreItemsText and ASPxDataViewBase.EmptyDataText; these values are not HTML encoded and are rendered as raw HTML markup. |
| | AllButton.Text, FirstPageButton.Text, LastPageButton.Text, NextPageButton.Text, PrevPageButton.Text (PagerButtonProperties.Text) | Not in effect for the page size item’s caption (PageSizeItemSettings.Caption); this value is not HTML encoded and is rendered as raw HTML markup. |
| ASPxHeadline | | Not in effect for the control’s tail text (ASPxHeadline.TailText); this value is not HTML encoded and is rendered as raw HTML markup. The ASPxHeadline.MaxLength property and the ASPxHeadline.TailPosition property (when set to KeepWithLastWord) are not in effect if ASPxWebControl.EncodeHtml is false. |
| ASPxHint | | Not in effect for hint content specified on the client side. |
| ASPxHtmlEditor | ContextMenuItems[i].Text (HtmlEditorContextMenuItem.Text); ValidationSettings.RequiredField.ErrorText (ValidationPattern.ErrorText) | Not in effect for ToolbarItemPickerItem.Text and ToolbarItemPickerItem.Value. |
| ASPxImageGallery | Items[i].Text (ImageGalleryItem.Text); Items[i].FullscreenViewerText (ImageGalleryItem.FullscreenViewerText) | Not in effect for ASPxDataViewBase.EmptyDataText and ImageGalleryPagerSettings.ShowMoreItemsText; these values are not HTML encoded and are rendered as raw HTML markup. |
| ASPxImageSlider | Items[i].Text (ImageSliderItem.Text) | |
| ASPxMenu | Items[i].Text (MenuItem.Text) | |
| ASPxNavBar | Groups[i].Text (NavBarGroup.Text); Groups[i].Items[i].Text (NavBarItem.Text) | |
| ASPxNewsControl | Items[i].HeaderText (NewsItem.HeaderText); Items[i].Text (NewsItem.Text); ASPxPager’s button texts | Not in effect for HeadlineSettings.TailText and ASPxDataViewBase.EmptyDataText; these values are not HTML encoded and are rendered as raw HTML markup. The ItemSettings.MaxLength (ASPxHeadline.MaxLength) property and the ItemSettings.TailPosition property (with HeadlineSettings.TailPosition set to KeepWithLastWord) are not in effect if ASPxWebControl.EncodeHtml is false. |
| ASPxPageControl | TabPages[i].Text (TabBase.Text) | |
| | Items[i].Text (MenuItem.Text) | |
| ASPxPopupControl | ASPxPopupControlBase.HeaderText | |
| ASPxRibbon | Tabs[i].Text (RibbonTab.Text); Tabs[i].Groups[i].Text (RibbonGroup.Text); Tabs[i].Groups[i].Items[i].Text (RibbonItemBase.Text) | |
| | Elements of the ribbon and popup control | |
| ASPxRoundPanel | | Not in effect for ASPxRoundPanel.HeaderText; this value is not HTML encoded and is rendered as raw HTML markup. |
| | Elements of the ribbon and popup control | The control’s content is encoded. |
| ASPxTabControl | Tabs[i].Text (TabBase.Text) | |
| ASPxTitleIndex | Items[i].Text (TitleIndexItem.Text) | Not in effect for ASPxTitleIndex.NoDataText, FilterBox.Caption and FilterBox.InfoText; these values are not HTML encoded and are rendered as raw HTML markup. |
| ASPxTreeView | Nodes[i].Text (TreeViewNode.Text) | |
| ASPxUploadControl | AddButton.Text, UploadButton.Text, RemoveButton.Text, BrowseButton.Text, CancelButton.Text (UploadControlButtonPropertiesBase.Text) | |
| ASPxValidationSummary | | To encode error text within ASPxValidationSummary, set the corresponding editor’s EncodeHtml property to true. |
EditPropertiesBase.EncodeHtml Property
| DevExpress Web Control | Editor element(s) for which the EditPropertiesBase.EncodeHtml property is in effect | Notes |
|---|---|---|
| ASPxCalendar | CalendarFastNavProperties.CancelButtonText | |
| | ValidationSettings.RequiredField.ErrorText (ValidationPattern.ErrorText) | |
| | Items[i].Text (ListEditItem.Text); Items[i].Value (ListEditItem.Value); ValidationSettings.RequiredField.ErrorText (ValidationPattern.ErrorText) | |
| ASPxColorEdit | Buttons[i].Text (EditButton.Text); DropDownButton.Text (EditButton.Text); ClearButton.Text (EditButton.Text) | Even when EditPropertiesBase.EncodeHtml is false, the color editor’s value (ASPxColorEdit.Value), null text (ASPxColorEdit.NullText) and OK/Cancel button texts (ASPxColorEdit.OkButtonText / ASPxColorEdit.CancelButtonText) are not interpreted as markup; they are converted to text for display. |
| ASPxComboBox | Items[i].Text (ListEditItem.Text); Buttons[i].Text (EditButton.Text); DropDownButton.Text (EditButton.Text); ClearButton.Text (EditButton.Text); ValidationSettings.RequiredField.ErrorText (ValidationPattern.ErrorText); CaptionSettings.RequiredMark (EditorCaptionSettings.RequiredMark); CaptionSettings.OptionalMark (EditorCaptionSettings.OptionalMark) | Even when EditPropertiesBase.EncodeHtml is false, the editor’s null text (ASPxAutoCompleteBoxBase.NullText) is not interpreted as markup; it is converted to text for display. To improve security, use the editor’s item template together with the ItemTextCellPrepared and ItemRowPrepared events instead of EditPropertiesBase.EncodeHtml, and encode template content with HttpUtility.HtmlEncode. |
| ASPxDateEdit | Buttons[i].Text (EditButton.Text); DropDownButton.Text (EditButton.Text); ClearButton.Text (EditButton.Text); ValidationSettings.RequiredField.ErrorText (ValidationPattern.ErrorText); CaptionSettings.RequiredMark (EditorCaptionSettings.RequiredMark); CaptionSettings.OptionalMark (EditorCaptionSettings.OptionalMark); CalendarProperties.ClearButtonText; CalendarProperties.TodayButtonText; DateEditTimeSectionProperties.OkButtonText; DateEditTimeSectionProperties.CancelButtonText | Even when EditPropertiesBase.EncodeHtml is false, the editor’s null text (ASPxDateEdit.NullText) is not interpreted as markup; it is converted to text for display. |
| ASPxDropDownEdit | Buttons[i].Text (EditButton.Text); DropDownButton.Text (EditButton.Text); ClearButton.Text (EditButton.Text); ValidationSettings.RequiredField.ErrorText (ValidationPattern.ErrorText); CaptionSettings.RequiredMark (EditorCaptionSettings.RequiredMark); CaptionSettings.OptionalMark (EditorCaptionSettings.OptionalMark) | Even when EditPropertiesBase.EncodeHtml is false, the editor’s value (ASPxTextEdit.Text) and null text (ASPxDropDownEdit.NullText) are not interpreted as markup; they are converted to text for display. |
| ASPxListBox | Items[i].Text (ListEditItem.Text); Items[i].Value (ListEditItem.Value); ValidationSettings.RequiredField.ErrorText (ValidationPattern.ErrorText); CaptionSettings.RequiredMark (EditorCaptionSettings.RequiredMark); CaptionSettings.OptionalMark (EditorCaptionSettings.OptionalMark) | To improve security, use the editor’s item template together with the ItemTextCellPrepared and ItemRowPrepared events instead of EditPropertiesBase.EncodeHtml, and encode template content with HttpUtility.HtmlEncode. |
| | ValidationSettings.RequiredField.ErrorText (ValidationPattern.ErrorText) | |
| | Items[i].Text (ListEditItem.Text); Items[i].Value (ListEditItem.Value); ValidationSettings.RequiredField.ErrorText (ValidationPattern.ErrorText); CaptionSettings.RequiredMark (EditorCaptionSettings.RequiredMark); CaptionSettings.OptionalMark (EditorCaptionSettings.OptionalMark) | |
| ASPxSpinEdit | Buttons[i].Text (EditButton.Text); ClearButton.Text (EditButton.Text); ValidationSettings.RequiredField.ErrorText (ValidationPattern.ErrorText); CaptionSettings.RequiredMark (EditorCaptionSettings.RequiredMark); CaptionSettings.OptionalMark (EditorCaptionSettings.OptionalMark) | Even when EditPropertiesBase.EncodeHtml is false, the editor’s null text (ASPxSpinEdit.NullText) is not interpreted as markup; it is converted to text for display. |
| ASPxTimeEdit | Buttons[i].Text (EditButton.Text); ClearButton.Text (EditButton.Text); ValidationSettings.RequiredField.ErrorText (ValidationPattern.ErrorText); CaptionSettings.RequiredMark (EditorCaptionSettings.RequiredMark); CaptionSettings.OptionalMark (EditorCaptionSettings.OptionalMark) | Even when EditPropertiesBase.EncodeHtml is false, the editor’s value (ASPxTimeEdit.Value) and null text (ASPxTimeEdit.NullText) are not interpreted as markup; they are converted to text for display. |
| | | Even when EditPropertiesBase.EncodeHtml is false, the editor’s null text (ASPxTextBox.NullText) is not interpreted as markup; it is converted to text for display. To improve security, use the editor’s item template together with the ItemTextCellPrepared and ItemRowPrepared events instead of EditPropertiesBase.EncodeHtml, and encode template content with HttpUtility.HtmlEncode. |
ASPxMemo.EncodeHtml Property
| DevExpress Web Control | Element(s) for which the ASPxMemo.EncodeHtml property is in effect | Notes |
|---|---|---|
| ASPxMemo | CaptionSettings.RequiredMark (EditorCaptionSettings.RequiredMark); CaptionSettings.OptionalMark (EditorCaptionSettings.OptionalMark); ValidationSettings.RequiredField.ErrorText (ValidationPattern.ErrorText) | Even when ASPxMemo.EncodeHtml is false, the editor’s value (ASPxMemo.Text) and null text (ASPxMemo.NullText) are not interpreted as markup; they are converted to text for display. The ASPxMemo editor does not encode the value a user enters: the submitted text is raw, so encode it before rendering it anywhere else. |
ASPxFormLayout.EncodeHtml Property
| DevExpress Web Control | Element(s) for which the ASPxFormLayout.EncodeHtml property is in effect |
|---|---|
| ASPxFormLayout | Items[i].Caption (LayoutItemBase.Caption) |
ASPxPivotGrid.EncodeHtml Property
| DevExpress Web Control | Element(s) for which the ASPxPivotGrid.EncodeHtml property is in effect |
|---|---|
| ASPxPivotGrid | Cell values and column/row field values; pager button text (the pager elements covered by EncodeHtml are listed in the ASPxWebControl.EncodeHtml table above). |
ASPxTextBoxBase.EncodeHtml Property
| DevExpress Web Control | Editor element(s) for which the ASPxTextBoxBase.EncodeHtml property is in effect | Notes |
|---|---|---|
| ASPxButtonEdit | Buttons[i].Text (EditButton.Text) | Even when ASPxTextBoxBase.EncodeHtml is false, the button editor’s value (ASPxTextEdit.Text) and null text (ASPxButtonEdit.NullText) are not interpreted as markup; they are converted to text for display. |
| ASPxTextBox | | Even when ASPxTextBoxBase.EncodeHtml is false, the text box editor’s value (ASPxTextEdit.Text) and null text (ASPxTextBox.NullText) are not interpreted as markup; they are converted to text for display. |
ASPxTrackBar.EncodeHtml Property
| DevExpress Web Control | Element(s) for which the ASPxTrackBar.EncodeHtml property is in effect |
|---|---|
| ASPxTrackBar | Item and tooltip texts |