HTML Encoding
Web browsers can interpret data that contains reserved characters as HTML markup and execute that data as code. Encode such data to prevent this behavior and protect a website from cross-site scripting (XSS) attacks.
DevExpress web controls implement an EncodeHtml property that allows you to encode the control’s value and element content. When the property is set to true, the control converts angle brackets (the < and > characters) to character entity references (&lt; and &gt;) and displays HTML code as text.
The EncodeHtml property ignores values and element content specified on the client.
This topic consists of sections that describe how HTML encoding is implemented in a particular DevExpress ASP.NET Web Forms control.
BinaryImage
The EncodeHtml property encodes the following ASPxBinaryImage property values:
Button
The EncodeHtml property encodes an ASPxButton control’s Text property value.
ButtonEdit
The EncodeHtml property encodes the following ASPxButtonEdit property values:
- Caption
- HelpText
- Text of individual buttons
- CaptionSettings.OptionalMark
- CaptionSettings.RequiredMark
- ValidationSettings.ErrorText
- ValidationSettings.RequiredField.ErrorText
The control always encodes its Text and NullText property values.
Calendar
The EncodeHtml property encodes the following ASPxCalendar property values:
- ClearButtonText
- TodayButtonText
- FastNavProperties.CancelButtonText
- FastNavProperties.OkButtonText
- ValidationSettings.ErrorText
- ValidationSettings.RequiredField.ErrorText
Captcha
The EncodeHtml property encodes the following ASPxCaptcha property values:
- RefreshButton.Text
- TextBox.LabelText
- ValidationSettings.ErrorText
- ValidationSettings.RequiredField.ErrorText
The control always encodes its TextBox.NullText property value.
CardView
A column’s PropertiesEdit.EncodeHtml property encodes column cell values in an ASPxCardView control.
The SettingsBehavior.EncodeErrorHtml property encodes the control’s error texts. Set the SettingsCommandButton.EncodeHtml property to true to encode a command button’s text.
CheckBox
The EncodeHtml property encodes the following ASPxCheckBox property values:
CheckBoxList
The EncodeHtml property encodes the following ASPxCheckBoxList property values:
- Text of individual items
- Value of individual items
- ValidationSettings.ErrorText
- ValidationSettings.RequiredField.ErrorText
CloudControl
The EncodeHtml property encodes Text of individual items in an ASPxCloudControl control.
The control does not encode its ItemBeginText and ItemEndText property values and renders them as HTML markup.
ColorEdit
The EncodeHtml property encodes the following ASPxColorEdit property values:
- Caption
- HelpText
- Text of individual buttons
- CaptionSettings.OptionalMark
- CaptionSettings.RequiredMark
- ClearButton.Text
- DropDownButton.Text
Values of the following properties are always encoded:
ComboBox
The EncodeHtml property encodes the following ASPxComboBox property values:
- Caption
- HelpText
- Text of individual buttons
- Text of individual items
- CaptionSettings.OptionalMark
- CaptionSettings.RequiredMark
- ClearButton.Text
- DropDownButton.Text
- ValidationSettings.ErrorText
- ValidationSettings.RequiredField.ErrorText
The control always encodes its NullText property value.
The EncodeHtml property is not in effect for item template content. Call the HttpUtility.HtmlEncode method to encode it.
<dx:ASPxComboBox ID="ComboBox" DataSourceID="ContactsDataSource" runat="server">
    <ItemTemplate>
        <b>CategoryID</b>:
        <asp:Label ID="CategoryIDLabel" runat="server"
            Text='<%# System.Web.HttpUtility.HtmlEncode(Eval("Phone")) %>' />
    </ItemTemplate>
</dx:ASPxComboBox>
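The two behaviors described above (the angle-bracket conversion that EncodeHtml applies to property values, and the item template content that EncodeHtml leaves untouched unless the template calls HttpUtility.HtmlEncode itself) are modeled below in JavaScript. This is an added example, not code from the DevExpress documentation or library. The encoder uses the full HttpUtility.HtmlEncode character set (&, <, >, " and the apostrophe), which is wider than the angle-bracket conversion the page attributes to EncodeHtml; the renderLabel and renderItemTemplate helpers, the countTags check and the SAMPLE_ITEM value are all constructed for illustration. The same template pattern appears later on this page for ASPxDataView, ASPxListBox and ASPxTokenBox.

```javascript
// Added example, not code from the DevExpress documentation or library.
// It models the two cases the page describes: a control property value that
// EncodeHtml renders as text, and an ItemTemplate whose bound field is left
// alone by EncodeHtml and is only encoded if the template calls an encoder.

// Character-to-entity map. The page describes EncodeHtml converting '<' and
// '>'; HttpUtility.HtmlEncode also encodes '&', '"' and the apostrophe
// (from .NET 4 on), so that wider set is used here.
const ENTITIES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Encode a value so a browser displays it as text instead of parsing it as
// markup. A single regex pass replaces each special character exactly once,
// so the output never contains a raw special character. Calling it twice on
// the same value double-encodes (e.g. "<" -> "&amp;lt;"), which is the usual
// symptom of encoding a value in two places.
function htmlEncode(value) {
  const text = value === null || value === undefined ? "" : String(value);
  return text.replace(/[&<>"']/g, (ch) => ENTITIES[ch]);
}

// Models a control property value (e.g. ASPxLabel.Text) rendered with the
// EncodeHtml property on or off. The <span> wrapper stands in for the
// control's own markup (constructed, not the control's real output).
function renderLabel(text, encodeHtml) {
  return `<span>${encodeHtml ? htmlEncode(text) : text}</span>`;
}

// Models the ItemTemplate from the page. EncodeHtml on the control has no
// effect here, so the bound field is rendered as text only when the template
// itself encodes it (HttpUtility.HtmlEncode(Eval("Phone")) in the page's markup).
function renderItemTemplate(item, field, templateEncodes) {
  const bound = templateEncodes ? htmlEncode(item[field]) : item[field];
  return `<b>${field}</b>: <span id="CategoryIDLabel">${bound}</span>`;
}

// Defender's check: count element tags in a rendered fragment. After encoding,
// only the structural tags written by the control or template should remain.
function countTags(html) {
  const matches = html.match(/<\/?[a-zA-Z][^>]*>/g);
  return matches ? matches.length : 0;
}

// Constructed sample value: a bound "Phone" field that happens to contain markup.
const SAMPLE_ITEM = { Phone: "<b>555-0100</b> & <i>ext. 7</i>" };

// Stand-alone demonstration: the unencoded rendering gains four extra tags
// from the data, the encoded rendering keeps only the structural ones.
console.log(renderLabel(SAMPLE_ITEM.Phone, false), "->",
  countTags(renderLabel(SAMPLE_ITEM.Phone, false)), "tags");
console.log(renderLabel(SAMPLE_ITEM.Phone, true), "->",
  countTags(renderLabel(SAMPLE_ITEM.Phone, true)), "tags");
console.log(renderItemTemplate(SAMPLE_ITEM, "Phone", false));
console.log(renderItemTemplate(SAMPLE_ITEM, "Phone", true));
```

The countTags check is the kind of assertion worth keeping in a test suite for pages that bind untrusted fields into templates: the number of tags in the rendered fragment must not depend on the data.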
DateEdit
The EncodeHtml property encodes the following ASPxDateEdit property values:
- Caption
- HelpText
- Text of individual buttons
- ClearButton.Text
- DropDownButton.Text
- CalendarProperties.ClearButtonText
- CalendarProperties.TodayButtonText
- CaptionSettings.OptionalMark
- CaptionSettings.RequiredMark
- TimeSectionProperties.CancelButtonText
- TimeSectionProperties.OkButtonText
- ValidationSettings.ErrorText
- CalendarProperties.FastNavProperties.CancelButtonText
- CalendarProperties.FastNavProperties.OkButtonText
- ValidationSettings.RequiredField.ErrorText
The control always encodes its NullText property value.
DataView
The EncodeHtml property encodes the pager’s button captions of an ASPxDataView control.
The EncodeHtml property is not in effect for item template content. Call the HttpUtility.HtmlEncode method to encode it.
<dx:ASPxDataView ID="ASPxDataView" runat="server" DataSourceID="XmlDataSource1">
    <ItemTemplate>
        <b>CategoryID</b>:
        <asp:Label ID="CategoryIDLabel" runat="server"
            Text='<%# System.Web.HttpUtility.HtmlEncode(Eval("Name")) %>' />
    </ItemTemplate>
</dx:ASPxDataView>
The control does not encode the ShowMoreItemsText and EmptyDataText property values and renders these values as HTML markup.
Diagram
The EncodeHtml property encodes Title of individual custom shapes in an ASPxDiagram control.
The control always encodes the following property values:
- DefaultText of individual custom shapes
- Title of individual toolbox groups
- The shape’s content (except for templates that are specified on the client)
DropDownEdit
The EncodeHtml property encodes the following ASPxDropDownEdit property values:
- Caption
- HelpText
- Text of individual buttons
- CaptionSettings.OptionalMark
- CaptionSettings.RequiredMark
- ClearButton.Text
- DropDownButton.Text
- ValidationSettings.ErrorText
- ValidationSettings.RequiredField.ErrorText
The control always encodes its Text and NullText property values.
FilterControl
A column’s PropertiesEdit.EncodeHtml property encodes column cell values in an ASPxFilterControl control.
FormLayout
The EncodeHtml property encodes Caption of individual items in an ASPxFormLayout control.
Gantt
An ASPxGantt control always encodes the following property values:
- Resources
- Hints of the tasks
- Titles of the tasks
- Text of individual toolbar items
The control does not encode the Caption and ToolTip property values of individual columns in the Task List and renders these values as HTML markup.
GridView
Set a column’s PropertiesEdit.EncodeHtml property to true to encode column cell values in an ASPxGridView control.
The SettingsBehavior.EncodeErrorHtml property encodes the control’s error texts.
Headline
The EncodeHtml property encodes the following ASPxHeadline property values:
The control does not encode the TailText property value and renders this value as HTML markup.
If the EncodeHtml property is set to false, the following properties are not in effect:
- MaxLength
- TailPosition, if its value is KeepWithLastWord
Hint
The EncodeHtml property encodes the following ASPxHint property values:
The EncodeHtml property is not in effect for hint content specified on the client side.
HtmlEditor
The EncodeHtml property encodes the following ASPxHtmlEditor property values:
- Text of individual context menu items
- SettingsValidation.ErrorText
- SettingsValidation.RequiredField.ErrorText
The control does not encode Text and Value property values of individual toolbar custom items and renders these values as HTML markup.
HyperLink
The EncodeHtml property encodes an ASPxHyperLink control’s Text property value.
ImageGallery
The EncodeHtml property encodes the following ASPxImageGallery property values:
- FullscreenViewerText of individual items
- Text of individual items
The control does not encode the following property values and renders these values as HTML markup:
ImageSlider
The EncodeHtml property encodes Text of individual items in an ASPxImageSlider control.
Label
The EncodeHtml property encodes an ASPxLabel control’s Text property value.
ListBox
The EncodeHtml property encodes the following ASPxListBox property values:
- Caption
- Text of individual items
- Value of individual items
- CaptionSettings.OptionalMark
- CaptionSettings.RequiredMark
- ValidationSettings.ErrorText
- ValidationSettings.RequiredField.ErrorText
The EncodeHtml property is not in effect for item template content. Call the HttpUtility.HtmlEncode method to encode it.
<dx:ASPxListBox ID="lbFeatures" runat="server" DataSourceID="Features">
    <ItemTemplate>
        <b>CategoryID</b>:
        <asp:Label ID="CategoryIDLabel" runat="server"
            Text='<%# System.Web.HttpUtility.HtmlEncode(Eval("ID")) %>' />
    </ItemTemplate>
</dx:ASPxListBox>
Memo
The EncodeHtml property encodes the following ASPxMemo property values:
- Caption
- HelpText
- CaptionSettings.OptionalMark
- CaptionSettings.RequiredMark
- ValidationSettings.ErrorText
- ValidationSettings.RequiredField.ErrorText
The control always encodes its Text and NullText property values.
Menu
The EncodeHtml property encodes Text of individual items in an ASPxMenu control.
NavBar
The EncodeHtml property encodes the following ASPxNavBar property values:
- Text of individual groups
- Text of individual group items
NewsControl
The EncodeHtml property encodes the following ASPxNewsControl property values:
- Text of individual items
- HeaderText of individual items
- ASPxPager’s button captions
The control does not encode the ItemSettings.TailText and EmptyDataText property values and renders these values as HTML markup.
If the EncodeHtml property is set to false, the following properties are not in effect:
- ItemSettings.MaxLength
- ItemSettings.TailPosition, if its value is KeepWithLastWord
Pager
The EncodeHtml property encodes the following ASPxPager property values:
The control does not encode the page size item’s Caption property value and renders this value as HTML markup.
PageControl
The EncodeHtml property encodes Text of individual tab pages in an ASPxPageControl control.
PivotGrid
The EncodeHtml property encodes the following ASPxPivotGrid property values:
PopupControl
The EncodeHtml property encodes the following ASPxPopupControl property values:
PopupMenu
The EncodeHtml property encodes the Text of individual items in an ASPxPopupMenu control.
RadioButton
The EncodeHtml property encodes the following ASPxRadioButton property values:
RadioButtonList
The EncodeHtml property encodes the following ASPxRadioButtonList property values:
- Caption
- Text of individual items
- Value of individual items
- CaptionSettings.OptionalMark
- CaptionSettings.RequiredMark
- ValidationSettings.ErrorText
- ValidationSettings.RequiredField.ErrorText
Ribbon
The EncodeHtml property encodes the following ASPxRibbon property values:
- Text of individual tabs
- Text of individual tab groups
- Text of individual group items
RichEdit
The EncodeHtml property encodes ribbon and popup control elements of an ASPxRichEdit control. The control always encodes its content.
RoundPanel
An ASPxRoundPanel control’s EncodeHtml property is not in effect when the View property value is set to Standard. If the View property value is set to GroupBox, the EncodeHtml property encodes the HeaderText property value.
SpinEdit
The EncodeHtml property encodes the following ASPxSpinEdit property values:
- Caption
- HelpText
- Value
- Text of individual buttons
- CaptionSettings.OptionalMark
- CaptionSettings.RequiredMark
- ClearButton.Text
- ValidationSettings.ErrorText
- ValidationSettings.RequiredField.ErrorText
The control always encodes its NullText property value.
Spreadsheet
The EncodeHtml property encodes the ribbon and popup control elements of an ASPxSpreadsheet control. The control always encodes its content.
TabControl
The EncodeHtml property encodes Text of individual tabs in an ASPxTabControl control.
TextBox
The EncodeHtml property encodes the following ASPxTextBox property values:
- Caption
- HelpText
- CaptionSettings.OptionalMark
- CaptionSettings.RequiredMark
- ValidationSettings.ErrorText
- ValidationSettings.RequiredField.ErrorText
The control always encodes its Text and NullText property values.
TimeEdit
The EncodeHtml property encodes the following ASPxTimeEdit property values:
- Caption
- HelpText
- Text of individual buttons
- CaptionSettings.OptionalMark
- CaptionSettings.RequiredMark
- ClearButton.Text
- ValidationSettings.ErrorText
- ValidationSettings.RequiredField.ErrorText
The control always encodes its Value and NullText property values.
TitleIndex
The EncodeHtml property encodes Text of individual items in an ASPxTitleIndex control.
The control does not encode the following property values and renders these values as HTML markup:
TokenBox
The EncodeHtml property encodes the following ASPxTokenBox property values:
- Caption
- HelpText
- Tokens
- Text of individual items
- Value of individual items
- CaptionSettings.OptionalMark
- CaptionSettings.RequiredMark
The control always encodes its NullText property value.
The EncodeHtml property is not in effect for item template content. Call the HttpUtility.HtmlEncode method to encode it.
<dx:ASPxTokenBox ID="ASPxTokenBox1" runat="server" DataSourceID="AddressBookXml">
    <ItemTemplate>
        <b>CategoryID</b>:
        <asp:Label ID="CategoryIDLabel" runat="server"
            Text='<%# System.Web.HttpUtility.HtmlEncode(Eval("Email")) %>' />
    </ItemTemplate>
</dx:ASPxTokenBox>
TrackBar
The EncodeHtml property encodes the following ASPxTrackBar property values:
- Caption
- Text of individual items
- Tooltip of individual items
- CaptionSettings.OptionalMark
- CaptionSettings.RequiredMark
TreeList
Set a column’s PropertiesEdit.EncodeHtml property to true to encode column cell values in an ASPxTreeList control.
The SettingsBehavior.EncodeErrorHtml property encodes the control’s error texts.
TreeView
The EncodeHtml property encodes Text of individual nodes in an ASPxTreeView control.
UploadControl
The EncodeHtml property encodes the following ASPxUploadControl property values:
ValidationSummary
The EncodeHtml property encodes an ASPxValidationSummary control’s HeaderText property value.
The control summarizes validation errors from multiple editors and displays them in a single block. Set an editor’s EncodeHtml property to true to encode the editor’s error text in the ASPxValidationSummary.
VerticalGrid
Set a row’s PropertiesEdit.EncodeHtml property to true to encode the row’s cell values in an ASPxVerticalGrid control.
The SettingsBehavior.EncodeErrorHtml property encodes the control’s error texts.