HTML Encoding | ASP.NET Web Forms Controls

Aug 16, 2024
10 minutes to read

Web browsers can interpret data that contains reserved characters as HTML markup and execute this data as a code. This may create security issues. You should encode data to protect your website from cross-site scripting (XSS) attacks.

DevExpress web controls implement the EncodeHtml property that allows you to encode property values and content. When the EncodeHtml property is enabled, the control displays HTML code as text. The control uses the HttpUtility.HtmlEncode method to replace reserved characters (for example, < and >) with character entity references (< and >).

Unencoded Content

When a control’s EncodeHtml property is set to true, the control encodes data that is loaded from the data source and that users can select or edit.

The control never encodes the following information:

Data that cannot be edited by users
Content specified in templates
Element content and values specified on the client

Call the HttpUtility.HtmlEncode method to encode values that may contain HTML markup:

<dx:ASPxComboBox ID="ComboBoxID" DataSourceID="ContactsDataSource" TextField="Name" runat="server">
    <ItemTemplate>
        <div>
            <%# System.Web.HttpUtility.HtmlEncode(Eval("Name")) %><br />
            <%# System.Web.HttpUtility.HtmlEncode(Eval("Phone")) %>
        </div>
    </ItemTemplate>
</dx:ASPxComboBox>

protected void Page_Load(object sender, EventArgs e) {
    String caption = // A value from an untrusted source
    ComboBoxID.SettingsAdaptivity.ModalDropDownCaption = System.Web.HttpUtility.HtmlEncode(caption);
}

Protected Sub Page_Load(ByVal sender As Object, ByVal e As EventArgs)
    Dim caption As String = ' A value from an untrusted source
    ComboBoxID.SettingsAdaptivity.ModalDropDownCaption = System.Web.HttpUtility.HtmlEncode(caption)
End Sub

Refer to the following sections for information on how DevExpress ASP.NET Web Forms controls implement HTML encoding:

BinaryImage

The ASPxBinaryImage control’s EncodeHtml property specifies whether to encode the following property values:

The ASPxBinaryImage control does not encode the EditingSettings.DropZoneText property value. The control renders this value as HTML markup. Call the HttpUtility.HtmlEncode method to encode it.

Button

The ASPxButton control’s EncodeHtml property specifies whether to encode the Text property value.

ButtonEdit

The ASPxButtonEdit control’s EncodeHtml property specifies whether to encode the following property values:

Calendar

The ASPxCalendar control’s EncodeHtml property specifies whether to encode the following property values:

Captcha

The ASPxCaptcha control’s EncodeHtml property specifies whether to encode the following property values:

The ASPxCaptcha control does not encode the LoadingPanel.Text property value. The control renders this value as HTML markup. Call the HttpUtility.HtmlEncode method to encode it.

CardView

The ASPxCardView control’s SettingsBehavior.EncodeErrorHtml property specifies whether to encode error texts. A column‘s PropertiesEdit.EncodeHtml property specifies whether to encode column cell values.

Set the SettingsCommandButton.EncodeHtml property to true to encode text strings displayed in command buttons.

CheckBox

The ASPxCheckBox control’s EncodeHtml property specifies whether to encode the following property values:

CheckBoxList

The ASPxCheckBoxList control’s EncodeHtml property specifies whether to encode the following property values:

Caption
CaptionSettings.OptionalMark
CaptionSettings.RequiredMark
ErrorText
Text of individual items
Value of individual items
ValidationSettings.ErrorText
ValidationSettings.RegularExpression.ErrorText
ValidationSettings.RequiredField.ErrorText

CloudControl

The ASPxCloudControl‘s EncodeHtml property specifies whether to encode Text of individual items.

The ASPxCloudControl does not encode ItemBeginText and ItemEndText property values. The control renders these values as HTML markup. Call the HttpUtility.HtmlEncode method to encode them.

ColorEdit

The ASPxColorEdit control’s EncodeHtml property specifies whether to encode the following property values:

ComboBox

The ASPxComboBox control’s EncodeHtml property specifies whether to encode the following property values:

Caption
CaptionSettings.OptionalMark
CaptionSettings.RequiredMark
ClearButton.Text
DropDownButton.Text
ErrorText
HelpText
Text
Text of individual buttons
Text of individual items
Value
Value of individual items
ValidationSettings.ErrorText
ValidationSettings.RegularExpression.ErrorText
ValidationSettings.RequiredField.ErrorText

The ASPxComboBox control does not encode the following property values:

The control renders these values as HTML markup. Call the HttpUtility.HtmlEncode method to encode them.

DateEdit

The ASPxDateEdit control’s EncodeHtml property specifies whether to encode the following property values:

The ASPxDateEdit control does not encode the SettingsAdaptivity.ModalDropDownCaption property value. The control renders this value as HTML markup. Call the HttpUtility.HtmlEncode method to encode it.

DataView

The ASPxDataView control’s EncodeHtml property specifies whether to encode the pager‘s button captions.

The ASPxDataView control does not encode ShowMoreItemsText and EmptyDataText property values. The control renders these values as HTML markup. Call the HttpUtility.HtmlEncode method to encode them.

Diagram

The ASPxDiagram control’s EncodeHtml property specifies whether to encode Title of individual custom shapes.

DropDownEdit

The ASPxDropDownEdit control’s EncodeHtml property specifies whether to encode the following property values:

The ASPxDropDownEdit control does not encode the SettingsAdaptivity.ModalDropDownCaption property value. The control renders this value as HTML markup. Call the HttpUtility.HtmlEncode method to encode it.

FilterControl

A column‘s PropertiesEdit.EncodeHtml property specifies whether to encode column cell values in the ASPxFilterControl.

The ASPxFilterControl control does not encode the following property values:

DisplayName of individual columns
PropertiesEdit.NullDisplayText of individual columns
SettingsLoadingPanel.Text

The control renders these values as HTML markup. Call the HttpUtility.HtmlEncode method to encode them.

FormLayout

The ASPxFormLayout control’s EncodeHtml property specifies whether to encode Caption of individual items.

Gantt

The ASPxGantt control does not encode Caption of individual columns in the Task List. The control renders these values as HTML markup. Call the HttpUtility.HtmlEncode method to encode them.

GridView

The ASPxGridView control’s PreviewEncodeHtml property specifies whether to encode text strings displayed in preview rows. The SettingsBehavior.EncodeErrorHtml property specifies whether to encode the control’s error texts.

A data column’s PropertiesEdit.EncodeHtml property specifies whether to encode column cell values. Enable the SettingsCommandButton.EncodeHtml property to encode text strings displayed in command buttons.

The ASPxGridView control does not encode Caption of individual columns. The control renders these property values as HTML markup. Call the HttpUtility.HtmlEncode method to encode them.

Headline

The ASPxHeadline control’s EncodeHtml property specifies whether to encode the following property values:

The ASPxHeadline control does not encode the TailText property value. The control renders this value as HTML markup. Call the HttpUtility.HtmlEncode method to encode it.

Hint

The ASPxHint control’s EncodeHtml property specifies whether to encode the following property values:

HtmlEditor

The ASPxHtmlEditor control’s EncodeHtml property specifies whether to encode the following property values:

Text of individual context menu items
SettingsValidation.ErrorText
SettingsValidation.RequiredField.ErrorText

The ASPxHtmlEditor control does not encode Text and Value property values of individual toolbar custom items. The control renders these values as HTML markup. Call the HttpUtility.HtmlEncode method to encode them.

HyperLink

The ASPxHyperLink control’s EncodeHtml property specifies whether to encode the Text property value.

ImageGallery

The ASPxImageGallery control’s EncodeHtml property specifies whether to encode the following property values:

FullscreenViewerText of individual items
Text of individual items

The ASPxImageGallery control does not encode EmptyDataText and PagerSettings.ShowMoreItemsText property values. The control renders these values as HTML markup. Call the HttpUtility.HtmlEncode method to encode them.

ImageSlider

The ASPxImageSlider control’s EncodeHtml property specifies whether to encode Text of individual items.

Label

The ASPxLabel control’s EncodeHtml property specifies whether to encode Text and Value property values.

ListBox

The ASPxListBox control’s EncodeHtml property specifies whether to encode the following property values:

Caption
CaptionSettings.OptionalMark
CaptionSettings.RequiredMark
ErrorText
Text of individual items
Value of individual items
ValidationSettings.ErrorText
ValidationSettings.RegularExpression.ErrorText
ValidationSettings.RequiredField.ErrorText

The ASPxListBox control does not encode the following property values:

The control renders these values as HTML markup. Call the HttpUtility.HtmlEncode method to encode them.

Memo

The ASPxMemo control’s EncodeHtml property specifies whether to encode the following property values:

The ASPxMenu control’s EncodeHtml property specifies whether to encode Text of individual items.

The ASPxNavBar control’s EncodeHtml property specifies whether to encode the following property values:

Text of individual groups
Text of individual group items

NewsControl

The ASPxNewsControl‘s EncodeHtml property specifies whether to encode the following property values:

Text of individual items
HeaderText of individual items
ASPxPager‘s button captions

The ASPxNewsControl does not encode ItemSettings.TailText and EmptyDataText property values. The control renders these values as HTML markup. Call the HttpUtility.HtmlEncode method to encode them.

The ASPxPager control’s EncodeHtml property specifies whether to encode the following property values:

The ASPxPager control does not encode the PageSizeItemSettings.Caption property value. The control renders the value as HTML markup. Call the HttpUtility.HtmlEncode method to encode it.

PageControl

The ASPxPageControl‘s EncodeHtml property specifies whether to encode Text of individual tab pages.

PivotGrid

The ASPxPivotGrid control’s EncodeHtml property specifies whether to encode the following property values:

Cell values and column/row cell values
ASPxPager‘s button captions

PopupControl

The ASPxPopupControl‘s EncodeHtml property specifies whether to encode the following property values:

PopupMenu

The ASPxPopupMenu control’s EncodeHtml property specifies whether to encode Text of individual items.

RadioButton

The ASPxRadioButton control’s EncodeHtml property specifies whether to encode the following property values:

RadioButtonList

The ASPxRadioButtonList control’s EncodeHtml property specifies whether to encode the following property values:

Caption
CaptionSettings.OptionalMark
CaptionSettings.RequiredMark
ErrorText
Text of individual items
Value of individual items
ValidationSettings.ErrorText
ValidationSettings.RegularExpression.ErrorText
ValidationSettings.RequiredField.ErrorText

Ribbon

The ASPxRibbon control’s EncodeHtml property specifies whether to encode the following property values:

Text of individual tabs
Text of individual tab groups
Text of individual group items

RichEdit

The ASPxRichEdit control’s EncodeHtml property specifies whether to encode ribbon and popup control elements.

RoundPanel

The ASPxRoundPanel control’s EncodeHtml property is not in effect, when the View property value is set to Standard. If this property value is set to GroupBox, the control’s EncodeHtml property specifies whether to encode the HeaderText property value.

SpinEdit

The ASPxSpinEdit control’s EncodeHtml property specifies whether to encode the following property values:

Spreadsheet

The ASPxSpreadsheet control’s EncodeHtml property specifies whether to encode ribbon and popup control elements.

TabControl

The ASPxTabControl‘s EncodeHtml property specifies whether to encode Text of individual tabs.

TextBox

The ASPxTextBox control’s EncodeHtml property specifies whether to encode the following property values:

TimeEdit

The ASPxTimeEdit control’s EncodeHtml property specifies whether to encode the following property values:

TitleIndex

The ASPxTitleIndex control’s EncodeHtml property specifies whether to encode Text of individual items.

The ASPxTitleIndex control does not encode the following property values:

The control renders these values as HTML markup. Call the HttpUtility.HtmlEncode method to encode them.

TokenBox

The ASPxTokenBox control’s EncodeHtml property specifies whether to encode the following property values:

Caption
CaptionSettings.OptionalMark
CaptionSettings.RequiredMark
ErrorText
HelpText
Tokens
Text of individual items
Value of individual items
ValidationSettings.ErrorText
ValidationSettings.RegularExpression.ErrorText
ValidationSettings.RequiredField.ErrorText

The ASPxTokenBox control does not encode the SettingsLoadingPanel.Text property value. The control renders this value as HTML markup. Call the HttpUtility.HtmlEncode method to encode it.

TrackBar

The ASPxTrackBar control’s EncodeHtml property specifies whether to encode the following property values:

Caption
CaptionSettings.OptionalMark
CaptionSettings.RequiredMark
ErrorText
Text of individual items
Tooltip of individual items
ValidationSettings.ErrorText
ValidationSettings.RegularExpression.ErrorText
ValidationSettings.RequiredField.ErrorText

TreeList

The ASPxTreeList control’s PreviewEncodeHtml property specifies whether to encode text strings displayed in preview rows. The SettingsBehavior.EncodeErrorHtml property specifies whether to encode the control’s error texts.

Set a column‘s PropertiesEdit.EncodeHtml property to true to encode column cell values.

TreeView

The ASPxTreeView control’s EncodeHtml property specifies whether to encode Text of individual nodes.

UploadControl

The ASPxUploadControl‘s EncodeHtml property specifies whether to encode the following property values:

ValidationSummary

The ASPxValidationSummary control’s EncodeHtml property specifies whether to encode the HeaderText property value.

The control summarizes validation errors from multiple editors and displays them in a single block. Set an editor’s EncodeHtml property to true to encode the editor’s error text in the ASPxValidationSummary.

VerticalGrid

The ASPxVerticalGrid control’s SettingsBehavior.EncodeErrorHtml property specifies whether to encode error texts. A row‘s PropertiesEdit.EncodeHtml property specifies whether to encode row cell values.

Set the SettingsCommandButton.EncodeHtml property to true to encode text strings displayed in command buttons.