HTML Encoding
Web browsers can interpret data with reserved characters as HTML markup and execute it as code. Improper handling of reserved characters/untrusted values can introduce numerous security risks (such as CWE-80 and CWE-20). Always encode data to protect your application from cross-site scripting (XSS) attacks.
The following methods allow you to manually encode untrusted values:
- HtmlAttributeEncode: Call this method to encode a value before you assign it to an HTML attribute.
- HtmlEncode: Call this method to encode a value before you insert it in HTML output.
- JavaScriptStringEncode: Call this method to encode a value before you use it in a script.
- UrlEncode: Call this method to encode a value before you use it to generate a URL.
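As an added illustration (this is not code from the DevExpress documentation), the following snippet places one constructed untrusted string into each of the four output contexts above, using the System.Web.HttpUtility method that matches each context. The class and method names and the sample value are assumptions made for this example.

```csharp
using System;
using System.Web;

// Added example, not part of the DevExpress documentation: the same untrusted
// value placed in four output contexts, each with the encoder that matches
// the context. The sample string is constructed for this illustration.
public static class ContextualEncoding {
    // Constructed sample: contains quotes, an attribute-like fragment, a tag
    // and an ampersand, so every encoder has something to neutralise.
    public const string Untrusted = "O'Brien\" title=\"x\" <b>&co";

    // HTML attribute value: HtmlAttributeEncode turns the quote, the angle
    // bracket and the ampersand into entities, so the value cannot close the
    // attribute and add another one.
    public static string ForAttribute(string value) {
        return "<input type=\"text\" value=\"" + HttpUtility.HtmlAttributeEncode(value) + "\" />";
    }

    // Element content: HtmlEncode turns <, >, & and quotes into entities, so
    // the browser shows the text instead of parsing it as markup.
    public static string ForElementContent(string value) {
        return "<span>" + HttpUtility.HtmlEncode(value) + "</span>";
    }

    // JavaScript string literal: JavaScriptStringEncode escapes quotes,
    // backslashes, control characters and the characters that could end the
    // string or the <script> block; the second argument adds the surrounding
    // double quotes.
    public static string ForScript(string value) {
        return "<script>var customer = " + HttpUtility.JavaScriptStringEncode(value, true) + ";</script>";
    }

    // URL query component: UrlEncode percent-encodes everything outside the
    // unreserved set, so the value stays inside the q parameter.
    public static string ForUrl(string value) {
        return "/search?q=" + HttpUtility.UrlEncode(value);
    }

    public static void Main() {
        Console.WriteLine(ForAttribute(Untrusted));
        Console.WriteLine(ForElementContent(Untrusted));
        Console.WriteLine(ForScript(Untrusted));
        Console.WriteLine(ForUrl(Untrusted));
    }
}
```

The encoders compose per context: if the URL built by ForUrl is later written into an href attribute, apply HtmlAttributeEncode to the whole URL as well, because UrlEncode protects the query component, not the attribute that carries it.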
DevExpress ASP.NET Web Forms controls include built-in mechanisms to encode executable content. This topic describes our encoding logic and documents best practices designed to reduce XSS-related security risks.
#Encode Page Title
Encode database values or user input before you assign them to a page title:
protected void Page_Load(object sender, EventArgs e) {
    var ds = SqlDataSource1.Select(new System.Web.UI.DataSourceSelectArguments()) as DataView;
    var value = ds[0]["ProductName"]; // A database value: treat it as untrusted
    // HtmlEncode returns a string, so no ToString() call is needed
    Title = "Product: " + HttpUtility.HtmlEncode(value);
}
#Encode Callback Data
To prevent possible script injections, encode callback data sent from the server to the client. The following example encodes values that the ASPxCallback control sends on callbacks:
<dx:ASPxCallback runat="server" ID="CallbackControl" OnCallback="Callback_Callback" ClientInstanceName="callbackControl">
    <ClientSideEvents CallbackComplete="function(s, e) {
        /* e.result and cpSomeInfo were HTML-encoded on the server, so assigning them to innerHTML displays them as text */
        document.getElementById('namePlaceholder').innerHTML = e.result;
        if(callbackControl.cpSomeInfo)
            document.getElementById('someInfo').innerHTML = callbackControl.cpSomeInfo;
    }" />
</dx:ASPxCallback>
protected void Callback_Callback(object source, DevExpress.Web.CallbackEventArgs e) {
    // Encode every value that the client script inserts into the page
    e.Result = HttpUtility.HtmlEncode("an untrusted value");
    CallbackControl.JSProperties["cpSomeInfo"] = HttpUtility.HtmlEncode("an untrusted value");
}
#Sanitize Links
Ensure that values do not include dangerous content (such as JavaScript code) before you assign the value to a hyperlink’s href attribute.
DevExpress Grid-like controls remove potentially dangerous content from hyperlink columns. Do not override this behavior: do not set a column’s RemovePotentiallyDangerousNavigateUrl property to False, because doing so can introduce security-related issues.
<dx:ASPxGridView ID="grid" runat="server" DataSourceID="CustomersDataSource" KeyFieldName="CustomerID">
    <Columns>
        <dx:GridViewDataColumn FieldName="ContactName" />
        <dx:GridViewDataColumn FieldName="CompanyName" />
        <dx:GridViewDataColumn FieldName="City" />
        <dx:GridViewDataColumn FieldName="Region" />
        <dx:GridViewDataColumn FieldName="Country" />
        <dx:GridViewDataHyperLinkColumn FieldName="CompanySite">
            <PropertiesHyperLinkEdit RemovePotentiallyDangerousNavigateUrl="True" />
        </dx:GridViewDataHyperLinkColumn>
    </Columns>
</dx:ASPxGridView>
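For values that you assign to a hyperlink yourself (outside a grid column, where the built-in removal does not apply), the following added example, which is not DevExpress code, applies an allowlist check before the value reaches an href attribute. The class name, the allowed scheme list and the fallback value are assumptions made for this example.

```csharp
using System;

// Added example, not part of the DevExpress documentation: an allowlist check
// for values that will be assigned to a hyperlink's href or NavigateUrl.
// Absolute URLs are accepted only for the listed schemes; everything else must
// be a site-relative path. Rejected values are replaced by a harmless fallback.
public static class NavigateUrlCheck {
    // Assumption for this example: only web links are expected.
    static readonly string[] AllowedSchemes = { "http", "https" };

    public static bool IsSafe(string candidate) {
        if (string.IsNullOrWhiteSpace(candidate)) return false;
        string value = candidate.Trim();
        Uri uri;
        if (Uri.TryCreate(value, UriKind.Absolute, out uri)) {
            // Absolute URL: the scheme decides. This rejects script-bearing and
            // file schemes because they are not on the allowlist.
            return Array.IndexOf(AllowedSchemes, uri.Scheme.ToLowerInvariant()) >= 0;
        }
        // Not an absolute URL: accept only a site-relative path. "//host" would
        // be protocol-relative, and a value that does not start with "/" could
        // still be interpreted as a scheme by the browser.
        return value.StartsWith("/") && !value.StartsWith("//");
    }

    // Returns the value to assign, or the fallback when the candidate is rejected.
    public static string Sanitize(string candidate, string fallback = "#") {
        return IsSafe(candidate) ? candidate.Trim() : fallback;
    }
}
```

Call Sanitize wherever a value from a database or from user input is assigned to an href attribute or to an ASPxHyperLink’s NavigateUrl property. The check is deliberately strict: a value such as www.example.com without a scheme is rejected rather than guessed at, and the prefix is then HTML-attribute-encoded by the control or by HttpUtility.HtmlAttributeEncode when you write the attribute yourself.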
#Encode Contents of DevExpress Controls
When the EncodeHtml property is enabled, DevExpress Web Forms controls encode data loaded from a data source. Our Web Forms controls use the HttpUtility.HtmlEncode method to replace reserved characters (for example, < and >) with character entity references (&lt; and &gt;).
DevExpress Web Forms controls do not encode the following:
- Data that cannot be edited by users (for instance, column captions and custom header filter items)
- Content specified in templates
- Element content and values specified on the client
In these cases, always call the HttpUtility.HtmlEncode method yourself to encode values before the control renders them as HTML markup:
<dx:ASPxComboBox ID="ComboBoxID" DataSourceID="ContactsDataSource" TextField="Name" runat="server">
    <ItemTemplate>
        <div>
            <%# System.Web.HttpUtility.HtmlEncode(Eval("Name")) %><br />
            <%# System.Web.HttpUtility.HtmlEncode(Eval("Phone")) %>
        </div>
    </ItemTemplate>
</dx:ASPxComboBox>
protected void Page_Load(object sender, EventArgs e) {
    // GetUntrustedCaption is a hypothetical helper that returns a value from an untrusted source
    string caption = GetUntrustedCaption();
    // ModalDropDownCaption is rendered as markup and is not covered by EncodeHtml
    ComboBoxID.SettingsAdaptivity.ModalDropDownCaption = System.Web.HttpUtility.HtmlEncode(caption);
}
Refer to the following sections to learn how DevExpress ASP.NET Web Forms controls encode HTML.
#BinaryImage
Use the ASPxBinaryImage control’s EncodeHtml property to encode the following property values:
- Caption
- CaptionSettings.OptionalMark
- CaptionSettings.RequiredMark
- ErrorText
- ValidationSettings.ErrorText
- ValidationSettings.RequiredField.ErrorText
The ASPxBinaryImage control does not encode the EditingSettings.DropZoneText property value. The control renders this value as HTML markup. Call the HttpUtility.HtmlEncode method to encode values.
#Button
Use the ASPxButton control’s EncodeHtml property to encode the Text property value.
#ButtonEdit
Use the ASPxButtonEdit control’s EncodeHtml property to encode the following property values:
- Caption
- CaptionSettings.OptionalMark
- CaptionSettings.RequiredMark
- ClearButton.Text
- ErrorText
- HelpText
- MaskSettings.ErrorText
- Text used for individual buttons
- ValidationSettings.ErrorText
- ValidationSettings.RegularExpression.ErrorText
- ValidationSettings.RequiredField.ErrorText
#Calendar
Use the ASPxCalendar control’s EncodeHtml property to encode the following property values:
- Caption
- CaptionSettings.OptionalMark
- CaptionSettings.RequiredMark
- ClearButtonText
- ErrorText
- FastNavProperties.CancelButtonText
- FastNavProperties.OkButtonText
- TodayButtonText
- ValidationSettings.ErrorText
- ValidationSettings.RegularExpression.ErrorText
- ValidationSettings.RequiredField.ErrorText
#Captcha
Use the ASPxCaptcha control’s EncodeHtml property to encode the following property values:
- RefreshButton.Text
- TextBox.LabelText
- ValidationSettings.ErrorText
- ValidationSettings.RequiredField.ErrorText
The ASPxCaptcha control does not encode the LoadingPanel.Text property value. The control renders this value as HTML markup. Call the HttpUtility.HtmlEncode method to encode values.
#CardView
Use the ASPxCardView control’s SettingsBehavior.EncodeErrorHtml property to encode error text. A column’s PropertiesEdit.EncodeHtml property specifies whether to encode column cell values.
To encode text strings displayed within command buttons, set the SettingsCommandButton.EncodeHtml property to true.
The ASPxCardView control does not encode custom header filter item values. The control renders these values as HTML markup. Call the HttpUtility.HtmlEncode method to encode values.
#CheckBox
Use the ASPxCheckBox control’s EncodeHtml property to encode the following property values:
- ErrorText
- Text
- ValidationSettings.ErrorText
- ValidationSettings.RegularExpression.ErrorText
- ValidationSettings.RequiredField.ErrorText
#CheckBoxList
Use the ASPxCheckBoxList control’s EncodeHtml property to encode the following property values:
- Caption
- CaptionSettings.OptionalMark
- CaptionSettings.RequiredMark
- ErrorText
- Text used for individual items
- Value of individual items
- ValidationSettings.ErrorText
- ValidationSettings.RegularExpression.ErrorText
- ValidationSettings.RequiredField.ErrorText
#CloudControl
Use the ASPxCloudControl’s EncodeHtml property to encode Text associated with individual items.
The ASPxCloudControl does not encode ItemBeginText and ItemEndText property values. The control renders these values as HTML markup. Call the HttpUtility.HtmlEncode method to encode values.
#ColorEdit
Use the ASPxColorEdit control’s EncodeHtml property to encode the following property values:
- AutomaticColorItemCaption
- Caption
- CaptionSettings.OptionalMark
- CaptionSettings.RequiredMark
- ClearButton.Text
- CustomColorButtonText
- DropDownButton.Text
- ErrorText
- HelpText
- Text used for individual buttons
- ValidationSettings.ErrorText
- ValidationSettings.RegularExpression.ErrorText
- ValidationSettings.RequiredField.ErrorText
#ComboBox
Use the ASPxComboBox control’s EncodeHtml property to encode the following property values:
- Caption
- CaptionSettings.OptionalMark
- CaptionSettings.RequiredMark
- ClearButton.Text
- DropDownButton.Text
- ErrorText
- HelpText
- Text
- Text used for individual buttons
- Text used for individual items
- Value
- Value of individual items
- ValidationSettings.ErrorText
- ValidationSettings.RegularExpression.ErrorText
- ValidationSettings.RequiredField.ErrorText
The ASPxComboBox control does not encode the following property values:
- Caption used for individual columns
- SettingsAdaptivity.ModalDropDownCaption
- SettingsLoadingPanel.Text
The control renders these values as HTML markup. Call the HttpUtility.HtmlEncode method to encode values.
#DateEdit
Use the ASPxDateEdit control’s EncodeHtml property to encode the following property values:
- CalendarProperties.ClearButtonText
- CalendarProperties.FastNavProperties.CancelButtonText
- CalendarProperties.FastNavProperties.OkButtonText
- CalendarProperties.TodayButtonText
- Caption
- CaptionSettings.OptionalMark
- CaptionSettings.RequiredMark
- ClearButton.Text
- DateRangeSettings.ErrorTextDaysPlaceholder
- DateRangeSettings.ErrorTextDecadesPlaceholder
- DateRangeSettings.ErrorTextMonthsPlaceholder
- DateRangeSettings.ErrorTextYearsPlaceholder
- DateRangeSettings.MinErrorText
- DateRangeSettings.RangeErrorText
- DropDownButton.Text
- HelpText
- Text used for individual buttons
- TimeSectionProperties.CancelButtonText
- TimeSectionProperties.OkButtonText
- ValidationSettings.ErrorText
- ValidationSettings.RegularExpression.ErrorText
- ValidationSettings.RequiredField.ErrorText
The ASPxDateEdit control does not encode the SettingsAdaptivity.ModalDropDownCaption property value. The control renders this value as HTML markup. Call the HttpUtility.HtmlEncode method to encode values.
#DataView
Use the ASPxDataView control’s EncodeHtml property to encode pager button captions.
The ASPxDataView control does not encode ShowMoreItemsText and EmptyDataText property values. The control renders these values as HTML markup. Call the HttpUtility.HtmlEncode method to encode values.
#Diagram
Use the ASPxDiagram control’s EncodeHtml property to encode the Title used for individual custom shapes.
#DropDownEdit
Use the ASPxDropDownEdit control’s EncodeHtml property to encode the following property values:
- Caption
- CaptionSettings.OptionalMark
- CaptionSettings.RequiredMark
- ClearButton.Text
- DropDownButton.Text
- ErrorText
- HelpText
- Text used for individual buttons
- ValidationSettings.ErrorText
- ValidationSettings.RegularExpression.ErrorText
- ValidationSettings.RequiredField.ErrorText
The ASPxDropDownEdit control does not encode the SettingsAdaptivity.ModalDropDownCaption property value. The control renders this value as HTML markup. Call the HttpUtility.HtmlEncode method to encode values.
#FilterControl
Use a column’s PropertiesEdit.EncodeHtml property to encode ASPxFilterControl column cell values.
The ASPxFilterControl control does not encode the following property values:
- DisplayName used for individual columns
- PropertiesEdit.NullDisplayText used for individual columns
- SettingsLoadingPanel.Text
The control renders these values as HTML markup. Call the HttpUtility.HtmlEncode method to encode values.
#FormLayout
Use the ASPxFormLayout control’s EncodeHtml property to encode the Caption associated with individual items.
#Gantt
The ASPxGantt control does not encode the Caption of individual columns within the Task List. The control renders these values as HTML markup. Call the HttpUtility.HtmlEncode method to encode values.
#GridView
Use the ASPxGridView control’s PreviewEncodeHtml property to encode text strings displayed in preview rows. Use the SettingsBehavior.EncodeErrorHtml property to encode control-related error text.
Use a data column’s PropertiesEdit.EncodeHtml property to encode column cell values. Enable the SettingsCommandButton.EncodeHtml property to encode text strings displayed within command buttons.
The ASPxGridView control does not encode the Caption of individual columns and custom header filter item values. The control renders these values as HTML markup. Call the HttpUtility.HtmlEncode method to encode values.
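The following added example (not DevExpress code) shows the split described above and in the "Encode Contents of DevExpress Controls" section: grid columns are created at run time from metadata that a user may have edited, so the column captions, which the grid renders as markup, are encoded explicitly, while cell values are left to PropertiesEdit.EncodeHtml. It assumes a grid declared in markup with the ID grid and a data source, and no static columns; ColumnMetadata and LoadColumnMetadata are hypothetical names.

```csharp
using System;
using System.Collections.Generic;
using System.Web;
using DevExpress.Web;

// Added example, not part of the DevExpress documentation.
// ColumnMetadata and LoadColumnMetadata are hypothetical names for this example.
public partial class ProductsPage : System.Web.UI.Page {
    class ColumnMetadata {
        public string FieldName;
        public string DisplayName;   // edited by users, so it may contain markup
    }

    // Constructed stand-in for a database or configuration lookup.
    IEnumerable<ColumnMetadata> LoadColumnMetadata() {
        return new[] {
            new ColumnMetadata { FieldName = "ProductName", DisplayName = "Product" },
            new ColumnMetadata { FieldName = "UnitPrice",   DisplayName = "Price <b>(USD)</b>" }
        };
    }

    // Dynamically created columns must be recreated on every request,
    // including callbacks, so this runs in Page_Init without an IsPostBack check.
    protected void Page_Init(object sender, EventArgs e) {
        foreach (var meta in LoadColumnMetadata()) {
            var column = new GridViewDataTextColumn();
            column.FieldName = meta.FieldName;
            // The grid renders captions as markup and does not encode them:
            // encode the caption here so "<b>" is displayed as text.
            column.Caption = HttpUtility.HtmlEncode(meta.DisplayName);
            // Cell values are encoded by the grid when this flag is on.
            column.PropertiesEdit.EncodeHtml = true;
            grid.Columns.Add(column);
        }
    }
}
```

The same rule applies to the other properties the grid renders as markup, such as custom header filter item values: encode them with HttpUtility.HtmlEncode at the point where you build them, because EncodeHtml does not reach them.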
#Headline
Use the ASPxHeadline control’s EncodeHtml property to encode the following property values:
The ASPxHeadline control does not encode the TailText property value. The control renders this value as HTML markup. Call the HttpUtility.HtmlEncode method to encode values.
#Hint
Use the ASPxHint control’s EncodeHtml property to encode the following property values:
#HtmlEditor
Use the ASPxHtmlEditor control’s EncodeHtml property to encode the following property values:
- Text used for individual context menu items
- SettingsValidation.ErrorText
- SettingsValidation.RequiredField.ErrorText
The ASPxHtmlEditor control does not encode Text and Value property values for individual toolbar custom items. The control renders these values as HTML markup. Call the HttpUtility.HtmlEncode method to encode values.
#HyperLink
Use the ASPxHyperLink control’s EncodeHtml property to encode the Text property value.
#ImageGallery
Use the ASPxImageGallery control’s EncodeHtml property to encode the following property values:
- FullscreenViewerText of individual items
- Text used for individual items
The ASPxImageGallery control does not encode EmptyDataText and PagerSettings.ShowMoreItemsText property values. The control renders these values as HTML markup. Call the HttpUtility.HtmlEncode method to encode values.
#ImageSlider
Use the ASPxImageSlider control’s EncodeHtml property to encode Text associated with individual items.
#Label
Use the ASPxLabel control’s EncodeHtml property to encode Text and Value property values.
#ListBox
Use the ASPxListBox control’s EncodeHtml property to encode the following property values:
- Caption
- CaptionSettings.OptionalMark
- CaptionSettings.RequiredMark
- ErrorText
- Text used for individual items
- Value of individual items
- ValidationSettings.ErrorText
- ValidationSettings.RegularExpression.ErrorText
- ValidationSettings.RequiredField.ErrorText
The ASPxListBox control does not encode the following property values:
- Caption of individual columns
- SelectAllText
- SettingsLoadingPanel.Text
The control renders these values as HTML markup. Call the HttpUtility.HtmlEncode method to encode these values.
#Memo
Use the ASPxMemo control’s EncodeHtml property to encode the following property values:
- Caption
- CaptionSettings.OptionalMark
- CaptionSettings.RequiredMark
- ErrorText
- HelpText
- ValidationSettings.ErrorText
- ValidationSettings.RegularExpression.ErrorText
- ValidationSettings.RequiredField.ErrorText
#Menu
Use the ASPxMenu control’s EncodeHtml property to encode Text associated with individual items.
#NavBar
Use the ASPxNavBar control’s EncodeHtml property to encode the following property values:
- Text used for individual groups
- Text used for individual group items
#NewsControl
Use the ASPxNewsControl’s EncodeHtml property to encode the following property values:
- Text used for individual items
- HeaderText used for individual items
- ASPxPager button captions
The ASPxNewsControl does not encode ItemSettings.TailText and EmptyDataText property values. The control renders these values as HTML markup. Call the HttpUtility.HtmlEncode method to encode values.
#Pager
Use the ASPxPager control’s EncodeHtml property to encode the following property values:
The ASPxPager control does not encode the PageSizeItemSettings.Caption property value. The control renders values as HTML markup. Call the HttpUtility.HtmlEncode method to encode values.
#PageControl
Use the ASPxPageControl’s EncodeHtml property to encode Text associated with individual tab pages.
#PivotGrid
Use the ASPxPivotGrid control’s EncodeHtml property to encode the following property values:
#PopupControl
Use the ASPxPopupControl’s EncodeHtml property to encode the following property values:
#PopupMenu
Use the ASPxPopupMenu control’s EncodeHtml property to encode Text for individual items.
#RadioButton
Use the ASPxRadioButton control’s EncodeHtml property to encode the following property values:
- ErrorText
- Text
- ValidationSettings.ErrorText
- ValidationSettings.RegularExpression.ErrorText
- ValidationSettings.RequiredField.ErrorText
#RadioButtonList
Use the ASPxRadioButtonList control’s EncodeHtml property to encode the following property values:
- Caption
- CaptionSettings.OptionalMark
- CaptionSettings.RequiredMark
- ErrorText
- Text used for individual items
- Value of individual items
- ValidationSettings.ErrorText
- ValidationSettings.RegularExpression.ErrorText
- ValidationSettings.RequiredField.ErrorText
#Ribbon
Use the ASPxRibbon control’s EncodeHtml property to encode the following property values:
- Text used for individual tabs
- Text used for individual tab groups
- Text used for individual group items
#RichEdit
Use the ASPxRichEdit control’s EncodeHtml property to encode ribbon and popup control elements.
#RoundPanel
The ASPxRoundPanel control’s EncodeHtml property is not in effect when the View property value is set to Standard. If this property value is set to GroupBox, the control’s EncodeHtml property specifies whether to encode the HeaderText property value.
#SpinEdit
Use the ASPxSpinEdit control’s EncodeHtml property to encode the following property values:
- Caption
- CaptionSettings.OptionalMark
- CaptionSettings.RequiredMark
- ClearButton.Text
- ErrorText
- HelpText
- Value
- Text of individual buttons
- ValidationSettings.ErrorText
- ValidationSettings.RegularExpression.ErrorText
- ValidationSettings.RequiredField.ErrorText
#Spreadsheet
Use the ASPxSpreadsheet control’s EncodeHtml property to encode ribbon and popup control elements.
#TabControl
Use the ASPxTabControl’s EncodeHtml property to encode Text associated with individual tabs.
#TextBox
Use the ASPxTextBox control’s EncodeHtml property to encode the following property values:
- Caption
- CaptionSettings.OptionalMark
- CaptionSettings.RequiredMark
- ErrorText
- HelpText
- MaskSettings.ErrorText
- ValidationSettings.ErrorText
- ValidationSettings.RegularExpression.ErrorText
- ValidationSettings.RequiredField.ErrorText
#TimeEdit
Use the ASPxTimeEdit control’s EncodeHtml property to encode the following property values:
- Caption
- CaptionSettings.OptionalMark
- CaptionSettings.RequiredMark
- ClearButton.Text
- ErrorText
- HelpText
- Text used for individual buttons
- ValidationSettings.ErrorText
- ValidationSettings.RegularExpression.ErrorText
- ValidationSettings.RequiredField.ErrorText
#TitleIndex
Use the ASPxTitleIndex control’s EncodeHtml property to encode Text used for individual items.
The ASPxTitleIndex control does not encode the following property values:
The control renders these values as HTML markup. Call the HttpUtility.HtmlEncode method to encode values.
#TokenBox
Use the ASPxTokenBox control’s EncodeHtml property to encode the following property values:
- Caption
- CaptionSettings.OptionalMark
- CaptionSettings.RequiredMark
- ErrorText
- HelpText
- Tokens
- Text used for individual items
- Value of individual items
- ValidationSettings.ErrorText
- ValidationSettings.RegularExpression.ErrorText
- ValidationSettings.RequiredField.ErrorText
The ASPxTokenBox control does not encode the SettingsLoadingPanel.Text property value. The control renders this value as HTML markup. Call the HttpUtility.HtmlEncode method to encode values.
#TrackBar
Use the ASPxTrackBar control’s EncodeHtml property to encode the following property values:
- Caption
- CaptionSettings.OptionalMark
- CaptionSettings.RequiredMark
- ErrorText
- Text used for individual items
- Tooltip used for individual items
- ValidationSettings.ErrorText
- ValidationSettings.RegularExpression.ErrorText
- ValidationSettings.RequiredField.ErrorText
#TreeList
Use the ASPxTreeList control’s PreviewEncodeHtml property to encode text strings displayed within preview rows. Use the SettingsBehavior.EncodeErrorHtml property to encode control-related error text.
To encode column cell values, set a column’s PropertiesEdit.EncodeHtml property to true.
The ASPxTreeList control does not encode custom header filter item values. The control renders these values as HTML markup. Call the HttpUtility.HtmlEncode method to encode values.
#TreeView
Use the ASPxTreeView control’s EncodeHtml property to encode Text used for individual nodes.
#UploadControl
Use the ASPxUploadControl’s EncodeHtml property to encode the following property values:
#ValidationSummary
Use the ASPxValidationSummary control’s EncodeHtml property to encode HeaderText property values.
The control summarizes validation errors from multiple editors and displays them in a single block. Set an editor’s EncodeHtml property to true to encode the editor’s error text in the ASPxValidationSummary.
#VerticalGrid
Use the ASPxVerticalGrid control’s SettingsBehavior.EncodeErrorHtml property to encode error text. Use a row’s PropertiesEdit.EncodeHtml property to encode row cell values.
To encode text strings displayed within command buttons, set the SettingsCommandButton.EncodeHtml property to true.
The ASPxVerticalGrid control does not encode custom header filter item values. The control renders these values as HTML markup. Call the HttpUtility.HtmlEncode method to encode values.