
HTML Encoding


Web browsers interpret reserved characters (such as <, >, &, and quotes) as HTML markup, so untrusted data that contains them can be rendered as elements or executed as script. Improper handling of reserved characters in untrusted values introduces security risks such as CWE-80 (basic XSS) and CWE-20 (improper input validation). Always encode untrusted data for the context in which it is rendered (element content, attribute value, script, or URL) to protect your application from cross-site scripting (XSS) attacks.

The following System.Web.HttpUtility methods allow you to manually encode untrusted values. Choose the method that matches the output context; an encoder for the wrong context does not protect the output:

HtmlAttributeEncode
Call this method to encode a value before you assign it to an HTML attribute. Always place the attribute value in quotes as well.
HtmlEncode
Call this method to encode a value before you insert it into HTML element content.
JavaScriptStringEncode
Call this method to encode a value before you embed it in a JavaScript string literal.
UrlEncode
Call this method to encode a value before you use it as a query-string parameter or path segment of a URL. The method does not validate the URL scheme.
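The following example, added here and not part of the DevExpress documentation, places one untrusted value into each of the four contexts listed above and applies the matching HttpUtility encoder. The BuildProductCard helper and the sample input are hypothetical; only HttpUtility members are used.

```csharp
// Added example: context-specific encoding of one untrusted value with System.Web.HttpUtility.
// BuildProductCard and the sample strings are hypothetical; the encoders are the real ones.
using System;
using System.Text;
using System.Web;   // System.Web.dll is referenced by ASP.NET Web Forms projects by default

public static class ContextEncodingDemo
{
    // Builds an HTML fragment that emits the same untrusted value into four different contexts.
    public static string BuildProductCard(string untrustedName, string untrustedId)
    {
        var sb = new StringBuilder();

        // 1. Element content: HtmlEncode turns <, >, &, " and ' into entities, so the
        //    browser shows the text instead of parsing it as markup.
        sb.Append("<h2>").Append(HttpUtility.HtmlEncode(untrustedName)).Append("</h2>\n");

        // 2. Attribute value: HtmlAttributeEncode escapes the characters that can close a
        //    quoted attribute. The attribute must be quoted; an unquoted attribute ends at
        //    the first space, which no encoder escapes.
        sb.Append("<div data-product=\"")
          .Append(HttpUtility.HtmlAttributeEncode(untrustedName))
          .Append("\">\n");

        // 3. JavaScript string literal: JavaScriptStringEncode escapes quotes, backslashes
        //    and < / > (as \u003c and \u003e), so a "</script>" inside the value cannot
        //    terminate the inline script. HtmlEncode is the wrong tool here: the browser
        //    does not HTML-decode inside <script>, so entities would reach the string literally.
        sb.Append("<script>var productName = \"")
          .Append(HttpUtility.JavaScriptStringEncode(untrustedName))
          .Append("\";</script>\n");

        // 4. URL query parameter: UrlEncode percent-encodes reserved characters so the value
        //    cannot smuggle in extra parameters. The finished URL lands inside an href
        //    attribute, so it is attribute-encoded as well (two contexts, two encoders).
        string url = "Details.aspx?id=" + HttpUtility.UrlEncode(untrustedId);
        sb.Append("<a href=\"").Append(HttpUtility.HtmlAttributeEncode(url)).Append("\">Details</a>\n");

        sb.Append("</div>\n");
        return sb.ToString();
    }

    public static void Main()
    {
        // Constructed sample input carrying a payload for each context.
        string name = "Widget\" onmouseover=\"alert(1)</script><script>alert(2)</script>";
        string id = "42&role=admin";
        Console.Write(BuildProductCard(name, id));
    }
}
```

Run the program and inspect the fragment: the attribute-injection payload stays inside the quoted attribute, the closing script tag is neutralised inside the JavaScript literal, and the extra query parameter is percent-encoded rather than parsed.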

DevExpress ASP.NET Web Forms controls include built-in mechanisms to encode content that would otherwise be rendered as HTML markup. This topic describes our encoding logic and documents best practices that reduce XSS-related security risks.

#Encode Page Title

Encode database values or user input before you assign them to a page title. The title is rendered as markup, so an unencoded value can inject elements into the page head:

protected void Page_Load(object sender, EventArgs e) {
    // Select() returns an untyped result; cast it to a DataView to read rows.
    var ds = SqlDataSource1.Select(new System.Web.UI.DataSourceSelectArguments()) as DataView;
    if (ds == null || ds.Count == 0)
        return;
    // The database value is untrusted: encode it before it becomes part of the <title> markup.
    var value = ds[0]["ProductName"];
    Title = "Product: " + HttpUtility.HtmlEncode(value);
}

#Encode Callback Data

To prevent script injection, encode callback data that the server sends to the client. The following example encodes the values that the ASPxCallback control sends on callbacks. HTML encoding is the right choice here because the client-side handler assigns the result to innerHTML, which parses the value as markup; if the handler assigned to textContent instead, the entities would be displayed literally.

<dx:ASPxCallback runat="server" ID="CallbackControl" OnCallback="Callback_Callback" ClientInstanceName="callbackControl">
    <ClientSideEvents CallbackComplete="function(s, e) {
        /* e.result and cpSomeInfo arrive HTML-encoded, so innerHTML renders them as text */
        document.getElementById('namePlaceholder').innerHTML = e.result;
        if(callbackControl.cpSomeInfo)
            document.getElementById('someInfo').innerHTML = callbackControl.cpSomeInfo;
    }" />
</dx:ASPxCallback>
protected void Callback_Callback(object source, DevExpress.Web.CallbackEventArgs e) {
    // Encode every server-supplied value that the client inserts as markup.
    e.Result = HttpUtility.HtmlEncode("an untrusted value");
    // Names of client-side properties passed through JSProperties must start with "cp".
    CallbackControl.JSProperties["cpSomeInfo"] = HttpUtility.HtmlEncode("an untrusted value");
}

Ensure that values do not include dangerous content (such as a javascript: URL) before you assign them to a hyperlink’s href attribute. HTML encoding does not help here: a javascript: URL contains no reserved characters, so it survives HtmlEncode unchanged and the browser still executes it when the link is clicked.

DevExpress grid-like controls remove potentially dangerous content from hyperlink columns. Do not override this behavior: setting a column’s RemovePotentiallyDangerousNavigateUrl property to False reintroduces the risk.

<dx:ASPxGridView ID="grid" runat="server" DataSourceID="CustomersDataSource" KeyFieldName="CustomerID">
    <Columns>
        <dx:GridViewDataColumn FieldName="ContactName" />
        <dx:GridViewDataColumn FieldName="CompanyName" />
        <dx:GridViewDataColumn FieldName="City" />
        <dx:GridViewDataColumn FieldName="Region" />
        <dx:GridViewDataColumn FieldName="Country" />
        <dx:GridViewDataHyperLinkColumn FieldName="CompanySite">
            <PropertiesHyperLinkEdit RemovePotentiallyDangerousNavigateUrl="True" />
        </dx:GridViewDataHyperLinkColumn>
    </Columns>
</dx:ASPxGridView>
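The hyperlink-column filter above is built into the grid. When you assemble a link yourself (for example in a template or in code-behind), you need an equivalent check of your own. The following example is added here and is not DevExpress’s implementation of RemovePotentiallyDangerousNavigateUrl: it allowlists URL schemes with System.Uri, accepts site-relative paths, rejects everything else, and only then attribute-encodes the result. The NavigateUrlGuard class and the sample URLs are hypothetical.

```csharp
// Added example: validate an untrusted URL before it becomes an href, then encode it for the
// attribute context. NavigateUrlGuard and the sample values are hypothetical; System.Uri and
// HttpUtility.HtmlAttributeEncode are the real APIs used.
using System;
using System.Collections.Generic;
using System.Web;

public static class NavigateUrlGuard
{
    // Schemes a link is allowed to use. javascript:, data:, vbscript:, file: and anything
    // else not listed here are rejected.
    private static readonly HashSet<string> AllowedSchemes =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "http", "https", "mailto" };

    // Returns true for an absolute URL with an allowed scheme or for a site-relative path.
    // Values the parser cannot classify are rejected, which also covers obfuscated schemes
    // such as "java\tscript:" that Uri does not recognise as a scheme.
    public static bool IsSafeNavigateUrl(string value)
    {
        if (string.IsNullOrWhiteSpace(value))
            return false;

        string text = value.Trim();
        Uri uri;
        if (!Uri.TryCreate(text, UriKind.RelativeOrAbsolute, out uri))
            return false;

        if (uri.IsAbsoluteUri)
            return AllowedSchemes.Contains(uri.Scheme);

        // Relative URL: require a single leading "/" so that a protocol-relative
        // "//evil.example" cannot point the link at another origin.
        return text.StartsWith("/", StringComparison.Ordinal)
            && !text.StartsWith("//", StringComparison.Ordinal);
    }

    // Produces the href attribute value: validated URL, then encoded for the attribute
    // context. Unsafe values fall back to a harmless placeholder instead of being rendered.
    public static string ToHrefAttribute(string untrustedUrl)
    {
        string target = IsSafeNavigateUrl(untrustedUrl) ? untrustedUrl.Trim() : "#";
        return HttpUtility.HtmlAttributeEncode(target);
    }

    public static void Main()
    {
        // Constructed sample values: two legitimate links followed by three attack strings.
        string[] samples =
        {
            "https://example.com/company",
            "/Customers/Details.aspx?id=42",
            "javascript:alert(document.cookie)",
            "//evil.example/phish",
            "data:text/html,<script>alert(1)</script>"
        };
        foreach (string s in samples)
            Console.WriteLine("{0,-45} safe={1}  href=\"{2}\"", s, IsSafeNavigateUrl(s), ToHrefAttribute(s));
    }
}
```

Validation and encoding are deliberately separate steps: the allowlist decides whether the value may be a link at all, and HtmlAttributeEncode then makes sure the accepted value cannot break out of the quoted href attribute.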

#Encode Contents of DevExpress Controls

When the EncodeHtml property is enabled, DevExpress Web Forms controls encode data loaded from a data source. Our Web Forms controls use the HttpUtility.HtmlEncode method to replace reserved characters (for example, < and >) with character entity references (&lt; and &gt;).

DevExpress Web Forms controls do not encode the following:

  • Data that cannot be edited by users (for instance, column captions and custom header filter items)
  • Content specified in templates
  • Element content and values specified on the client

For these values, always call the HttpUtility.HtmlEncode method yourself, both in templates and for properties you assign in code:

<dx:ASPxComboBox ID="ComboBoxID" DataSourceID="ContactsDataSource" TextField="Name" runat="server">
    <ItemTemplate>
        <div>
            <%# System.Web.HttpUtility.HtmlEncode(Eval("Name")) %><br />
            <%# System.Web.HttpUtility.HtmlEncode(Eval("Phone")) %>
        </div>
    </ItemTemplate>
</dx:ASPxComboBox>
protected void Page_Load(object sender, EventArgs e) {
    // An untrusted value, for example a query-string parameter (any external source applies).
    string caption = Request.QueryString["caption"];
    // ModalDropDownCaption is rendered as markup, so encode it before assignment.
    ComboBoxID.SettingsAdaptivity.ModalDropDownCaption = System.Web.HttpUtility.HtmlEncode(caption);
}

Refer to the following sections to learn how DevExpress ASP.NET Web Forms controls encode HTML.

#BinaryImage

Use the ASPxBinaryImage control’s EncodeHtml property to encode the following property values:

The ASPxBinaryImage control does not encode the EditingSettings.DropZoneText property value. The control renders this value as HTML markup. Call the HttpUtility.HtmlEncode method to encode values.

#Button

Use the ASPxButton control’s EncodeHtml property to encode the Text property value.

#ButtonEdit

Use the ASPxButtonEdit control’s EncodeHtml property to encode the following property values:

#Calendar

Use the ASPxCalendar control’s EncodeHtml property to encode the following property values:

#Captcha

Use the ASPxCaptcha control’s EncodeHtml property to encode the following property values:

The ASPxCaptcha control does not encode the LoadingPanel.Text property value. The control renders this value as HTML markup. Call the HttpUtility.HtmlEncode method to encode values.

#CardView

Use the ASPxCardView control’s SettingsBehavior.EncodeErrorHtml property to encode error text. A column’s PropertiesEdit.EncodeHtml property specifies whether to encode column cell values.

To encode text strings displayed within command buttons, set the SettingsCommandButton.EncodeHtml property to true.

The ASPxCardView control does not encode custom header filter item values. The control renders these values as HTML markup. Call the HttpUtility.HtmlEncode method to encode values.

#CheckBox

Use the ASPxCheckBox control’s EncodeHtml property to encode the following property values:

#CheckBoxList

Use the ASPxCheckBoxList control’s EncodeHtml property to encode the following property values:

#CloudControl

Use the ASPxCloudControl’s EncodeHtml property to encode Text associated with individual items.

The ASPxCloudControl does not encode ItemBeginText and ItemEndText property values. The control renders these values as HTML markup. Call the HttpUtility.HtmlEncode method to encode values.

#ColorEdit

Use the ASPxColorEdit control’s EncodeHtml property to encode the following property values:

#ComboBox

Use the ASPxComboBox control’s EncodeHtml property to encode the following property values:

The ASPxComboBox control does not encode the following property values:

The control renders these values as HTML markup. Call the HttpUtility.HtmlEncode method to encode values.

#DateEdit

Use the ASPxDateEdit control’s EncodeHtml property to encode the following property values:

The ASPxDateEdit control does not encode the SettingsAdaptivity.ModalDropDownCaption property value. The control renders this value as HTML markup. Call the HttpUtility.HtmlEncode method to encode values.

#DataView

Use the ASPxDataView control’s EncodeHtml property to encode pager button captions.

The ASPxDataView control does not encode ShowMoreItemsText and EmptyDataText property values. The control renders these values as HTML markup. Call the HttpUtility.HtmlEncode method to encode values.

#Diagram

Use the ASPxDiagram control’s EncodeHtml property to encode the Title used for individual custom shapes.

#DropDownEdit

Use the ASPxDropDownEdit control’s EncodeHtml property to encode the following property values:

The ASPxDropDownEdit control does not encode the SettingsAdaptivity.ModalDropDownCaption property value. The control renders this value as HTML markup. Call the HttpUtility.HtmlEncode method to encode values.

#FilterControl

Use a column’s PropertiesEdit.EncodeHtml property to encode ASPxFilterControl column cell values.

The ASPxFilterControl control does not encode the following property values:

The control renders these values as HTML markup. Call the HttpUtility.HtmlEncode method to encode values.

#FormLayout

Use the ASPxFormLayout control’s EncodeHtml property to encode the Caption associated with individual items.

#Gantt

The ASPxGantt control does not encode the Caption of individual columns within the Task List. The control renders these values as HTML markup. Call the HttpUtility.HtmlEncode method to encode values.

#GridView

Use the ASPxGridView control’s PreviewEncodeHtml property to encode text strings displayed in preview rows. Use the SettingsBehavior.EncodeErrorHtml property to encode control-related error text.

Use a data column’s PropertiesEdit.EncodeHtml property to encode column cell values. Enable the SettingsCommandButton.EncodeHtml property to encode text strings displayed within command buttons.

The ASPxGridView control does not encode the Caption of individual columns and custom header filter item values. The control renders these values as HTML markup. Call the HttpUtility.HtmlEncode method to encode values.

#Headline

Use the ASPxHeadline control’s EncodeHtml property to encode the following property values:

The ASPxHeadline control does not encode the TailText property value. The control renders this value as HTML markup. Call the HttpUtility.HtmlEncode method to encode values.

#Hint

Use the ASPxHint control’s EncodeHtml property to encode the following property values:

#HtmlEditor

Use the ASPxHtmlEditor control’s EncodeHtml property to encode the following property values:

The ASPxHtmlEditor control does not encode Text and Value property values for individual toolbar custom items. The control renders these values as HTML markup. Call the HttpUtility.HtmlEncode method to encode values.

#HyperLink

Use the ASPxHyperLink control’s EncodeHtml property to encode the Text property value.

#ImageGallery

Use the ASPxImageGallery control’s EncodeHtml property to encode the following property values:

The ASPxImageGallery control does not encode EmptyDataText and PagerSettings.ShowMoreItemsText property values. The control renders these values as HTML markup. Call the HttpUtility.HtmlEncode method to encode values.

#ImageSlider

Use the ASPxImageSlider control’s EncodeHtml property to encode Text associated with individual items.

#Label

Use the ASPxLabel control’s EncodeHtml property to encode Text and Value property values.

#ListBox

Use the ASPxListBox control’s EncodeHtml property to encode the following property values:

The ASPxListBox control does not encode the following property values:

The control renders these values as HTML markup. Call the HttpUtility.HtmlEncode method to encode these values.

#Memo

Use the ASPxMemo control’s EncodeHtml property to encode the following property values:

#Menu

Use the ASPxMenu control’s EncodeHtml property to encode Text associated with individual items.

#NavBar

Use the ASPxNavBar control’s EncodeHtml property to encode the following property values:

#NewsControl

Use the ASPxNewsControl’s EncodeHtml property to encode the following property values:

The ASPxNewsControl does not encode ItemSettings.TailText and EmptyDataText property values. The control renders these values as HTML markup. Call the HttpUtility.HtmlEncode method to encode values.

#Pager

Use the ASPxPager control’s EncodeHtml property to encode the following property values:

The ASPxPager control does not encode the PageSizeItemSettings.Caption property value. The control renders this value as HTML markup. Call the HttpUtility.HtmlEncode method to encode values.

#PageControl

Use the ASPxPageControl’s EncodeHtml property to encode Text associated with individual tab pages.

#PivotGrid

Use the ASPxPivotGrid control’s EncodeHtml property to encode the following property values:

#PopupControl

Use the ASPxPopupControl’s EncodeHtml property to encode the following property values:

#PopupMenu

Use the ASPxPopupMenu control’s EncodeHtml property to encode Text for individual items.

#RadioButton

Use the ASPxRadioButton control’s EncodeHtml property to encode the following property values:

#RadioButtonList

Use the ASPxRadioButtonList control’s EncodeHtml property to encode the following property values:

#Ribbon

Use the ASPxRibbon control’s EncodeHtml property to encode the following property values:

#RichEdit

Use the ASPxRichEdit control’s EncodeHtml property to encode ribbon and popup control elements.

#RoundPanel

The ASPxRoundPanel control’s EncodeHtml property has no effect when the View property is set to Standard. When View is set to GroupBox, the EncodeHtml property specifies whether to encode the HeaderText property value.

#SpinEdit

Use the ASPxSpinEdit control’s EncodeHtml property to encode the following property values:

#Spreadsheet

Use the ASPxSpreadsheet control’s EncodeHtml property to encode ribbon and popup control elements.

#TabControl

Use the ASPxTabControl’s EncodeHtml property to encode Text associated with individual tabs.

#TextBox

Use the ASPxTextBox control’s EncodeHtml property to encode the following property values:

#TimeEdit

Use the ASPxTimeEdit control’s EncodeHtml property to encode the following property values:

#TitleIndex

Use the ASPxTitleIndex control’s EncodeHtml property to encode Text used for individual items.

The ASPxTitleIndex control does not encode the following property values:

The control renders these values as HTML markup. Call the HttpUtility.HtmlEncode method to encode values.

#TokenBox

Use the ASPxTokenBox control’s EncodeHtml property to encode the following property values:

The ASPxTokenBox control does not encode the SettingsLoadingPanel.Text property value. The control renders this value as HTML markup. Call the HttpUtility.HtmlEncode method to encode values.

#TrackBar

Use the ASPxTrackBar control’s EncodeHtml property to encode the following property values:

#TreeList

Use the ASPxTreeList control’s PreviewEncodeHtml property to encode text strings displayed within preview rows. Use the SettingsBehavior.EncodeErrorHtml property to encode control-related error text.

To encode column cell values, set a column’s PropertiesEdit.EncodeHtml property to true.

The ASPxTreeList control does not encode custom header filter item values. The control renders these values as HTML markup. Call the HttpUtility.HtmlEncode method to encode values.

#TreeView

Use the ASPxTreeView control’s EncodeHtml property to encode Text used for individual nodes.

#UploadControl

Use the ASPxUploadControl’s EncodeHtml property to encode the following property values:

#ValidationSummary

Use the ASPxValidationSummary control’s EncodeHtml property to encode HeaderText property values.

The control summarizes validation errors from multiple editors and displays them in a single block. Set an editor’s EncodeHtml property to true to encode the editor’s error text in the ASPxValidationSummary.

#VerticalGrid

Use the ASPxVerticalGrid control’s SettingsBehavior.EncodeErrorHtml property to encode error text. Use a row’s PropertiesEdit.EncodeHtml property to encode row cell values.

To encode text strings displayed within command buttons, set the SettingsCommandButton.EncodeHtml property to true.

The ASPxVerticalGrid control does not encode custom header filter item values. The control renders these values as HTML markup. Call the HttpUtility.HtmlEncode method to encode values.