
ASPxListBox.DataSecurityMode Property

Provides the capability to restrict setting the editor value on the client side to values listed in the server ASPxListEdit.Items.

Namespace: DevExpress.Web

Assembly: DevExpress.Web.v24.2.dll

Declaration

[DefaultValue(DataSecurityMode.Default)]
public DataSecurityMode DataSecurityMode { get; set; }

Property Value

| Type | Default | Description |
|---|---|---|
| DataSecurityMode | Default | One of the DataSecurityMode enumeration values. |

Available values:

| Name | Description |
|---|---|
| Default | The data editor allows users to enter and select custom items. |
| Strict | The data editor does not allow users to enter and select custom items. |

Remarks

By default, the DataSecurityMode property is set to Default. In this mode, a list editor allows new list items to be added via client code and, if the ASPxListBox.EnableSynchronization property is enabled, synchronizes changes to the item list with the server-side ASPxListEdit.Items collection. An end user can modify the editor's server value either by selecting list items added via client code or by entering new values directly into the editor's edit box. In this scenario, it is recommended that you HTML-encode the list item content in one of the following ways:

  • Enable the ASPxListBox.EncodeHtml property if items aren't created using templates.
  • Encode HTML using the HttpUtility.HtmlEncode method if the list items are created using templates (ASPxListBox.ItemTemplate).

    <dx:ASPxListBox ID="lb1" runat="server">
        <ItemTemplate>
            <asp:Label ID="Label1" runat="server" Text='<%# HttpUtility.HtmlEncode(Eval("Text")) %>'></asp:Label>
        </ItemTemplate>
    </dx:ASPxListBox>
    

You can set the DataSecurityMode property to Strict to prevent setting a list editor’s value to any value except values listed within the editor’s server-side ASPxListEdit.Items collection. This helps you secure your data against any potential threat of malicious data modifications initiated in the client browser.
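The following code-behind is an added example, not DevExpress sample code: it sets Strict mode and item encoding on the `lb1` list box from the markup above, then re-checks the posted value against a server-side allow-list before using it. The page class, the `result` label, the `Submit_Click` handler and the shipping options are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Web;
using DevExpress.Web;

// Hypothetical code-behind for a page that contains <dx:ASPxListBox ID="lb1">,
// an <asp:Label ID="result"> and a submit button wired to Submit_Click.
public partial class ShippingPage : System.Web.UI.Page
{
    // Constructed sample data: the only values the server is willing to accept.
    private static readonly Dictionary<string, string> ShippingOptions =
        new Dictionary<string, string>(StringComparer.Ordinal)
        {
            { "std", "Standard" },
            { "exp", "Express" },
            { "pick", "Store pickup" }
        };

    protected void Page_Init(object sender, EventArgs e)
    {
        // Only values listed in the server-side Items collection may become the editor value.
        lb1.DataSecurityMode = DataSecurityMode.Strict;
        // Encode item text on render (these items are not created from templates).
        lb1.EncodeHtml = true;

        // Rebuild the item list on every request so it never depends on client state.
        lb1.Items.Clear();
        foreach (KeyValuePair<string, string> option in ShippingOptions)
            lb1.Items.Add(option.Value, option.Key); // Add(text, value)
    }

    protected void Submit_Click(object sender, EventArgs e)
    {
        // Second check, independent of the control: compare with the allow-list.
        string posted = lb1.Value as string;
        if (posted == null || !ShippingOptions.ContainsKey(posted))
        {
            result.Text = "Unknown shipping option.";
            return;
        }

        // Encode anything echoed back into the page.
        result.Text = "Selected: " + HttpUtility.HtmlEncode(ShippingOptions[posted]);
    }
}
```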
