HTML Encoding


To protect a website from cross-site scripting (XSS) attacks, HTML markup should be encoded: certain characters are converted to an alternate representation so that the browser treats them as text rather than as markup. This conversion prevents unsafe tags in HTML markup, such as <script> or <img> (for example, <img onload=...>), from being interpreted and executed by the browser.

Use the SettingsBase.EncodeHtml property to encode a DevExpress MVC extension's value and element content. If the extension's SettingsBase.EncodeHtml property is set to true, the value and element content that contain HTML code are parsed, and each HTML tag's angle brackets (the < and > characters) are converted to the corresponding character references (&lt; and &gt;) when the extension renders its value and elements to the page. As a result, HTML code is displayed on the page as text. Note that the SettingsBase.EncodeHtml property does not encode an extension's value and elements specified on the client side.

GridViewExtension, CardViewExtension, VerticalGridExtension, TreeListExtension and FilterControlExtension extensions do not have an EncodeHtml property. Use the following properties to encode data in these extensions:

  • A column's EncodeHtml property encodes data column field values.

  • The EncodeErrorHtml property specifies whether a grid renders error text as HTML or as text (i.e., it removes HTML tags).

Data and Image Navigation

For each DevExpress ASP.NET MVC extension, the entry lists the element(s) for which the SettingsBase.EncodeHtml property is in effect, with notes where applicable.

  • DataViewExtension
    EncodeHtml in effect for: Pager buttons texts
    Notes: The SettingsBase.EncodeHtml property is not in effect for the DataViewExtension's item content. Since item content is defined using templates, use the HttpUtility.HtmlEncode method to encode the template's HTML. The SettingsBase.EncodeHtml property is also not in effect for the DataViewSettings.PagerSettings.ShowMoreItemsText and DataViewSettings.EmptyDataText properties; their values are not HTML encoded and are rendered as pure HTML markup.

  • ImageGalleryExtension
    EncodeHtml in effect for: Items[i].Text (MVCxImageGalleryItem.Text); Items[i].FullScreenViewerText (MVCxImageGalleryItem.FullscreenViewerText)
    Notes: The SettingsBase.EncodeHtml property is not in effect for the ImageGallerySettings.EmptyDataText and ImageGallerySettings.PagerSettings.ShowMoreItemsText properties. Property values are not HTML encoded and are rendered as pure HTML markup.

  • ImageSliderExtension
    EncodeHtml in effect for: Items[i].Text (MVCxImageSliderItem.Text)

Docking and Popup

For each DevExpress ASP.NET MVC extension, the entry lists the element(s) for which the SettingsBase.EncodeHtml property is in effect, with notes where applicable.

  • HintExtension
    EncodeHtml in effect for: HintSettings.Content; HintSettings.Title
    Notes: The SettingsBase.EncodeHtml property is not in effect for hint content specified on the client side.

  • PopupControlExtension
    EncodeHtml in effect for: PopupControlSettings.HeaderText; PopupControlSettings.FooterText; PopupControlSettings.Text

For each of the following DevExpress ASP.NET MVC extensions, the entry lists the element(s) for which the SettingsBase.EncodeHtml property is in effect.

  • FormLayoutExtension<ModelType>
    EncodeHtml in effect for: Items[i].Caption (MVCxFormLayoutItem.Caption)

  • MenuExtension
    EncodeHtml in effect for: Items[i].Text (MVCxMenuItem.Text)

  • NavBarExtension
    EncodeHtml in effect for: Groups[i].Text (MVCxNavBarGroup.Text); Groups[i].Items[i].Text (MVCxNavBarItem.Text)

  • PageControlExtension
    EncodeHtml in effect for: TabPages[i].Text (MVCxTabPage.Text)

  • PopupMenuExtension
    EncodeHtml in effect for: Items[i].Text (MVCxMenuItem.Text)

  • RibbonExtension
    EncodeHtml in effect for: Tabs[i].Text (MVCxRibbonTab.Text); Tabs[i].Groups[i].Text (MVCxRibbonGroup.Text); Tabs[i].Groups[i].Items[i].Text (MVCxRibbonTab.Text)

  • TabControlExtension
    EncodeHtml in effect for: Tabs[i].Text (MVCxTab.Text)

  • TreeViewExtension
    EncodeHtml in effect for: Nodes[i].Text (MVCxTreeViewNode.Text)

Multi-Use Site Extensions

For each DevExpress ASP.NET MVC extension, the entry lists the element(s) for which the SettingsBase.EncodeHtml property is in effect, with notes where applicable.

  • RoundPanelExtension
    Notes: The SettingsBase.EncodeHtml property is not in effect for the RoundPanelSettings.HeaderText property. This property value is not HTML encoded and is rendered as pure HTML markup.

Data Editors

For each DevExpress ASP.NET MVC extension, the entry lists the element(s) for which the SettingsBase.EncodeHtml property is in effect, with notes where applicable.

  • BinaryImageEditExtension
    EncodeHtml in effect for: BinaryImageEditSettings.Properties.Caption; BinaryImageEditSettings.Properties.CaptionSettings.RequiredMark; BinaryImageEditSettings.Properties.CaptionSettings.OptionalMark

  • ButtonExtension
    EncodeHtml in effect for: ButtonSettings.Text

  • ButtonEditExtension
    EncodeHtml in effect for: ButtonEditSettings.Properties.Caption; ButtonEditSettings.Properties.HelpText; Buttons[i].Text (EditButton.Text)
    Notes: Even if the SettingsBase.EncodeHtml property is set to false, the button edit editor's value (ButtonEditSettings.Text) and null text (ButtonEditSettings.Properties.NullText) are not executed as HTML; they are converted into the corresponding text for display purposes.

  • CalendarExtension
    EncodeHtml in effect for: CalendarSettings.Properties.ClearButtonText; CalendarSettings.Properties.TodayButtonText; CalendarFastNavProperties.CancelButtonText; CalendarFastNavProperties.OkButtonText

  • CaptchaExtension
    EncodeHtml in effect for: CaptchaSettings.ValidationSettings.ErrorText; CaptchaSettings.ValidationSettings.RequiredField.ErrorText; CaptchaSettings.RefreshButton.Text; CaptchaSettings.TextBox.LabelText
    Notes: Even if the SettingsBase.EncodeHtml property value is false, the extension's null text (CaptchaSettings.TextBox.NullText) is not executed as HTML; it is converted into text for display purposes.

  • CheckBoxExtension
    EncodeHtml in effect for: CheckBoxSettings.Text

  • CheckBoxListExtension
    EncodeHtml in effect for: Items[i].Text (ListEditItem.Text); Items[i].Value (ListEditItem.Value)

  • ColorEditExtension
    EncodeHtml in effect for: Buttons[i].Text (EditButton.Text); ColorEditSettings.Properties.Caption; ColorEditSettings.Properties.HelpText; DropDownButton.Text (EditButton.Text); ClearButtonText.Text (EditButton.Text)
    Notes: Even if the SettingsBase.EncodeHtml property is set to false, the color editor's null text (ColorEditSettings.Properties.NullText) and OK/Cancel button texts (ColorEditSettings.Properties.CancelButtonText/ColorEditSettings.Properties.OkButtonText) are not executed as HTML; they are converted into the corresponding text for display purposes.

  • ComboBoxExtension
    EncodeHtml in effect for: Items[i].Text (ListEditItem.Text); Buttons[i].Text (EditButton.Text); ComboBoxSettings.Properties.HelpText; DropDownButton.Text (EditButton.Text); ClearButton.Text (EditButton.Text); CaptionSettings.RequiredMark (EditorCaptionSettings.RequiredMark); CaptionSettings.OptionalMark (EditorCaptionSettings.OptionalMark)
    Notes: Even if the SettingsBase.EncodeHtml property is set to false, the editor's null text (ComboBoxSettings.Properties.NullText) is not executed as HTML; it is converted into the corresponding text for display purposes. To improve security, use the editor's Item Template, and the ItemTextCellPrepared and ItemRowPrepared events, instead of the SettingsBase.EncodeHtml property. Use the HttpUtility.HtmlEncode method to encode template content.

  • DateEditExtension
    EncodeHtml in effect for: DateEditSettings.Properties.Caption; DateEditSettings.Properties.HelpText; Buttons[i].Text (EditButton.Text); DropDownButton.Text (EditButton.Text); ClearButton.Text (EditButton.Text); CaptionSettings.RequiredMark (EditorCaptionSettings.RequiredMark); CaptionSettings.OptionalMark (EditorCaptionSettings.OptionalMark); DateEditSettings.CalendarProperties.ClearButtonText; DateEditSettings.CalendarProperties.TodayButtonText; DateEditSettings.TimeSectionProperties.OkButtonText; DateEditSettings.TimeSectionProperties.CancelButtonText; DateEditSettings.CalendarProperties.FastNavProperties.OkButtonText
    Notes: Even if the SettingsBase.EncodeHtml property is set to false, the editor's null text (DateEditSettings.Properties.NullText) is not executed as HTML; it is converted into the corresponding text for display purposes.

  • DropDownEditExtension
    EncodeHtml in effect for: DropDownEditSettings.Properties.Caption; DropDownEditSettings.Properties.HelpText; Buttons[i].Text (EditButton.Text); DropDownButton.Text (EditButton.Text); ClearButton.Text (EditButton.Text); CaptionSettings.RequiredMark (EditorCaptionSettings.RequiredMark); CaptionSettings.OptionalMark (EditorCaptionSettings.OptionalMark)
    Notes: Even if the SettingsBase.EncodeHtml property is set to false, the editor's value (DropDownEditSettings.Text) and null text (DropDownEditSettings.Properties.NullText) are not executed as HTML; they are converted into the corresponding text for display purposes.

  • HyperLinkExtension
    EncodeHtml in effect for: HyperLinkSettings.Properties.Text

  • LabelExtension
    EncodeHtml in effect for: LabelSettings.Text

  • ListBoxExtension
    EncodeHtml in effect for: Items[i].Text (ListEditItem.Text); Items[i].Value (ListEditItem.Value); ListBoxSettings.Properties.Caption; CaptionSettings.RequiredMark (EditorCaptionSettings.RequiredMark); CaptionSettings.OptionalMark (EditorCaptionSettings.OptionalMark)
    Notes: To improve security, use the editor's Item Template, and the ItemTextCellPrepared and ItemRowPrepared events, instead of the SettingsBase.EncodeHtml property. Use the HttpUtility.HtmlEncode method to encode template content.

  • MemoExtension
    EncodeHtml in effect for: MemoSettings.Caption; MemoSettings.HelpText; CaptionSettings.RequiredMark (EditorCaptionSettings.RequiredMark); CaptionSettings.OptionalMark (EditorCaptionSettings.OptionalMark)
    Notes: Even if the SettingsBase.EncodeHtml property is set to false, the editor's value (MemoSettings.Text) and null text (MemoSettings.Properties.NullText) are not executed as HTML; they are converted into the corresponding text for display purposes.

  • RadioButtonExtension
    EncodeHtml in effect for: RadioButtonSettings.Text

  • RadioButtonListExtension
    EncodeHtml in effect for: Items[i].Text (ListEditItem.Text); Items[i].Value (ListEditItem.Value); CaptionSettings.RequiredMark (EditorCaptionSettings.RequiredMark); CaptionSettings.OptionalMark (EditorCaptionSettings.OptionalMark)

  • SpinEditExtension
    EncodeHtml in effect for: SpinEditSettings.Properties.Caption; SpinEditSettings.Properties.HelpText; Buttons[i].Text (EditButton.Text); ClearButton.Text (EditButton.Text); CaptionSettings.RequiredMark (EditorCaptionSettings.RequiredMark); CaptionSettings.OptionalMark (EditorCaptionSettings.OptionalMark)
    Notes: Even if the SettingsBase.EncodeHtml property is set to false, the editor's null text (SpinEditSettings.Properties.NullText) is not executed as HTML; it is converted into the corresponding text for display purposes.

  • TextBoxExtension
    EncodeHtml in effect for: TextBoxSettings.Properties.Caption; TextBoxProperties.Properties.HelpText
    Notes: Even if the SettingsBase.EncodeHtml property is set to false, the text box editor's value (TextBoxSettings.Text) and null text (TextBoxSettings.Properties.NullText) are not executed as HTML; they are converted into the corresponding text for display purposes.

  • TimeEditExtension
    EncodeHtml in effect for: TimeEditSettings.Properties.Caption; TimeEditSettings.Properties.HelpText; Buttons[i].Text (EditButton.Text); ClearButton.Text (EditButton.Text); CaptionSettings.RequiredMark (EditorCaptionSettings.RequiredMark); CaptionSettings.OptionalMark (EditorCaptionSettings.OptionalMark)
    Notes: Even if the SettingsBase.EncodeHtml property is set to false, the editor's null text (TimeEditSettings.Properties.NullText) is not executed as HTML; it is converted into the corresponding text for display purposes.

  • TokenBoxExtension
    EncodeHtml in effect for: TokenBoxSettings.Properties.Tokens; ListEditItem.Text; ListEditItem.Value; TokenBoxSettings.Properties.Caption; TokenBoxSettings.Properties.HelpText
    Notes: Even if the SettingsBase.EncodeHtml property is set to false, the editor's null text (TokenBoxSettings.Properties.NullText) is not executed as HTML; it is converted into the corresponding text for display purposes. To improve security, use the editor's Item Template, and the ItemTextCellPrepared and ItemRowPrepared events, instead of the SettingsBase.EncodeHtml property. Use the HttpUtility.HtmlEncode method to encode template content.

  • TrackBarExtension
    EncodeHtml in effect for: Item and tooltip texts

  • ValidationSummaryExtension
    EncodeHtml in effect for: ValidationSummarySettings.HeaderText
    Notes: To encode error text within ASPxValidationSummary, set the corresponding editor's EncodeHtml property to true.
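The three encoding paths described on this page, combined in one Razor view as an added example (this is not code from the DevExpress documentation): SettingsBase.EncodeHtml on an editor, the per-column EncodeHtml property on a GridView, and explicit HttpUtility.HtmlEncode inside a DataView item template, which EncodeHtml does not cover. The view model property names (Comment, Rows with a Notes field, Posts with a Title field) are assumed.

```cshtml
@* Added example, not code from the DevExpress documentation. Assumed view model
   (hypothetical names): string Comment; IEnumerable Rows with a Notes field;
   IEnumerable Posts with a Title field. *@
@using System.Web
@using System.Web.UI

@* 1. SettingsBase.EncodeHtml: a Comment containing "<script>...</script>" is
      rendered as &lt;script&gt;...&lt;/script&gt;, i.e. shown as text. Values
      assigned on the client side are not covered by this property. *@
@Html.DevExpress().TextBox(settings => {
    settings.Name = "Comment";
    settings.EncodeHtml = true;
}).Bind(Model.Comment).GetHtml()

@* 2. GridViewExtension has no SettingsBase.EncodeHtml; encoding is per column. *@
@Html.DevExpress().GridView(settings => {
    settings.Name = "Grid";
    settings.Columns.Add(column => {
        column.FieldName = "Notes";
        column.EncodeHtml = true;   // field values of this column are encoded
    });
}).Bind(Model.Rows).GetHtml()

@* 3. Template content is outside EncodeHtml's scope: encode it explicitly. *@
@Html.DevExpress().DataView(settings => {
    settings.Name = "Posts";
    settings.SetItemTemplateContent(container => {
        var title = DataBinder.Eval(container.DataItem, "Title") as string ?? "";
        // HttpUtility.HtmlEncode replaces <, >, &, and " with character
        // references, so a title that contains markup is displayed literally.
        ViewContext.Writer.Write("<h3>" + HttpUtility.HtmlEncode(title) + "</h3>");
    });
}).Bind(Model.Posts).GetHtml()
```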

Data & Analytics

For each DevExpress ASP.NET MVC extension, the entry lists the element(s) for which the SettingsBase.EncodeHtml property is in effect, with notes where applicable.

  • ASPxHtmlEditor
    EncodeHtml in effect for: ContextMenuItems[i].Text (HtmlEditorContextMenuItem.Text)
    Notes: The SettingsBase.EncodeHtml property is not in effect for ToolbarItemPickerItem.Text and ToolbarItemPickerItem.Value.

  • ASPxRichEdit
    EncodeHtml in effect for: Elements of the ribbon and popup control

  • ASPxSpreadsheet
    EncodeHtml in effect for: Elements of the ribbon and popup control
    Notes: The component's content is not encoded.