HTML Encoding

Jul 09, 2021
6 minutes to read

To protect a website from cross-site scripting (XSS) attacks, HTML markup should be encoded (certain characters are converted to an alternate format). This conversion prevents the use of unsafe tags in HTML markup such as <script> or <img> (for example, <img onload=…>).

Use the SettingsBase.EncodeHtml property to encode a DevExpress MVC extension’s value and element content. If the extension’s SettingsBase.EncodeHtml property is set to true, the value and element content that contain HTML code are parsed. An HTML tag’s angle bracket (the < and >characters) are converted to specific symbols (&lt; and &gt;) when the extension renders its value and elements to the page. The result is that HTML code is displayed on the page as text. Note that the SettingsBase.EncodeHtml property does not encode an extension’s value and elements specified on the client side.

GridViewExtension, CardViewExtension, VerticalGridExtension, TreeListExtension and FilterControlExtension extensions do not have an EncodeHtml property. Use the following properties to encode data in these extensions:

A column’s EncodeHtml property encodes data column field values.
The EncodeErrorHtml property specifies whether a grid renders error text as HTML or as text (i.e., it removes HTML tags).

DevExpress ASP.NET MVC Extension	Extension’s element(s) for which the SettingsBase.EncodeHtml property is in effect	Notes
DataViewExtension	Pager buttons texts	The SettingsBase.EncodeHtml property is not in effect for the DataViewExtension’s item content. Since item content is defined using templates, use the HttpUtility.HtmlEncode method to encode the template’s HTML. The SettingsBase.EncodeHtml property is not in effect for the DataViewSettings.PagerSettings.ShowMoreItemsText and DataViewSettings.EmptyDataText properties. Property values are not HTML encoded and are rendered as pure HTML markup.
ImageGalleryExtension	Items[i].Text (MVCxImageGalleryItem.Text) Items[i].FullScreenViewerText (MVCxImageGalleryItem.FullscreenViewerText)	The SettingsBase.EncodeHtml property is not in effect for the ImageGallerySettings.EmptyDataText and ImageGallerySettings.PagerSettings.ShowMoreItemsText properties. Property values are not HTML encoded and are rendered as pure HTML markup.
ImageSliderExtension	Items[i].Text (MVCxImageSliderItem.Text)

DevExpress ASP.NET MVC Extension

Extension’s element(s) for which the SettingsBase.EncodeHtml property is in effect

Notes

DataViewExtension

Pager buttons texts

The SettingsBase.EncodeHtml property is not in effect for the DataViewExtension’s item content. Since item content is defined using templates, use the HttpUtility.HtmlEncode method to encode the template’s HTML.

The SettingsBase.EncodeHtml property is not in effect for the DataViewSettings.PagerSettings.ShowMoreItemsText and DataViewSettings.EmptyDataText properties. Property values are not HTML encoded and are rendered as pure HTML markup.

ImageGalleryExtension

Items[i].Text (MVCxImageGalleryItem.Text)

Items[i].FullScreenViewerText (MVCxImageGalleryItem.FullscreenViewerText)

The SettingsBase.EncodeHtml property is not in effect for the ImageGallerySettings.EmptyDataText and ImageGallerySettings.PagerSettings.ShowMoreItemsText properties. Property values are not HTML encoded and are rendered as pure HTML markup.

ImageSliderExtension

Items[i].Text (MVCxImageSliderItem.Text)

DevExpress ASP.NET MVC Extension	Extension’s element(s) for which the SettingsBase.EncodeHtml property is in effect	Notes
HintExtension	HintSettings.Content HintSettings.Title	The SettingsBase.EncodeHtml property is not in effect for hint content specified on the client side.
PopupControlExtension	PopupControlSettings.HeaderText PopupControlSettings.FooterText PopupControlSettings.Text

DevExpress ASP.NET MVC Extension

Extension’s element(s) for which the SettingsBase.EncodeHtml property is in effect

Notes

HintExtension

HintSettings.Content

HintSettings.Title

The SettingsBase.EncodeHtml property is not in effect for hint content specified on the client side.

PopupControlExtension

PopupControlSettings.HeaderText

PopupControlSettings.FooterText

PopupControlSettings.Text

DevExpress ASP.NET MVC Extension	Extension’s element(s) for which the SettingsBase.EncodeHtml property is in effect
FormLayoutExtension<ModelType>	Items[i].Caption (MVCxFormLayoutItem.Caption)
MenuExtension	Items[i].Text (MVCxMenuItem.Text)
NavBarExtension	Groups[i].Text (MVCxNavBarGroup.Text) Groups[i].Items[i].Text (MVCxNavBarItem.Text)
PageControlExtension	TabPages[i].Text (MVCxTabPage.Text)
PopupMenuExtension	Items[i].Text (MVCxMenuItem.Text)
RibbonExtension	Tabs[i].Text (MVCxRibbonTab.Text) Tabs[i].Groups[i].Text (MVCxRibbonGroup.Text) Tabs[i].Groups[i].Items[i].Text (MVCxRibbonTab.Text)
TabControlExtension	Tabs[i].Text (MVCxTab.Text)
TreeViewExtension	Nodes[i].Text (MVCxTreeViewNode.Text)

Multi-Use Site Extensions

DevExpress ASP.NET MVC Extension	Extension’s element(s) for which the SettingsBase.EncodeHtml property is in effect	Notes
RoundPanelExtension		The SettingsBase.EncodeHtml property is not in effect for the RoundPanelSettings.HeaderText property. This property value is not HTML encoded and is rendered as pure HTML markup.

Data Editors

DevExpress ASP.NET MVC Extension	Extension’s element(s) for which the SettingsBase.EncodeHtml property is in effect	Notes
BinaryImageEditExtension	BinaryImageEditSettings.Properties.Caption BinaryImageEditSettings.Properties.CaptionSettings.RequiredMark BinaryImageEditSettings.Properties.CaptionSettings.OptionalMark)
ButtonExtension	ButtonSettings.Text
ButtonEditExtension	ButtonEditSettings.Properties.Caption ButtonEditSettings.Properties.HelpText Buttons[i].Text (EditButton.Text)	If the SettingsBase.EncodeHtml property is set to false, the button edit editor’s value (ButtonEditSettings.Text) and null text (ButtonEditSettings.Properties.NullText) are not executed and are converted into corresponding text for display purposes.
CalendarExtension	CalendarSettings.Properties.ClearButtonText CalendarSettings.Properties.TodayButtonText CalendarFastNavProperties.CancelButtonText CalendarFastNavProperties.OkButtonText
CaptchaExtension	CaptchaSettings.ValidationSettings.ErrorText CaptchaSettings.ValidationSettings.RequiredField.ErrorText) CaptchaSettings.RefreshButton.Text CaptchaSettings.TextBox.LabelText	If the SettingsBase.EncodeHtml property value is false, the extension’s null text (CaptchaSettings.TextBox.NullText) is not executed. It is converted into text for display purposes.
CheckBoxExtension	CheckBoxSettings.Text
CheckBoxListExtension	Items[i].Text (ListEditItem.Text) Items[i].Value (ListEditItem.Value)
ColorEditExtension	buttons[i].Text (EditButton.Text) ColorEditSettings.Properties.Caption ColorEditSettings.Properties.HelpText DropDownButton.Text (EditButton.Text) ClearButtonText.Text (EditButton.Text)	If the SettingsBase.EncodeHtml property is set to false, the color editor’s null text (ColorEditSettings.Properties.NullText) and OK/Cancel buttons (ColorEditSettings.Properties.CancelButtonText/ColorEditSettings.Properties.OkButtonText) are not executed and are converted into corresponding text for display purposes.
ComboBoxExtension	Items[i].Text (ListEditItem.Text) Buttons[i].Text (EditButton.Text) ComboBoxSettings.Properties.HelpText DropDownButton.Text (EditButton.Text) ClearButton.Text (EditButton.Text) CaptionSettings.RequiredMark (EditorCaptionSettings.RequiredMark) CaptionSettings.OptionalMark (EditorCaptionSettings.OptionalMark)	If the SettingsBase.EncodeHtml property is set to false, the editor’s null text (ComboBoxSettings.Properties.NullText) is not executed and is converted into corresponding text for display purposes. To improve security, use the editor’s Item Template, and ItemTextCellPrepared and ItemRowPrepared events instead of the SettingsBase.EncodeHtml property. Use the HttpUtility.HtmlEncode method to encode template content.
DateEditExtension	DateEditSettings.Properties.Caption DateEditSettings.Properties.HelpText Buttons[i].Text (EditButton.Text) DropDownButton.Text (EditButton.Text) ClearButton.Text (EditButton.Text) CaptionSettings.RequiredMark (EditorCaptionSettings.RequiredMark) CaptionSettings.OptionalMark (EditorCaptionSettings.OptionalMark) DateEditSettings.CalendarProperties.ClearButtonText DateEditSettings.CalendarProperties.TodayButtonText DateEditSettings.TimeSectionProperties.OkButtonText DateEditSettings.TimeSectionProperties.CancelButtonText DateEditSettings.CalendarProperties.FastNavProperties.OkButtonText	If the SettingsBase.EncodeHtml property is set to false, the editor’s null text (DateEditSettings.Properties.NullText) is not executed and is converted into corresponding text for display purposes.
DropDownEditExtension	DropDownEditSettings.Properties.Caption DropDownEditSettings.Properties.HelpText Buttons[i].Text (EditButton.Text) DropDownButton.Text (EditButton.Text) ClearButton.Text (EditButton.Text) CaptionSettings.RequiredMark (EditorCaptionSettings.RequiredMark) CaptionSettings.OptionalMark (EditorCaptionSettings.OptionalMark)	If the SettingsBase.EncodeHtml property is set to false, the editor’s value (DropDownEditSettings.Text) and null text (DropDownEditSettings.Properties.NullText) are not executed and are converted into corresponding text for display purposes.
HyperLinkExtension	HyperLinkSettings.Properties.Text
LabelExtension	LabelSettings.Text
ListBoxExtension	Items[i].Text (ListEditItem.Text) Items[i].Value (ListEditItem.Value) ListBoxSettings.Properties.Caption CaptionSettings.RequiredMark (EditorCaptionSettings.RequiredMark) CaptionSettings.OptionalMark (EditorCaptionSettings.OptionalMark)	To improve security, use the editor’s Item Template, and ItemTextCellPrepared and ItemRowPrepared events instead of the SettingsBase.EncodeHtml property. Use the HttpUtility.HtmlEncode method to encode template content.
MemoExtension	MemoSettings.Caption MemoSettings.HelpText CaptionSettings.RequiredMark (EditorCaptionSettings.RequiredMark) CaptionSettings.OptionalMark (EditorCaptionSettings.OptionalMark)	If the SettingsBase.EncodeHtml property is set to false, the editor’s value (MemoSettings.Text) and null text (MemoSettings.Properties.NullText) are not executed and are converted into corresponding text for display purposes.
RadioButtonExtension	RadioButtonSettings.Text
RadioButtonListExtension	Items[i].Text (ListEditItem.Text) Items[i].Value (ListEditItem.Value) CaptionSettings.RequiredMark (EditorCaptionSettings.RequiredMark) CaptionSettings.OptionalMark (EditorCaptionSettings.OptionalMark)
SpinEditExtension	SpinEditSettings.Properties.Caption SpinEditSettings.Properties.HelpText Buttons[i].Text (EditButton.Text) ClearButton.Text (EditButton.Text) CaptionSettings.RequiredMark (EditorCaptionSettings.RequiredMark) CaptionSettings.OptionalMark (EditorCaptionSettings.OptionalMark)	If the SettingsBase.EncodeHtml property is set to false, the editor’s null text (SpinEditSettings.Properties.NullText) is not executed and is converted into corresponding text for display purposes.
TextBoxExtension	TextBoxSettings.Properties.Caption TextBoxProperties.Properties.HelpText	If the SettingsBase.EncodeHtml property is set to false, the text box editor’s value (TextBoxSettings.Text) and null text (TextBoxSettings.Properties.NullText) are not executed and are converted into corresponding text for display purposes.
TimeEditExtension	TimeEditSettings.Properties.Caption TimeEditSettings.Properties.HelpText Buttons[i].Text (EditButton.Text) ClearButton.Text (EditButton.Text) CaptionSettings.RequiredMark (EditorCaptionSettings.RequiredMark) CaptionSettings.OptionalMark (EditorCaptionSettings.OptionalMark)	If the SettingsBase.EncodeHtml property is set to false, the editor’s null text (TimeEditSettings.Properties.NullText) is not executed and is converted into corresponding text for display purposes.
TokenBoxExtension	TokenBoxSettings.Properties.Tokens ListEditItem.Text ListEditItem.Value TokenBoxSettings.Properties.Caption TokenBoxSettings.Properties.HelpText	If the SettingsBase.EncodeHtml property is set to false, the editor’s null text (TokenBoxSettings.Properties.NullText) is not executed and is converted into corresponding text for display purposes. To improve security, use the editor’s Item Template, and ItemTextCellPrepared and ItemRowPrepared events instead of the SettingsBase.EncodeHtml property. Use the HttpUtility.HtmlEncode method to encode template content.
TrackBarExtension	Item and tooltip texts.
ValidationSummaryExtension	ValidationSummarySettings.HeaderText	To encode error text within ASPxValidationSummary, set the corresponding editor’s EncodeHtml property to true.

Data & Analytics

DevExpress ASP.NET MVC Extension	Extension’s element(s) for which the SettingsBase.EncodeHtml property is in effect	Notes
ASPxHtmlEditor	ContextMenuItems[i].Text (HtmlEditorContextMenuItem.Text)	The SettingsBase.EncodeHtml is not in effect for ToolbarItemPickerItem.Text and ToolbarItemPickerItem.Value.
ASPxRichEdit	Elements of the ribbon and popup control.
ASPxSpreadsheet	Elements of the ribbon and popup control.	The component’s content is not encoded.

Controls

Tools

Controls and Extensions

Tools

Maintenance Mode

Controls

Tools

Controls and Extensions

Tools

Maintenance Mode

Data and Image Navigation

Site Navigation and Layout

Multi-Use Site Extensions

Data Editors

Data & Analytics

HTML Encoding

Data and Image Navigation

Docking and Popup

Site Navigation and Layout

Multi-Use Site Extensions

Data Editors

Data & Analytics