HTML Encoding
To protect a website from cross-site scripting (XSS) attacks, HTML markup should be encoded, that is, certain characters are converted to an alternate representation. This conversion prevents user-supplied content from introducing unsafe tags into the page, such as <script> or <img> (for example, <img onload=…>).
Use the SettingsBase.EncodeHtml property to encode a DevExpress MVC extension’s value and element content. If the extension’s SettingsBase.EncodeHtml property is set to true, the value and element content that contain HTML code are parsed, and an HTML tag’s angle brackets (the < and > characters) are converted to the corresponding character entities (&lt; and &gt;) when the extension renders its value and elements to the page. As a result, the HTML code is displayed on the page as text rather than interpreted by the browser. Note that the SettingsBase.EncodeHtml property does not encode an extension’s value and elements specified on the client side.
The GridViewExtension, CardViewExtension, VerticalGridExtension, TreeListExtension and FilterControlExtension extensions do not have an EncodeHtml property. Use the following properties to encode data in these extensions instead:
- A column’s EncodeHtml property encodes the data column’s field values.
- The EncodeErrorHtml property specifies whether a grid renders error text as HTML or as plain text (that is, whether it removes HTML tags).
Data and Image Navigation
DevExpress ASP.NET MVC Extension | Extension’s element(s) for which the SettingsBase.EncodeHtml property is in effect | Notes |
---|---|---|
| | Pager button texts | The SettingsBase.EncodeHtml property is not in effect for the DataViewExtension’s item content. Since item content is defined using templates, use the HttpUtility.HtmlEncode method to encode the template’s HTML. The SettingsBase.EncodeHtml property is also not in effect for the DataViewSettings.PagerSettings.ShowMoreItemsText and DataViewSettings.EmptyDataText properties; these property values are not HTML encoded and are rendered as raw HTML markup. |
| | Items[i].Text (MVCxImageGalleryItem.Text), Items[i].FullScreenViewerText (MVCxImageGalleryItem.FullscreenViewerText) | The SettingsBase.EncodeHtml property is not in effect for the ImageGallerySettings.EmptyDataText and ImageGallerySettings.PagerSettings.ShowMoreItemsText properties. These property values are not HTML encoded and are rendered as raw HTML markup. |
| | Items[i].Text (MVCxImageSliderItem.Text) | |
Docking and Popup
DevExpress ASP.NET MVC Extension | Extension’s element(s) for which the SettingsBase.EncodeHtml property is in effect | Notes |
---|---|---|
| | | The SettingsBase.EncodeHtml property is not in effect for hint content specified on the client side. |
| | PopupControlSettings.HeaderText | |
Site Navigation and Layout
DevExpress ASP.NET MVC Extension | Extension’s element(s) for which the SettingsBase.EncodeHtml property is in effect |
---|---|
| | Items[i].Caption (MVCxFormLayoutItem.Caption) |
| | Items[i].Text (MVCxMenuItem.Text) |
| | Groups[i].Text (MVCxNavBarGroup.Text), Groups[i].Items[i].Text (MVCxNavBarItem.Text) |
| | TabPages[i].Text (MVCxTabPage.Text) |
| | Items[i].Text (MVCxMenuItem.Text) |
| | Tabs[i].Text (MVCxRibbonTab.Text), Tabs[i].Groups[i].Text (MVCxRibbonGroup.Text), Tabs[i].Groups[i].Items[i].Text (MVCxRibbonTab.Text) |
| | Tabs[i].Text (MVCxTab.Text) |
| | Nodes[i].Text (MVCxTreeViewNode.Text) |
Multi-Use Site Extensions
DevExpress ASP.NET MVC Extension | Extension’s element(s) for which the SettingsBase.EncodeHtml property is in effect | Notes |
---|---|---|
| | | The SettingsBase.EncodeHtml property is not in effect for the RoundPanelSettings.HeaderText property. This property value is not HTML encoded and is rendered as raw HTML markup. |
Data Editors
DevExpress ASP.NET MVC Extension | Extension’s element(s) for which the SettingsBase.EncodeHtml property is in effect | Notes |
---|---|---|
| | BinaryImageEditSettings.Properties.Caption, BinaryImageEditSettings.Properties.CaptionSettings.RequiredMark, BinaryImageEditSettings.Properties.CaptionSettings.OptionalMark | |
| | ButtonEditSettings.Properties.Caption, ButtonEditSettings.Properties.HelpText, Buttons[i].Text (EditButton.Text) | If the SettingsBase.EncodeHtml property is set to false, the button edit editor’s value (ButtonEditSettings.Text) and null text (ButtonEditSettings.Properties.NullText) are not interpreted as HTML markup and are rendered as plain text. |
| | CalendarSettings.Properties.ClearButtonText, CalendarSettings.Properties.TodayButtonText | |
| | CaptchaSettings.ValidationSettings.ErrorText, CaptchaSettings.ValidationSettings.RequiredField.ErrorText | If the SettingsBase.EncodeHtml property is set to false, the extension’s null text (CaptchaSettings.TextBox.NullText) is not interpreted as HTML markup and is rendered as plain text. |
| | Items[i].Text (ListEditItem.Text), Items[i].Value (ListEditItem.Value) | |
| | Buttons[i].Text (EditButton.Text), ColorEditSettings.Properties.Caption, ColorEditSettings.Properties.HelpText, DropDownButton.Text (EditButton.Text), ClearButton.Text (EditButton.Text) | If the SettingsBase.EncodeHtml property is set to false, the color editor’s null text (ColorEditSettings.Properties.NullText) and OK/Cancel button texts (ColorEditSettings.Properties.OkButtonText/ColorEditSettings.Properties.CancelButtonText) are not interpreted as HTML markup and are rendered as plain text. |
| | Items[i].Text (ListEditItem.Text), Buttons[i].Text (EditButton.Text), ComboBoxSettings.Properties.HelpText, DropDownButton.Text (EditButton.Text), ClearButton.Text (EditButton.Text), CaptionSettings.RequiredMark (EditorCaptionSettings.RequiredMark), CaptionSettings.OptionalMark (EditorCaptionSettings.OptionalMark) | If the SettingsBase.EncodeHtml property is set to false, the editor’s null text (ComboBoxSettings.Properties.NullText) is not interpreted as HTML markup and is rendered as plain text. For stronger protection, use the editor’s item template together with the ItemTextCellPrepared and ItemRowPrepared events instead of the SettingsBase.EncodeHtml property, and encode template content with the HttpUtility.HtmlEncode method. |
| | DateEditSettings.Properties.Caption, DateEditSettings.Properties.HelpText, Buttons[i].Text (EditButton.Text), DropDownButton.Text (EditButton.Text), ClearButton.Text (EditButton.Text), CaptionSettings.RequiredMark (EditorCaptionSettings.RequiredMark), CaptionSettings.OptionalMark (EditorCaptionSettings.OptionalMark), DateEditSettings.CalendarProperties.ClearButtonText, DateEditSettings.CalendarProperties.TodayButtonText, DateEditSettings.TimeSectionProperties.OkButtonText, DateEditSettings.TimeSectionProperties.CancelButtonText, DateEditSettings.CalendarProperties.FastNavProperties.OkButtonText | If the SettingsBase.EncodeHtml property is set to false, the editor’s null text (DateEditSettings.Properties.NullText) is not interpreted as HTML markup and is rendered as plain text. |
| | DropDownEditSettings.Properties.Caption, DropDownEditSettings.Properties.HelpText, Buttons[i].Text (EditButton.Text), DropDownButton.Text (EditButton.Text), ClearButton.Text (EditButton.Text), CaptionSettings.RequiredMark (EditorCaptionSettings.RequiredMark), CaptionSettings.OptionalMark (EditorCaptionSettings.OptionalMark) | If the SettingsBase.EncodeHtml property is set to false, the editor’s value (DropDownEditSettings.Text) and null text (DropDownEditSettings.Properties.NullText) are not interpreted as HTML markup and are rendered as plain text. |
| | Items[i].Text (ListEditItem.Text), Items[i].Value (ListEditItem.Value), ListBoxSettings.Properties.Caption, CaptionSettings.RequiredMark (EditorCaptionSettings.RequiredMark), CaptionSettings.OptionalMark (EditorCaptionSettings.OptionalMark) | For stronger protection, use the editor’s item template together with the ItemTextCellPrepared and ItemRowPrepared events instead of the SettingsBase.EncodeHtml property, and encode template content with the HttpUtility.HtmlEncode method. |
| | CaptionSettings.RequiredMark (EditorCaptionSettings.RequiredMark), CaptionSettings.OptionalMark (EditorCaptionSettings.OptionalMark) | If the SettingsBase.EncodeHtml property is set to false, the editor’s value (MemoSettings.Text) and null text (MemoSettings.Properties.NullText) are not interpreted as HTML markup and are rendered as plain text. |
| | Items[i].Text (ListEditItem.Text), Items[i].Value (ListEditItem.Value), CaptionSettings.RequiredMark (EditorCaptionSettings.RequiredMark), CaptionSettings.OptionalMark (EditorCaptionSettings.OptionalMark) | |
| | SpinEditSettings.Properties.Caption, SpinEditSettings.Properties.HelpText, Buttons[i].Text (EditButton.Text), ClearButton.Text (EditButton.Text), CaptionSettings.RequiredMark (EditorCaptionSettings.RequiredMark), CaptionSettings.OptionalMark (EditorCaptionSettings.OptionalMark) | If the SettingsBase.EncodeHtml property is set to false, the editor’s null text (SpinEditSettings.Properties.NullText) is not interpreted as HTML markup and is rendered as plain text. |
| | | If the SettingsBase.EncodeHtml property is set to false, the text box editor’s value (TextBoxSettings.Text) and null text (TextBoxSettings.Properties.NullText) are not interpreted as HTML markup and are rendered as plain text. |
| | TimeEditSettings.Properties.Caption, TimeEditSettings.Properties.HelpText, Buttons[i].Text (EditButton.Text), ClearButton.Text (EditButton.Text), CaptionSettings.RequiredMark (EditorCaptionSettings.RequiredMark), CaptionSettings.OptionalMark (EditorCaptionSettings.OptionalMark) | If the SettingsBase.EncodeHtml property is set to false, the editor’s null text (TimeEditSettings.Properties.NullText) is not interpreted as HTML markup and is rendered as plain text. |
| | TokenBoxSettings.Properties.Tokens | If the SettingsBase.EncodeHtml property is set to false, the editor’s null text (TokenBoxSettings.Properties.NullText) is not interpreted as HTML markup and is rendered as plain text. For stronger protection, use the editor’s item template together with the ItemTextCellPrepared and ItemRowPrepared events instead of the SettingsBase.EncodeHtml property, and encode template content with the HttpUtility.HtmlEncode method. |
| | Item and tooltip texts | |
| | | To encode error text within ASPxValidationSummary, set the corresponding editor’s EncodeHtml property to true. |
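Both mechanisms the tables describe, SettingsBase.EncodeHtml for an extension’s own elements and HttpUtility.HtmlEncode for template content (see the DataView and ComboBox notes above), in one added Razor view; this is an illustrative example, not code from the DevExpress documentation. The Comment model with its Author and Body fields, and reading those fields through DataBinder.Eval on the template container’s DataItem, are assumptions of the example.

```csharp
@* Added example (not from the DevExpress documentation). Assumes a Razor view whose
   model is IEnumerable<Comment>, where Comment has string properties Author and Body. *@
@model IEnumerable<Comment>
@using System.Web
@using System.Web.UI

@* 1. Extension-level encoding. With SettingsBase.EncodeHtml = true the combo box
      renders its items (ListEditItem.Text) and null text as text, so an item such as
      "<img onload=...>" is shown literally instead of being parsed as markup. *@
@Html.DevExpress().ComboBox(settings => {
    settings.Name = "authorFilter";
    settings.EncodeHtml = true;
    settings.Properties.NullText = "Select an author";
    foreach (var author in Model.Select(c => c.Author).Distinct()) {
        settings.Properties.Items.Add(author);   // untrusted text, encoded on render
    }
}).GetHtml()

@* 2. Template content. EncodeHtml covers only the DataView's own elements (its pager
      texts), not the item template, so every value written from the template must be
      encoded explicitly with HttpUtility.HtmlEncode. *@
@Html.DevExpress().DataView(settings => {
    settings.Name = "comments";
    settings.EncodeHtml = true;
    settings.SetItemTemplateContent(c => {
        // Reading fields via DataBinder.Eval on the container's DataItem is an
        // assumption of this example.
        var author = DataBinder.Eval(c.DataItem, "Author") as string;
        var body = DataBinder.Eval(c.DataItem, "Body") as string;
        ViewContext.Writer.Write("<b>" + HttpUtility.HtmlEncode(author) + "</b>: ");
        ViewContext.Writer.Write(HttpUtility.HtmlEncode(body));
        // Writing body unencoded here would let any <script> or <img onload=...>
        // stored in a comment be rendered as live markup in the page.
    });
}).Bind(Model).GetHtml()
```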
Data & Analytics
DevExpress ASP.NET MVC Extension | Extension’s element(s) for which the SettingsBase.EncodeHtml property is in effect | Notes |
---|---|---|
| | ContextMenuItems[i].Text (HtmlEditorContextMenuItem.Text) | The SettingsBase.EncodeHtml property is not in effect for ToolbarItemPickerItem.Text and ToolbarItemPickerItem.Value. |
| | Elements of the ribbon and popup control | |
| | Elements of the ribbon and popup control | The component’s content is not encoded. |