HTML Encoding | ASP.NET MVC Extensions | DevExpress Documentation

Sep 27, 2023
9 minutes to read

Web browsers can interpret data that contains reserved characters as HTML markup and execute this data as a code. This may create security issues. You should encode data to protect your website from cross-site scripting (XSS) attacks.

DevExpress ASP.NET MVC extensions implement the EncodeHtml property that allows you to encode property values and content. When the EncodeHtml property is enabled, the extension displays HTML code as text. The extension uses the HttpUtility.HtmlEncode method to replace reserved characters (for example, < and >) with character entity references (< and >).

Unencoded Content

When an extension’s EncodeHtml property is set to true, the extension encodes data that is loaded from the data source and that users can select or edit.

The extension never encodes the following information:

Data that cannot be edited by users
Content specified in templates
Element content and values specified on the client

Call the Html.Encode method to encode values that may contain HTML markup:

@Html.DevExpress().ComboBox(settings => {
    settings.Name = "ComboBox";
    settings.Properties.TextField = "Name";
    settings.Properties.ValueField = "ID";
    settings.CallbackRouteValues = new { Controller = "Editors", Action = "ComboBoxPartial" };
    settings.SetItemTemplateContent((container) => {
        ViewContext.Writer.Write(
            "<div>" +
                Html.Encode(DataBinder.Eval(container.DataItem, "Name")) + "<br/>" +
                Html.Encode(DataBinder.Eval(container.DataItem, "Phone")) +
            "</div>"
        );
    });
}).BindList(Model).GetHtml()

Read the following sections for information on how DevExpress ASP.NET MVC extensions implement HTML encoding.

BinaryImage

The BinaryImage extension’s BinaryImageEditSettings.EncodeHtml property specifies whether to encode the following property values:

The BinaryImage extension does not encode the BinaryImageEditSettings.Properties.EditingSettings.DropZoneText property value. The extension renders this value as HTML markup. Call the Html.Encode method to encode it.

Button

The Button extension’s ButtonSettings.EncodeHtml property specifies whether to encode the ButtonSettings.Text property value.

ButtonEdit

The ButtonEdit extension’s ButtonEditSettings.EncodeHtml property specifies whether to encode the following property values:

Calendar

The Calendar extension’s CalendarSettings.EncodeHtml property specifies whether to encode the following property values:

Captcha

The Captcha extension’s CaptchaSettings.EncodeHtml property specifies whether to encode the following property values:

The Captcha extension does not encode the CaptchaSettings.LoadingPanel.Text property value. The extension renders this value as HTML markup. Call the Html.Encode method to encode it.

CardView

The CardView extension’s CardViewSettings.SettingsBehavior.EncodeErrorHtml property specifies whether to encode error texts. A column‘s PropertiesEdit.EncodeHtml property specifies whether to encode column cell values.

Set the SettingsCommandButton.EncodeHtml property to true to encode text strings displayed in command buttons.

CheckBox

The CheckBox extension’s CheckBoxSettings.EncodeHtml property specifies whether to encode the CheckBoxSettings.Text property value.

CheckBoxList

The CheckBoxList extension’s CheckBoxListSettings.EncodeHtml property specifies whether to encode the following property values:

Text of individual items
Value of individual items
CheckBoxListSettings.Properties.Caption
CheckBoxListSettings.Properties.CaptionSettings.OptionalMark
CheckBoxListSettings.Properties.CaptionSettings.RequiredMark

ColorEdit

The ColorEdit extension’s ColorEditSettings.EncodeHtml property specifies whether to encode the following property values:

ComboBox

The ComboBox extension’s ComboBoxSettings.EncodeHtml property specifies whether to encode the following property values:

Text of individual buttons
Text of individual items
Value of individual items
ComboBoxSettings.Properties.Caption
ComboBoxSettings.Properties.CaptionSettings.OptionalMark
ComboBoxSettings.Properties.CaptionSettings.RequiredMark
ComboBoxSettings.Properties.ClearButton.Text
ComboBoxSettings.Properties.DropDownButton.Text
ComboBoxSettings.Properties.HelpText

The ComboBox extension does not encode the following property values:

The extension renders these values as HTML markup. Call the Html.Encode method to encode them.

DateEdit

The DateEdit extension’s DateEditSettings.EncodeHtml property specifies whether to encode the following property values:

The DateEdit extension does not encode the DateEditSettings.Properties.SettingsAdaptivity.ModalDropDownCaption property value. The extension renders this value as HTML markup. Call the Html.Encode method to encode it.

DataView

The DataView extension’s DataViewSettings.EncodeHtml property specifies whether to encode the pager‘s button captions.

The DataView extension does not encode DataViewSettings.PagerSettings.ShowMoreItemsText and DataViewSettings.EmptyDataText property values. The extension renders these values as HTML markup. Call the Html.Encode method to encode them.

Diagram

The Diagram extension’s DiagramSettings.EncodeHtml property specifies whether to encode Title of individual custom shapes.

DropDownEdit

The DropDownEdit extension’s DropDownEditSettings.EncodeHtml property specifies whether to encode the following property values:

The extension does not encode the DropDownEditSettings.Properties.SettingsAdaptivity.ModalDropDownCaption property value. The DropDownEdit extension renders this value as HTML markup. Call the Html.Encode method to encode it.

FilterControl

A column‘s PropertiesEdit.EncodeHtml property specifies whether to encode column cell values in the FilterControl extension.

The FilterControl extension does not encode the following property values:

DisplayName of individual columns
PropertiesEdit.NullDisplayText of individual columns
MVCxFilterControlSettings.SettingsLoadingPanel.Text

The extension renders these values as HTML markup. Call the Html.Encode method to encode them.

FormLayout

The FormLayout extension’s FormLayoutSettings.EncodeHtml property specifies whether to encode Caption of individual items.

Gantt

The Gantt extension does not encode Caption of individual columns in the Task List. The extension renders these values as HTML markup. Call the Html.Encode method to encode them.

GridView

The GridView extension’s GridViewSettings.PreviewEncodeHtml property specifies whether to encode text strings displayed in preview rows. The GridViewSettings.SettingsBehavior.EncodeErrorHtml property specifies whether to encode the extension’s error texts.

A data column’s PropertiesEdit.EncodeHtml property specifies whether to encode column cell values. Enable the GridViewSettings.SettingsCommandButton.EncodeHtml property to encode text strings displayed in command buttons.

The GridView extension does not encode Caption of individual columns. The extension renders these property values as HTML markup. Call the Html.Encode method to encode them.

Hint

The Hint extension’s HintSettings.EncodeHtml property specifies whether to encode the following property values:

HtmlEditor

The HtmlEditor extension’s HtmlEditorSettings.EncodeHtml property specifies whether to encode the following property values:

The HtmlEditor extension does not encode Text and Value property values of individual toolbar custom items. The extension renders these values as HTML markup. Call the Html.Encode method to encode them.

HyperLink

The HyperLink extension’s HyperLinkSettings.EncodeHtml property specifies whether to encode the HyperLinkSettings.Properties.Text property value.

Image

The Image extension’s ImageEditSettings.EncodeHtml property specifies whether to encode the ImageEditSettings.Properties.Caption property value.

ImageGallery

The ImageGallery extension’s ImageGallerySettings.EncodeHtml property specifies whether to encode the following property values:

FullscreenViewerText of individual items
Text of individual items

The ImageGallery extension does not encode ImageGallerySettings.PagerSettings.ShowMoreItemsText and ImageGallerySettings.EmptyDataText property values. The extension renders these values as HTML markup. Call the Html.Encode method to encode them.

ImageSlider

The ImageSlider extension’s ImageSliderSettings.EncodeHtml property specifies whether to encode Text of individual items.

Label

The Label extension’s LabelSettings.EncodeHtml property specifies whether to encode the LabelSettings.Text property value.

ListBox

The ListBox extension’s ListBoxSettings.EncodeHtml property specifies whether to encode the following property values:

Text of individual items
Value of individual items
ListBoxSettings.Properties.Caption
ListBoxSettings.Properties.CaptionSettings.OptionalMark
ListBoxSettings.Properties.CaptionSettings.RequiredMark

The ListBox extension does not encode the following property values:

Caption of individual columns
ListBoxSettings.Properties.SelectAllText
ListBoxSettings.SettingsLoadingPanel.Text

The extension renders these values as HTML markup. Call the Html.Encode method to encode them.

Memo

The Memo extension’s MemoSettings.EncodeHtml property specifies whether to encode the following property values:

The Menu extension’s MenuSettings.EncodeHtml property specifies whether to encode Text of individual items.

The NavBar extension’s NavBarSettings.EncodeHtml property specifies whether to encode the following property values:

Text of individual groups
Text of individual group items

PageControl

The PageControl extension’s PageControlSettings.EncodeHtml property specifies whether to encode Text of individual tab pages.

PopupControl

The PopupControl extension’s PopupControlSettings.EncodeHtml property specifies whether to encode the following property values:

PopupMenu

The PopupMenu extension’s PopupMenuSettings.EncodeHtml property specifies whether to encode Text of individual items.

ProgressBar

The ProgressBar extension’s ProgressBarSettings.EncodeHtml property specifies whether to encode the ProgressBarSettings.Properties.Caption property value.

RadioButton

The RadioButton extension’s RadioButtonSettings.EncodeHtml property specifies whether to encode the RadioButtonSettings.Text property value.

RadioButtonList

The RadioButtonList extension’s RadioButtonListSettings.EncodeHtml property specifies whether to encode the following property values:

Text of individual items
Value of individual items
RadioButtonListSettings.Properties.Caption
RadioButtonListSettings.Properties.CaptionSettings.OptionalMark
RadioButtonListSettings.Properties.CaptionSettings.RequiredMark

Ribbon

The Ribbon extension’s RibbonSettings.EncodeHtml property specifies whether to encode the following property values:

Text of individual tabs
Text of individual tab groups
Text of individual group items

RichEdit

The RichEdit extension’s RichEditSettings.EncodeHtml property specifies whether to encode ribbon and popup control elements.

RoundPanel

The RoundPanel extension’s RoundPanelSettings.EncodeHtml property is not in effect, when the RoundPanelSettings.View property value is set to Standard. If this property value is set to GroupBox, the extension’s RoundPanelSettings.EncodeHtml property specifies whether to encode the RoundPanelSettings.HeaderText property value.

SpinEdit

The SpinEdit extension’s SpinEditSettings.EncodeHtml property specifies whether to encode the following property values:

Spreadsheet

The Spreadsheet extension’s SpreadsheetSettings.EncodeHtml property specifies whether to encode ribbon and popup control elements.

TabControl

The TabControl extension’s TabControlSettings.EncodeHtml property specifies whether to encode Text of individual tabs.

TextBox

The TextBox extension’s TextBoxSettings.EncodeHtml property specifies whether to encode the following property values:

TimeEdit

The TimeEdit extension’s TimeEditSettings.EncodeHtml property specifies whether to encode the following property values:

TokenBox

The TokenBox extension’s TokenBoxSettings.EncodeHtml property specifies whether to encode the following property values:

Text of individual items
Value of individual items
TokenBoxSettings.Properties.Caption
TokenBoxSettings.Properties.CaptionSettings.OptionalMark
TokenBoxSettings.Properties.CaptionSettings.RequiredMark
TokenBoxSettings.Properties.HelpText
TokenBoxSettings.Properties.Tokens

The TokenBox extension does not encode the TokenBoxSettings.SettingsLoadingPanel.Text property value. The extension renders this value as HTML markup. Call the Html.Encode method to encode it.

TrackBar

The TrackBar extension’s TrackBarSettings.EncodeHtml property specifies whether to encode the following property values:

Text of individual items
Tooltip of individual items
TrackBarSettings.Properties.Caption
TrackBarSettings.Properties.CaptionSettings.OptionalMark
TrackBarSettings.Properties.CaptionSettings.RequiredMark

TreeList

The TreeList extension’s TreeListSettings.PreviewEncodeHtml property specifies whether to encode text strings displayed in preview rows. The TreeListSettings.SettingsBehavior.EncodeErrorHtml property specifies whether to encode the extension’s error texts.

Set a column‘s PropertiesEdit.EncodeHtml property to true to encode column cell values.

TreeView

The TreeView extension’s TreeViewSettings.EncodeHtml property specifies whether to encode Text of individual nodes.

ValidationSummary

The ValidationSummary extension’s ValidationSummarySettings.EncodeHtml property specifies whether to encode the ValidationSummarySettings.HeaderText property value.

The extension summarizes validation errors from multiple editors and displays them in a single block. Set an editor’s EncodeHtml property to true to encode the editor’s error text in the ValidationSummary extension.

VerticalGrid

The VerticalGrid extension’s VerticalGridSettings.SettingsBehavior.EncodeErrorHtml property specifies whether to encode error texts. A row‘s PropertiesEdit.EncodeHtml property specifies whether to encode row cell values.

Set the VerticalGridSettings.SettingsCommandButton.EncodeHtml property to true to encode text strings displayed in command buttons.