HTML Encoding

A website's rendered output should be HTML encoded within a page to protect it from cross-site scripting (XSS) attacks. This means that a page's HTML content should not contain potentially unsafe tags like <script> or <img> (for example, <img onload=...>).

Use the EncodeHtml property to HTML encode a DevExpress web control's value and element content. If the control's EncodeHtml property is set to true, the control's value and element content that contain HTML code are parsed, and the angle brackets of HTML tags (the characters < and >) are converted to their character references (&lt; and &gt;) when the control renders its value and elements to the page. The browser therefore displays the HTML code as text instead of interpreting it as markup. Note that the EncodeHtml property does not encode the control's value and elements specified on the client side.

The tables below list, for each DevExpress control, the control elements for which the corresponding EncodeHtml property is in effect, together with the elements it does not cover:

ASPxGridView, ASPxCardView, ASPxVerticalGrid, ASPxTreeList and ASPxFilterControl controls do not provide the EncodeHtml property. Set a column's EncodeHtml property to true to HTML encode data columns' Field values in these controls.
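The server-side behavior described above, as an added C# code-behind example that is not part of this documentation page or of the DevExpress library itself. It assumes a WebForms page whose `<form runat="server">` is named `form1`, that `ASPxLabel` exposes an `EncodeHtml` property, and that a grid column's EncodeHtml property is reached through the column's `PropertiesEdit` (EditPropertiesBase.EncodeHtml); the untrusted value is constructed for the example.

```csharp
// Added example, not DevExpress's own code: applying EncodeHtml to a label value and to
// the Field values of an ASPxGridView column so that untrusted text is shown, not executed.
using System;
using DevExpress.Web;

public partial class EncodeHtmlDemo : System.Web.UI.Page
{
    // Constructed untrusted input standing in for a value read from a database or request.
    private const string UntrustedValue = "<b>Alice</b><script>notify()</script>";

    protected void Page_Load(object sender, EventArgs e)
    {
        // ASPxLabel.EncodeHtml (assumed property name): with the property set to true the
        // angle brackets are rendered as &lt; and &gt;, so the browser shows the markup
        // as literal text instead of executing the <script> element.
        ASPxLabel label = new ASPxLabel();
        label.ID = "label";
        label.EncodeHtml = true;
        label.Text = UntrustedValue;
        form1.Controls.Add(label);

        // ASPxGridView has no control-level EncodeHtml property; the page says to set the
        // column's EncodeHtml property instead. It is assumed here to be the
        // EditPropertiesBase.EncodeHtml property exposed through PropertiesEdit.
        ASPxGridView grid = new ASPxGridView();
        grid.ID = "grid";
        GridViewDataTextColumn nameColumn = new GridViewDataTextColumn("Name");
        nameColumn.PropertiesEdit.EncodeHtml = true;   // encodes this column's Field values
        grid.Columns.Add(nameColumn);

        // Constructed data source with the same untrusted value in the Name field.
        grid.DataSource = new[] { new { Name = UntrustedValue } };
        grid.DataBind();
        form1.Controls.Add(grid);
    }
}
```

With both properties set to true the rendered page contains `&lt;script&gt;notify()&lt;/script&gt;` in the label and in the grid cell; with either property set to false the same value reaches the browser as raw markup, which is the cross-site scripting exposure the page warns about.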

ASPxWebControl.EncodeHtml Property

| DevExpress Web Control | Web control's element(s) for which the ASPxWebControl.EncodeHtml property is in effect | Notes |
|---|---|---|
| ASPxButton | ASPxButton.Text | |
| ASPxCaptcha | CaptchaValidationSettings.ErrorText; ValidationSettings.RequiredField.ErrorText (ValidationPattern.ErrorText); RefreshButtonProperties.Text; CaptchaTextBoxProperties.LabelText | If the ASPxWebControl.EncodeHtml property is false, the control's null text (CaptchaTextBoxProperties.NullText) is not executed; it is converted into the corresponding text for display purposes. |
| ASPxBinaryImage | ASPxEditBase.Caption; CaptionSettings.RequiredMark (EditorCaptionSettings.RequiredMark); CaptionSettings.OptionalMark (EditorCaptionSettings.OptionalMark) | |
| ASPxValidationSummary | ASPxValidationSummary.HeaderText | To encode an error text within the ASPxValidationSummary, set the EncodeHtml property of the corresponding editor to true. |
| ASPxHtmlEditor | ContextMenuItems[i].Text (HtmlEditorContextMenuItem.Text); ValidationSettings.ErrorText; ValidationSettings.RequiredField.ErrorText (ValidationPattern.ErrorText) | |
| ASPxDataView | ASPxPager's button texts | The ASPxWebControl.EncodeHtml property is not in effect for the ASPxDataView's item content. Because the item content is defined using templates, encode the template HTML using the HttpUtility.HtmlEncode method. The property is also not in effect for the DataViewPagerSettings.ShowMoreItemsText and ASPxDataViewBase.EmptyDataText properties; these values are not HTML encoded and are rendered as pure HTML markup. |
| ASPxPager | AllButton.Text, FirstPageButton.Text, LastPageButton.Text, NextPageButton.Text, PrevPageButton.Text (PagerButtonProperties.Text) | The ASPxWebControl.EncodeHtml property is not in effect for the page size item's caption (PageSizeItemSettings.Caption). This value is not HTML encoded and is rendered as pure HTML markup. |
| ASPxHeadline | ASPxHeadline.ContentText; ASPxHeadline.HeaderText | The ASPxWebControl.EncodeHtml property is not in effect for the control's tail text (ASPxHeadline.TailText). This value is not HTML encoded and is rendered as pure HTML markup. The ASPxHeadline.MaxLength and ASPxHeadline.TailPosition (when set to KeepWithLastWord) properties are not in effect if the ASPxWebControl.EncodeHtml property is set to false. |
| ASPxHint | ASPxHint.Content; ASPxHint.Title | The ASPxWebControl.EncodeHtml property is not in effect for hint content specified on the client side. |
| ASPxNewsControl | Items[i].HeaderText (NewsItem.HeaderText); Items[i].Text (NewsItem.Text); ASPxPager's button texts | The ASPxWebControl.EncodeHtml property is not in effect for the HeadlineSettings.TailText and ASPxDataViewBase.EmptyDataText properties. These values are not HTML encoded and are rendered as pure HTML markup. The ItemSettings.MaxLength (ASPxHeadline.MaxLength) and ItemSettings.TailPosition (HeadlineSettings.TailPosition, when set to KeepWithLastWord) properties are not in effect if the ASPxWebControl.EncodeHtml property is set to false. |
| ASPxImageGallery | Items[i].Text (ImageGalleryItem.Text); Items[i].FullScreenViewerText (ImageGalleryItem.FullscreenViewerText) | The ASPxWebControl.EncodeHtml property is not in effect for the ASPxDataViewBase.EmptyDataText and ImageGalleryPagerSettings.ShowMoreItemsText properties. These values are not HTML encoded and are rendered as pure HTML markup. |
| ASPxImageSlider | Items[i].Text (ImageSliderItem.Text) | |
| ASPxMenu | Items[i].Text (MenuItem.Text) | |
| ASPxPopupMenu | Items[i].Text (MenuItem.Text) | |
| ASPxNavBar | Groups[i].Text (NavBarGroup.Text); Groups[i].Items[i].Text (NavBarItem.Text) | |
| ASPxPopupControl | ASPxPopupControlBase.HeaderText; ASPxPopupControlBase.FooterText; ASPxPopupControlBase.Text | |
| ASPxPageControl | TabPages[i].Text (TabBase.Text) | |
| ASPxTabControl | Tabs[i].Text (TabBase.Text) | |
| ASPxCloudControl | Items[i].Text (CloudControlItem.Text) | The ASPxWebControl.EncodeHtml property is not in effect for the ASPxCloudControl.ItemBeginText and ASPxCloudControl.ItemEndText properties. These values are not HTML encoded and are rendered as pure HTML markup. |
| ASPxTitleIndex | Items[i].Text (TitleIndexItem.Text) | The ASPxWebControl.EncodeHtml property is not in effect for the ASPxTitleIndex.NoDataText, FilterBox.Caption and FilterBox.InfoText properties. These values are not HTML encoded and are rendered as pure HTML markup. |
| ASPxRibbon | Tabs[i].Text (RibbonTab.Text); Tabs[i].Groups[i].Text (RibbonGroup.Text); Tabs[i].Groups[i].Items[i].Text (RibbonItemBase.Text) | |
| ASPxUploadControl | AddButton.Text, UploadButton.Text, RemoveButton.Text, BrowseButton.Text, CancelButton.Text (UploadControlButtonPropertiesBase.Text) | |
| ASPxTreeView | Nodes[i].Text (TreeViewNode.Text) | |
| ASPxRoundPanel | ASPxWebControl.EncodeHtml | The ASPxWebControl.EncodeHtml property is not in effect for the ASPxRoundPanel.HeaderText property. This value is not HTML encoded and is rendered as pure HTML markup. |
| ASPxSpreadsheet | Elements of the ribbon and popup control | The control's content is encoded. |
| ASPxRichEdit | Elements of the ribbon and popup control | |

EditPropertiesBase.EncodeHtml Property

| DevExpress Web Control | Editor's element(s) for which the EditPropertiesBase.EncodeHtml property is in effect | Notes |
|---|---|---|
| ASPxCalendar | ASPxCalendar.ClearButtonText; ASPxCalendar.TodayButtonText; CalendarFastNavProperties.CancelButtonText; CalendarFastNavProperties.OkButtonText; ValidationSettings.ErrorText | |
| ASPxLabel | ASPxLabel.Text | |
| ASPxHyperLink | ASPxHyperLink.Text | |
| ASPxCheckBox | ASPxCheckBox.Text; ValidationSettings.ErrorText; ValidationSettings.RequiredField.ErrorText (ValidationPattern.ErrorText) | |
| ASPxRadioButton | ASPxCheckBox.Text; ValidationSettings.ErrorText; ValidationSettings.RequiredField.ErrorText (ValidationPattern.ErrorText) | |
| ASPxCheckBoxList | Items[i].Text (ListEditItem.Text); Items[i].Value (ListEditItem.Value); ValidationSettings.ErrorText; ValidationSettings.RequiredField.ErrorText (ValidationPattern.ErrorText) | |
| ASPxRadioButtonList | Items[i].Text (ListEditItem.Text); Items[i].Value (ListEditItem.Value); ValidationSettings.ErrorText; ValidationSettings.RequiredField.ErrorText (ValidationPattern.ErrorText); CaptionSettings.RequiredMark (EditorCaptionSettings.RequiredMark); CaptionSettings.OptionalMark (EditorCaptionSettings.OptionalMark) | |
| ASPxColorEdit | Buttons[i].Text (EditButton.Text); ASPxEditBase.Caption; ASPxTextEdit.HelpText; DropDownButton.Text (EditButton.Text); ClearButton.Text (EditButton.Text) | If the EditPropertiesBase.EncodeHtml property is set to false, the color editor's value (ASPxColorEdit.Value), null text (ASPxColorEdit.NullText) and OK/Cancel button texts (ASPxColorEdit.CancelButtonText/ASPxColorEdit.OkButtonText) are not executed and are converted into the corresponding text for display purposes. |
| ASPxSpinEdit | ASPxSpinEdit.Value; ASPxEditBase.Caption; ASPxTextEdit.HelpText; Buttons[i].Text (EditButton.Text); ClearButton.Text (EditButton.Text); ValidationSettings.ErrorText; ValidationSettings.RequiredField.ErrorText (ValidationPattern.ErrorText); CaptionSettings.RequiredMark (EditorCaptionSettings.RequiredMark); CaptionSettings.OptionalMark (EditorCaptionSettings.OptionalMark) | If the EditPropertiesBase.EncodeHtml property is set to false, the editor's null text (ASPxSpinEdit.NullText) is not executed and is converted into the corresponding text for display purposes. |
| ASPxComboBox | Items[i].Text (ListEditItem.Text); Buttons[i].Text (EditButton.Text); ASPxTextEdit.HelpText; DropDownButton.Text (EditButton.Text); ClearButton.Text (EditButton.Text); ValidationSettings.ErrorText; ValidationSettings.RequiredField.ErrorText (ValidationPattern.ErrorText); CaptionSettings.RequiredMark (EditorCaptionSettings.RequiredMark); CaptionSettings.OptionalMark (EditorCaptionSettings.OptionalMark) | If the EditPropertiesBase.EncodeHtml property is set to false, the editor's null text (ASPxAutoCompleteBoxBase.NullText) is not executed and is converted into the corresponding text for display purposes. For better security, we recommend using the editor's Item Template and the ItemTextCellPrepared and ItemRowPrepared events instead of the EditPropertiesBase.EncodeHtml property; use the HttpUtility.HtmlEncode method to encode the template's content. |
| ASPxTokenBox | ASPxTokenBox.Tokens; ListEditItem.Text; ListEditItem.Value; ASPxEditBase.Caption; ASPxTextEdit.HelpText | If the EditPropertiesBase.EncodeHtml property is set to false, the editor's null text (ASPxTextBox.NullText) is not executed and is converted into the corresponding text for display purposes. For better security, we recommend using the editor's Item Template and the ItemTextCellPrepared and ItemRowPrepared events instead of the EditPropertiesBase.EncodeHtml property; use the HttpUtility.HtmlEncode method to encode the template's content. |
| ASPxListBox | Items[i].Text (ListEditItem.Text); Items[i].Value (ListEditItem.Value); ASPxEditBase.Caption; ValidationSettings.ErrorText; ValidationSettings.RequiredField.ErrorText (ValidationPattern.ErrorText); CaptionSettings.RequiredMark (EditorCaptionSettings.RequiredMark); CaptionSettings.OptionalMark (EditorCaptionSettings.OptionalMark) | For better security, we recommend using the editor's Item Template and the ItemTextCellPrepared and ItemRowPrepared events instead of the EditPropertiesBase.EncodeHtml property; use the HttpUtility.HtmlEncode method to encode the template's content. |
| ASPxDateEdit | ASPxEditBase.Caption; ASPxTextEdit.HelpText; Buttons[i].Text (EditButton.Text); DropDownButton.Text (EditButton.Text); ClearButton.Text (EditButton.Text); ValidationSettings.ErrorText; ValidationSettings.RequiredField.ErrorText (ValidationPattern.ErrorText); CaptionSettings.RequiredMark (EditorCaptionSettings.RequiredMark); CaptionSettings.OptionalMark (EditorCaptionSettings.OptionalMark); CalendarProperties.ClearButtonText; CalendarProperties.TodayButtonText; DateEditTimeSectionProperties.OkButtonText; DateEditTimeSectionProperties.CancelButtonText; CalendarFastNavProperties.OkButtonText | If the EditPropertiesBase.EncodeHtml property is set to false, the editor's null text (ASPxDateEdit.NullText) is not executed and is converted into the corresponding text for display purposes. |
| ASPxDropDownEdit | ASPxEditBase.Caption; ASPxTextEdit.HelpText; Buttons[i].Text (EditButton.Text); DropDownButton.Text (EditButton.Text); ClearButton.Text (EditButton.Text); ValidationSettings.ErrorText; ValidationSettings.RequiredField.ErrorText (ValidationPattern.ErrorText); CaptionSettings.RequiredMark (EditorCaptionSettings.RequiredMark); CaptionSettings.OptionalMark (EditorCaptionSettings.OptionalMark) | If the EditPropertiesBase.EncodeHtml property is set to false, the editor's value (ASPxTextEdit.Text) and null text (ASPxDropDownEdit.NullText) are not executed and are converted into the corresponding texts for display purposes. |
| ASPxTimeEdit | ASPxEditBase.Caption; ASPxTextEdit.HelpText; Buttons[i].Text (EditButton.Text); ClearButton.Text (EditButton.Text); ValidationSettings.ErrorText; ValidationSettings.RequiredField.ErrorText (ValidationPattern.ErrorText); CaptionSettings.RequiredMark (EditorCaptionSettings.RequiredMark); CaptionSettings.OptionalMark (EditorCaptionSettings.OptionalMark) | If the EditPropertiesBase.EncodeHtml property is set to false, the editor's value (ASPxTimeEdit.Value) and null text (ASPxTimeEdit.NullText) are not executed and are converted into the corresponding texts for display purposes. |
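The recommendation given for ASPxComboBox, ASPxTokenBox and ASPxListBox above (encode item text yourself with HttpUtility.HtmlEncode in the item-preparation events rather than relying on EditPropertiesBase.EncodeHtml), as an added C# code-behind example that is not part of this documentation page or of the DevExpress library. It assumes a `<form runat="server">` named `form1`, that `ASPxComboBox` exposes `EncodeHtml` directly, and that the `ItemTextCellPrepared` handler receives an event argument with `Item` (the ListEditItem) and `TextCell` (the cell the text is rendered into); the item texts are constructed.

```csharp
// Added example, not DevExpress's own code: encoding ASPxComboBox item text explicitly in
// the ItemTextCellPrepared event so that the encoding step is visible in application code.
using System;
using System.Web;
using DevExpress.Web;

public partial class ComboBoxEncodingDemo : System.Web.UI.Page
{
    // Constructed item texts standing in for values loaded from a data source.
    private static readonly string[] ItemTexts =
    {
        "Plain item",
        "<i>Italic</i> item",
        "<script>notify()</script>"
    };

    protected void Page_Load(object sender, EventArgs e)
    {
        ASPxComboBox combo = new ASPxComboBox();
        combo.ID = "combo";

        // The handler below encodes every item text itself. EncodeHtml is therefore turned
        // off here (assumed property path) so the text is not encoded a second time.
        combo.EncodeHtml = false;
        combo.ItemTextCellPrepared += Combo_ItemTextCellPrepared;

        foreach (string text in ItemTexts)
            combo.Items.Add(text);

        form1.Controls.Add(combo);   // form1: the page's <form runat="server"> (assumed)
    }

    // Assumed event argument shape: e.Item is the ListEditItem, e.TextCell is the cell that
    // renders its text. HttpUtility.HtmlEncode turns < and > into &lt; and &gt;, so the
    // third item is displayed as literal text rather than interpreted as a script element.
    private void Combo_ItemTextCellPrepared(object sender, ListBoxItemTextCellPreparedEventArgs e)
    {
        e.TextCell.Text = HttpUtility.HtmlEncode(e.Item.Text);
    }
}
```

The same HttpUtility.HtmlEncode call is what the page asks for inside an Item Template: whatever expression produces the item text in the template is wrapped in HttpUtility.HtmlEncode before it is written to the page.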

ASPxMemo.EncodeHtml Property

| DevExpress Web Control | Web control's element(s) for which the ASPxMemo.EncodeHtml property is in effect | Notes |
|---|---|---|
| ASPxMemo | ASPxEditBase.Caption; ASPxTextEdit.HelpText; CaptionSettings.RequiredMark (EditorCaptionSettings.RequiredMark); CaptionSettings.OptionalMark (EditorCaptionSettings.OptionalMark); ValidationSettings.ErrorText; ValidationSettings.RequiredField.ErrorText (ValidationPattern.ErrorText) | If the ASPxMemo.EncodeHtml property is set to false, the editor's value (ASPxMemo.Text) and null text (ASPxMemo.NullText) are not executed and are converted into the corresponding texts for display purposes. |

ASPxFormLayout.EncodeHtml Property

| DevExpress Web Control | Web control's element(s) for which the ASPxFormLayout.EncodeHtml property is in effect |
|---|---|
| ASPxFormLayout | Items[i].Caption (LayoutItemBase.Caption) |

ASPxPivotGrid.EncodeHtml Property

| DevExpress Web Control | Web control's element(s) for which the ASPxPivotGrid.EncodeHtml property is in effect |
|---|---|
| ASPxPivotGrid | Cell values and column/row field values; pager button texts (see the ASPxPager row of the ASPxWebControl.EncodeHtml table above for the pager elements the EncodeHtml property covers) |

ASPxTextBoxBase.EncodeHtml Property

| DevExpress Web Control | Editor's element(s) for which the ASPxTextBoxBase.EncodeHtml property is in effect | Notes |
|---|---|---|
| ASPxTextBox | ASPxEditBase.Caption; ValidationSettings.ErrorText; ASPxTextEdit.HelpText | If the ASPxTextBoxBase.EncodeHtml property is set to false, the text box editor's value (ASPxTextEdit.Text) and null text (ASPxTextBox.NullText) are not executed and are converted into the corresponding texts for display purposes. |
| ASPxButtonEdit | ASPxEditBase.Caption; ValidationSettings.ErrorText; ASPxTextEdit.HelpText; Buttons[i].Text (EditButton.Text) | If the ASPxTextBoxBase.EncodeHtml property is set to false, the button edit editor's value (ASPxTextEdit.Text) and null text (ASPxButtonEdit.NullText) are not executed and are converted into the corresponding texts for display purposes. |
