Which ASP.NET Controls Need HTML Encoding?
RV here...
Last time we saw some real-world XSS examples. This time we will look at which common ASP.NET controls require encoding. Some ASP.NET controls automatically encode certain properties when rendered, but not all controls do. We looked at ASP.NET controls during AntiXss development, and here are some common controls which need HTML encoding.
Control Name | Property Name | Encoding Type |
System.Web.UI.Page | Title | HTML |
System.Web.UI.WebControls.CheckBox | Text | HTML |
System.Web.UI.WebControls.CompareValidator | Text | HTML |
System.Web.UI.WebControls.CustomValidator | Text | HTML |
System.Web.UI.WebControls.DropDownList | Text | HTML |
System.Web.UI.WebControls.HyperLink | Text | HTML |
System.Web.UI.WebControls.Label | Text | HTML |
System.Web.UI.WebControls.LinkButton | Text | HTML |
System.Web.UI.WebControls.ListBox | Text | HTML |
System.Web.UI.WebControls.ListControl | Text | HTML |
System.Web.UI.WebControls.Literal | Text | HTML |
System.Web.UI.WebControls.RadioButton | Text | HTML |
System.Web.UI.WebControls.RadioButtonList | Text | HTML |
System.Web.UI.WebControls.RangeValidator | Text | HTML |
System.Web.UI.WebControls.RegularExpressionValidator | Text | HTML |
System.Web.UI.WebControls.RequiredFieldValidator | Text | HTML |
Any time you pass data to these properties, it should be encoded with the AntiXss.HtmlEncode method. Note that the table above lists the encoding type as HTML, but not all properties need HTML encoding. For example, HyperLink.Text needs HTML encoding, whereas HyperLink.NavigateUrl needs URL encoding. AntiXss is available as a free download on MSDN. There are many other controls which need encoding. Sacha, in his blog post, attaches the list of all controls which need encoding. Check out the blog post attachments.
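
As an added illustration (not code from the original post), here is a code-behind that encodes untrusted input before assigning it to several of the properties in the table, and URL-encodes the value placed in HyperLink.NavigateUrl. The page name, control IDs and the "name" query-string parameter are assumptions made for the example.

```csharp
using System;
using System.Web.UI;
using Microsoft.Security.Application; // AntiXss library

// Assumed markup in a hypothetical Profile.aspx:
//   <asp:Label     ID="GreetingLabel" runat="server" />
//   <asp:CheckBox  ID="SubscribeBox"  runat="server" />
//   <asp:HyperLink ID="SearchLink"    runat="server" />
public partial class Profile : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // Untrusted input: hypothetical "name" query-string parameter.
        string name = Request.QueryString["name"] ?? string.Empty;

        // What to avoid: Label.Text is rendered as-is, so any markup
        // contained in 'name' would be sent to the browser unchanged.
        // GreetingLabel.Text = "Hello, " + name;

        // HTML-encode once, then reuse for every property the table
        // lists with encoding type "HTML".
        string safeName = AntiXss.HtmlEncode(name);

        Title              = "Profile: " + safeName;         // Page.Title
        GreetingLabel.Text = "Hello, " + safeName;           // Label.Text
        SubscribeBox.Text  = "Send updates to " + safeName;  // CheckBox.Text
        SearchLink.Text    = "Posts by " + safeName;         // HyperLink.Text

        // HyperLink.NavigateUrl needs URL encoding instead. Encode only
        // the untrusted value, not the fixed part of the URL, otherwise
        // the separators ('/', '?', '=') are encoded too and the link breaks.
        SearchLink.NavigateUrl =
            "~/Search.aspx?author=" + AntiXss.UrlEncode(name);
    }
}
```

Encode at the point of assignment, using the raw value as input each time; passing an already HTML-encoded string to UrlEncode would put the HTML entities into the query string.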