Which ASP.NET Controls Need HTML Encoding?
RV here...
Last time we saw some real-world XSS examples. This time we will look at which common ASP.NET controls require encoding. Some ASP.NET controls automatically encode certain properties when they render, but not all of them do, and the behaviour differs from property to property. We reviewed the ASP.NET controls during AntiXss development, and the table below lists some common controls whose properties need HTML encoding before untrusted data is assigned to them.
| Control Name | Property Name | Encoding Type |
|---|---|---|
| System.Web.UI.Page | Title | HTML |
| System.Web.UI.WebControls.CheckBox | Text | HTML |
| System.Web.UI.WebControls.CompareValidator | Text | HTML |
| System.Web.UI.WebControls.CustomValidator | Text | HTML |
| System.Web.UI.WebControls.DropDownList | Text | HTML |
| System.Web.UI.WebControls.HyperLink | Text | HTML |
| System.Web.UI.WebControls.Label | Text | HTML |
| System.Web.UI.WebControls.LinkButton | Text | HTML |
| System.Web.UI.WebControls.ListBox | Text | HTML |
| System.Web.UI.WebControls.ListControl | Text | HTML |
| System.Web.UI.WebControls.Literal | Text | HTML |
| System.Web.UI.WebControls.RadioButton | Text | HTML |
| System.Web.UI.WebControls.RadioButtonList | Text | HTML |
| System.Web.UI.WebControls.RangeValidator | Text | HTML |
| System.Web.UI.WebControls.RegularExpressionValidator | Text | HTML |
| System.Web.UI.WebControls.RequiredFieldValidator | Text | HTML |
Any time you pass data to these properties, encode it first with the AntiXss.HtmlEncode method. Note that the encoding type in the table is HTML because of the particular properties listed; not every property needs HTML encoding. For example, HyperLink.Text needs HTML encoding, whereas HyperLink.NavigateUrl needs URL encoding (AntiXss.UrlEncode), because that value ends up inside a URL rather than in element content. AntiXss is available as a free download on MSDN. There are many other controls that need encoding; Sacha's blog post attaches the full list of controls and properties, so check out the attachments of that post.
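As an added example (not code from the original post or from the AntiXss library itself), here is a code-behind that feeds a query-string value into three of the properties from the table plus a HyperLink URL, first the unsafe way and then through AntiXss. The page name, control IDs, the `name` parameter and the profile page URL are assumptions made for this illustration.

```csharp
// Added example, not part of the original post. Assumed markup in Greeting.aspx:
//   <head runat="server"><title></title></head>
//   <asp:Label ID="lblGreeting" runat="server" />
//   <asp:HyperLink ID="lnkProfile" runat="server" />
//   <asp:TextBox ID="txtName" runat="server" />
//   <asp:RequiredFieldValidator ID="reqName" runat="server" ControlToValidate="txtName" />
using System;
using System.Web.UI;
using Microsoft.Security.Application;   // AntiXss library: static AntiXss class

public partial class Greeting : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // Attacker-controlled input, e.g. ?name=<script>alert(document.cookie)</script>
        string name = Request.QueryString["name"] ?? string.Empty;

        // Vulnerable: none of these properties encode on render, so the
        // script element is written into the page exactly as received.
        //   Page.Title       = name;
        //   lblGreeting.Text = "Hello, " + name;
        //   lnkProfile.Text  = name;

        // Fixed: HTML-encode before assigning to a property that is rendered
        // as element content. '<' becomes &lt; and the browser shows text.
        Page.Title = AntiXss.HtmlEncode(name);
        lblGreeting.Text = "Hello, " + AntiXss.HtmlEncode(name);
        lnkProfile.Text = AntiXss.HtmlEncode(name);

        // A value that goes into a URL needs URL encoding instead. HtmlEncode
        // would leave '&', '=' and '#' untouched, so an attacker could add
        // or override query parameters of the link target.
        lnkProfile.NavigateUrl = "~/profile.aspx?user=" + AntiXss.UrlEncode(name);

        // Validator text is usually a developer-supplied constant, but when it
        // is built from data it is rendered unencoded like the others above.
        reqName.Text = AntiXss.HtmlEncode("Please enter a name other than " + name);
    }
}
```

Encode once, at the point where the value meets the output context: a property in the table does no encoding of its own, so the value you assign is what the browser receives, whereas encoding a value that a control already encodes (TextBox.Text, for example, is encoded when rendered into the input's `value` attribute) shows up to the user as literal `&amp;lt;`. Literal is the one control in the table with an escape hatch of its own, `Mode="Encode"`, but the rest have no such switch and rely on the caller.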
Comments
- Anonymous, September 16, 2008
  PingBack from http://blog.a-foton.ru/2008/09/which-aspnet-controls-need-html-encoding/

- Anonymous, September 17, 2008
  Ever wonder which controls need HTML encoding? This is a developer nightmare. We have looked at some

- Anonymous, September 17, 2008
  The comment has been removed

- Anonymous, January 30, 2009
  The file provided on http://www.microsoft.com/mspress/companion/0-7356-2187-X/ is out of date and my post provides the update to that exact content. This is also mentioned in the blog post.