Which ASP.NET Controls Automatically Encode?

I've had a lot of people ask me which ASP.NET controls offer automatic HTML encoding, and for a long time my answer was to look at MSDN or to write a quick sample and test the behavior. If you are asking yourself the same question, you can now use the attached document to see whether a control offers the appropriate encoding. The document lists all ASP.NET controls and which of their properties offer HTML, script or URL encoding. You can also see which HTML attribute each property is bound to. This document is quite useful when you are reviewing your code for possible Cross-Site Scripting (XSS) or double encoding problems.
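As an added illustration that is not part of the post or the attached document, the snippet below models one row of that table (a hypothetical `propertyEncodes` flag saying whether the control property HTML-encodes on its own) and shows the two review findings the table helps you spot: markup passed through unencoded, and a value encoded twice because both the developer and the property encoded it.

```csharp
using System;
using System.Net;
using System.Text.RegularExpressions;

static class EncodingReview
{
    // Simulates what reaches the browser for one control property.
    // propertyEncodes: the property HTML-encodes automatically (as listed in the table).
    // developerEncodes: the developer also called HtmlEncode before assigning the value.
    public static string Render(string value, bool propertyEncodes, bool developerEncodes)
    {
        string s = developerEncodes ? WebUtility.HtmlEncode(value) : value;
        return propertyEncodes ? WebUtility.HtmlEncode(s) : s;
    }

    // Review heuristic: an entity whose own ampersand got encoded again
    // (e.g. "&amp;lt;") is the signature of double encoding.
    static readonly Regex DoubleEncoded =
        new Regex(@"&amp;(lt|gt|quot|amp|#\d+);", RegexOptions.Compiled);

    public static bool IsDoubleEncoded(string html) => DoubleEncoded.IsMatch(html);

    // Review heuristic: a raw '<' from untrusted input survived into the output.
    public static bool IsUnencoded(string html) => html.IndexOf('<') >= 0;

    static void Main()
    {
        // Constructed test input containing markup, standing in for untrusted user data.
        const string input = "<b>x</b>";

        foreach (bool propertyEncodes in new[] { false, true })
        foreach (bool developerEncodes in new[] { false, true })
        {
            string html = Render(input, propertyEncodes, developerEncodes);
            string verdict = IsUnencoded(html)     ? "XSS risk: not encoded"
                           : IsDoubleEncoded(html) ? "double encoded"
                           : "ok";
            Console.WriteLine(
                $"propertyEncodes={propertyEncodes,-5} developerEncodes={developerEncodes,-5} " +
                $"-> {html,-34} {verdict}");
        }
    }
}
```

Only the two rows where exactly one side encodes come out "ok"; the table tells you which side that should be for a given property.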

Side note

I was made aware that the initial content was provided as part of the companion content for the excellent book Hunting for Security Bugs, available at https://www.microsoft.com/mspress/companion/0-7356-2187-X/. The file attached to this post is indeed based on the same content, since I received it internally from the author's team. I found some slight issues and made some changes. I recommend the file I provide until the book companion content gets updated.

asp.net_control_encoding.htm

Comments

  • Anonymous
    September 02, 2008
    To be honest, it's rather incomprehensible why a control called Literal (I mean, it's right there in the name) escapes by default, but something innocuously called Label doesn't!

  • Anonymous
    September 03, 2008
    Can you post a list of ASP.NET server controls that don't need to be wrapped by a <form> tag on the page?

  • Anonymous
    September 18, 2008
    In my previous post , I provided a list of which ASP.NET HTML control property that offers automatic

  • Anonymous
    October 09, 2008
    Sacha, great post!! I reckon this list is for the 3.5 framework controls? Furthermore, do you know if it's possible to make the controls use the AntiXSS library instead of standard HtmlEncoding?

  • Anonymous
    January 15, 2014
    In MVC there is an HTML helper to interpret HTML special characters. It is @Html.Raw(Variable)

  • Anonymous
    August 14, 2015
    Why isn't this encoding information part of the documentation of each property?