Which ASP.NET Controls Need HTML Encoding?


RV here…

Last time we saw some real world XSS examples. This time we will look at which common ASP.NET controls require encoding. Some ASP.NET controls automatically encode certain properties when they render, but not all controls do so. We reviewed the ASP.NET controls during AntiXss development, and here are some common controls whose properties need HTML encoding.

Control Name                                          Property Name   Encoding Type
----------------------------------------------------  --------------  -------------
System.Web.UI.Page                                    Title           HTML
System.Web.UI.WebControls.CheckBox                    Text            HTML
System.Web.UI.WebControls.CompareValidator            Text            HTML
System.Web.UI.WebControls.CustomValidator             Text            HTML
System.Web.UI.WebControls.DropDownList                Text            HTML
System.Web.UI.WebControls.HyperLink                   Text            HTML
System.Web.UI.WebControls.Label                       Text            HTML
System.Web.UI.WebControls.LinkButton                  Text            HTML
System.Web.UI.WebControls.ListBox                     Text            HTML
System.Web.UI.WebControls.ListControl                 Text            HTML
System.Web.UI.WebControls.Literal                     Text            HTML
System.Web.UI.WebControls.RadioButton                 Text            HTML
System.Web.UI.WebControls.RadioButtonList             Text            HTML
System.Web.UI.WebControls.RangeValidator              Text            HTML
System.Web.UI.WebControls.RegularExpressionValidator  Text            HTML
System.Web.UI.WebControls.RequiredFieldValidator      Text            HTML

Any time you pass data to these properties, it should be encoded with the AntiXss.HtmlEncode method. Note that the above table lists the encoding type as HTML; not all properties need HTML encoding. For example, HyperLink.Text needs HTML encoding, whereas HyperLink.NavigateUrl needs URL encoding. AntiXss is available as a free download on MSDN. There are many other controls which need encoding. Sacha, in his blog post, attaches the list of all controls which need encoding. Check out the blog post attachments.
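As an added example (not code from this post or from the AntiXss project), here is a code-behind that applies the rule above to a Label and a HyperLink, showing the HTML-versus-URL distinction for the two HyperLink properties. The page, control IDs and query-string parameters are hypothetical, and the namespace is assumed to be Microsoft.Security.Application as shipped in the AntiXss download.

```csharp
using System;
using System.Web.UI;
using System.Web.UI.WebControls;
using Microsoft.Security.Application; // AntiXss library namespace (assumed from the MSDN download)

// Hypothetical page. Assumed markup in the matching .aspx:
//   <asp:Label     ID="GreetingLabel" runat="server" />
//   <asp:HyperLink ID="SearchLink"    runat="server" />
public partial class ProfilePage : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // Untrusted input: both values come straight from the query string.
        string displayName = Request.QueryString["name"] ?? string.Empty;
        string searchTerm = Request.QueryString["q"] ?? string.Empty;

        // VULNERABLE (left commented out): Label.Text is rendered verbatim,
        // so any markup inside "name" becomes part of the page.
        // GreetingLabel.Text = "Hello, " + displayName;

        // Hardened: Label.Text lands in HTML content, so HTML-encode it.
        GreetingLabel.Text = "Hello, " + AntiXss.HtmlEncode(displayName);

        // HyperLink needs two different encodings for two different properties:
        // Text is rendered as HTML content, NavigateUrl is emitted as the href URL.
        SearchLink.Text = "Results for " + AntiXss.HtmlEncode(searchTerm);
        SearchLink.NavigateUrl = "Search.aspx?q=" + AntiXss.UrlEncode(searchTerm);
    }
}
```

Using HtmlEncode on NavigateUrl would not be a correct substitute: a value placed in a query string needs URL encoding, which is why the table's "Encoding Type" column matters and not just the property name.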

Comments (4)

  1. Anonymous says:

    Ever wonder which controls need HTML encoding, this is a developer nightmare. We have looked at some

  2. Anonymous says:

    I tried to post a comment on Sacha’s blog, but it was never approved.  In summary, his post was a direct copy of the material available from the Microsoft Press book, "Hunting Security Bugs".

    It is available instead of HTML, as an Excel spreadsheet, from http://www.microsoft.com/mspress/companion/0-7356-2187-X/

    I have been using it for years for this purpose, and I have heard that others have as well.

    I also said that it would be nice to identify sources and sinks in that spreadsheet format, without having to dig into the XSSDetect tool or Guidance Explorer.  As you state, it would be also nice to know which type of encoding (URL, HTML, or Script) needs application and where.

  3. TheFaust says:

    The file provided on http://www.microsoft.com/mspress/companion/0-7356-2187-X/ is out of date and my post provides the update to that exact content. This is also mentioned in the blog post.