Which ASP.NET Controls Automatically Encode?


I’ve had a lot of people ask me which ASP.NET controls offer automatic HTML encoding, and the answer I had for a long time was to look at MSDN or even write a quick sample and test the behavior. If you are asking yourself the same question, you can now use the attached document to see if the control is offering the appropriate encoding. The document lists all ASP.NET controls and which properties offer HTML, script or URL encoding. You can also see which HTML attribute each property is bound to. This document is quite useful when you are reviewing your code for possible Cross-Site Scripting (XSS) or double-encoding problems.


Side note


I was made aware that the initial content was provided as part of the companion content for the excellent book Hunting for Security bugs, available at http://www.microsoft.com/mspress/companion/0-7356-2187-X/. The file attached to this post is indeed based on the same content, since I received it internally from the author’s team. I found some slight issues and made some changes. I recommend the file I provide until the book companion content gets updated.

asp.net_control_encoding.htm

Comments (6)

  1. int19h says:

    To be honest, it’s rather incomprehensible why a control called Literal (I mean, it’s right there in the name) escapes by default, but something innocuously called Label doesn’t!

  2. dpwebs says:

    Can you post a list of ASP.NET server controls that don’t need to be wrapped by a <form> tag on the page?

  3. In my previous post, I provided a list of which ASP.NET HTML control property that offers automatic

  4. owingruters says:

    Sacha,

    Great post!!

    I reckon this list is for the 3.5 framework controls?

    Furthermore, do you know if it’s possible to make the controls use the AntiXSS library instead of standard HtmlEncoding?

  5. Superman 7 says:

    In MVC there exists an HTML helper to interpret HTML special characters. This is @Html.Raw(Variable)

  6. Chris Conti says:

    Why isn't this encoding information part of the documentation of each property?
