Monday, March 26, 2012

HTML encoding of asp controls.

I find that the HTML encoding of asp web controls is inconsistent.

Say, I want to show the string "<script> alert("test") <script>". For a
"BoundColumn" used in DataGrid, I get a *real alert box* instead
of the string. In order for it to be shown correctly, I have to call
"Server.HtmlEncode" before setting the text.

But if I use the "asp:TextBox" control, I cannot call "Server.HtmlEncode"
before I set the text. Otherwise, I will see this on my web page: "<..."

Is there a general rule, or documentation of which controls do HTML
encoding automatically and which don't?

Thanks,
Guogang
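The asymmetry in the post can be handled without pre-encoding the data itself: encode at output time for the control that does not encode, and leave the control that does encode alone. The code-behind below is an added example, not code from the original post; it assumes a page with an `asp:DataGrid` named `DemoGrid` (AutoGenerateColumns="false", one `asp:BoundColumn DataField="Name"`) and an `asp:TextBox` named `DemoBox`.

```csharp
// Added example: output-encode DataGrid cells at render time instead of
// mutating the bound data, and assign raw text to a TextBox, which encodes
// its own value attribute when it renders.
using System;
using System.Web;
using System.Web.UI.WebControls;

public partial class EncodingDemo : System.Web.UI.Page
{
    // Constructed untrusted value standing in for user-supplied data.
    private const string Untrusted = "<script>alert(\"test\")</script>";

    protected void Page_Load(object sender, EventArgs e)
    {
        if (IsPostBack) return;

        // BoundColumn writes the field verbatim, so the encoding is applied
        // per cell in ItemDataBound; the data source stays unencoded and can
        // still be reused in non-HTML contexts.
        DemoGrid.ItemDataBound += DemoGrid_ItemDataBound;
        DemoGrid.DataSource = new[] { new { Name = Untrusted } };
        DemoGrid.DataBind();

        // TextBox encodes the value attribute itself. Pre-encoding here would
        // double-encode and show "&lt;script&gt;..." literally in the box.
        DemoBox.Text = Untrusted;
    }

    private void DemoGrid_ItemDataBound(object sender, DataGridItemEventArgs e)
    {
        // Only data rows carry bound values; skip header, footer, pager.
        if (e.Item.ItemType != ListItemType.Item &&
            e.Item.ItemType != ListItemType.AlternatingItem)
            return;

        foreach (TableCell cell in e.Item.Cells)
        {
            // BoundColumn substitutes "&nbsp;" for empty values; encoding it
            // would render "&amp;nbsp;", so leave that placeholder as-is.
            if (cell.Text == "&nbsp;") continue;
            cell.Text = HttpUtility.HtmlEncode(cell.Text);
        }
    }
}
```

With this in place the grid shows the script tag as text and the TextBox shows it once, not double-encoded; the same ItemDataBound pattern applies to Label or Literal controls, which also emit their Text verbatim.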
