Breaking Change T824370

Error text in grid-like controls is automatically encoded

Affected components:

  • ASP.NET WebForms and MVC GridView
  • ASP.NET WebForms and MVC CardView
  • ASP.NET WebForms and MVC VerticalGrid
  • ASP.NET WebForms and MVC TreeList
  • Bootstrap GridView
  • Bootstrap CardView

In previous versions, the default value of the ASPxGridBehaviorSettings.EncodeErrorHtml option was false. You had to manually enable the HTML encoding functionality to prevent script injection.
With this update, the ASPxGridBehaviorSettings.EncodeErrorHtml option's default value has been changed to true. The grid-like components (DevExpress GridView, CardView, VerticalGrid) automatically parse error texts (see the following API) that contain HTML code and convert potentially unsafe characters to their HTML-encoded equivalents.

This allows you to protect your application from cross-site scripting (XSS) attacks.

Now, the TreeList component also supports this functionality and provides a new TreeListSettingsBehavior.EncodeErrorHtml property that is enabled by default. This property allows you to encode error texts (TreeListNodeValidationEventArgs.NodeError and TreeListExtension.SetEditErrorText) in TreeList if necessary.

This change may affect your application.

To revert to the previous behavior, set the ASPxGridBehaviorSettings.EncodeErrorHtml option (for DevExpress GridView, CardView, and VerticalGrid) and the TreeListSettingsBehavior.EncodeErrorHtml option (for TreeList) to false.

If the error text (ErrorText) you assign in the data control's Validation event handler intentionally contains HTML markup that should be rendered rather than displayed literally, you need to disable both the data control's EncodeErrorHtml property and the column editor's EncodeHtml property. Note that once both are disabled, nothing encodes the error text for you: any part of the message that originates from user input (for example, a submitted cell value echoed back in the message) must be HTML-encoded before it is concatenated into the markup, otherwise the XSS vector this change closes is reopened.

WebForms:

ASPx

<dx:ASPxGridView ID="ASPxGridView1" runat="server" ...>
    ...
    <SettingsBehavior EncodeErrorHtml="false" />
</dx:ASPxGridView>

<dx:ASPxCardView ID="ASPxCardView1" runat="server" ...>
    ...
    <SettingsBehavior EncodeErrorHtml="false" />
</dx:ASPxCardView>

<dx:ASPxVerticalGrid ID="ASPxVerticalGrid1" runat="server" ...>
    ...
    <SettingsBehavior EncodeErrorHtml="false" />
</dx:ASPxVerticalGrid>

<dx:ASPxTreeList ID="ASPxTreeList1" runat="server" ...>
    ...
    <SettingsBehavior EncodeErrorHtml="false" />
</dx:ASPxTreeList>

MVC:

Razor

@Html.DevExpress().GridView(settings => {
    settings.Name = "GridView";
    settings.SettingsBehavior.EncodeErrorHtml = false;
    ...
}).GetHtml()

@Html.DevExpress().CardView(settings => {
    settings.Name = "CardView";
    settings.SettingsBehavior.EncodeErrorHtml = false;
    ...
}).GetHtml()

@Html.DevExpress().VerticalGrid(settings => {
    settings.Name = "VerticalGrid";
    settings.SettingsBehavior.EncodeErrorHtml = false;
    ...
}).GetHtml()

@Html.DevExpress().TreeList(settings => {
    settings.Name = "TreeList";
    settings.SettingsBehavior.EncodeErrorHtml = false;
    ...
}).GetHtml()
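The following WebForms code-behind is an added example, not code from this page or from DevExpress. It shows the point the change is about: a RowValidating handler that echoes a submitted cell value back in the error text, which is exactly the situation where the EncodeErrorHtml default matters, and how to build such a message safely if you deliberately opt out of encoding to keep your own markup. It assumes the page declares an ASPxGridView with ID "ASPxGridView1" and OnRowValidating="ASPxGridView1_RowValidating", a data column bound to a field named "Name", and a 20-character limit; the field name, the limit and the class name are illustration values.

```csharp
// Added example (not DevExpress code). Assumed page markup:
//   <dx:ASPxGridView ID="ASPxGridView1" runat="server"
//       OnRowValidating="ASPxGridView1_RowValidating" ...>
// with a data column bound to a field named "Name". The field name, the
// 20-character limit and the page class name are assumptions for illustration.
using System;
using System.Web;
using DevExpress.Web;
using DevExpress.Web.Data;

public partial class Default : System.Web.UI.Page
{
    const int MaxNameLength = 20; // assumed business rule

    protected void ASPxGridView1_RowValidating(object sender, ASPxDataValidationEventArgs e)
    {
        var grid = (ASPxGridView)sender;
        string name = Convert.ToString(e.NewValues["Name"]);
        if (name.Length <= MaxNameLength)
            return;

        if (grid.SettingsBehavior.EncodeErrorHtml)
        {
            // Default since this update: the grid HTML-encodes the whole error text,
            // so a submitted value such as
            //   <img src=x onerror=alert(document.cookie)>
            // is displayed literally instead of being injected into the page.
            // Any markup you put in the message is displayed literally as well.
            e.RowError = "Value '" + name + "' exceeds " + MaxNameLength + " characters.";
        }
        else
        {
            // Opt-out (<SettingsBehavior EncodeErrorHtml="false" /> in the markup):
            // the grid renders the string as raw HTML, so the untrusted part must be
            // encoded by hand before it is concatenated with the intended markup.
            e.RowError = BuildMarkupError(name, MaxNameLength);
        }
    }

    // Builds an error message that keeps the intended <b> markup but neutralises
    // the user-supplied value. Only needed when EncodeErrorHtml is false.
    internal static string BuildMarkupError(string untrustedValue, int max)
    {
        return "Value '<b>" + HttpUtility.HtmlEncode(untrustedValue) + "</b>' exceeds "
            + max + " characters.";
    }
}
```

With the default of true, the first branch is safe even though it concatenates raw input, because the grid encodes the result before rendering. With the setting turned off, the message is treated as markup, so `BuildMarkupError` encodes only the user-controlled fragment and leaves the author-controlled `<b>` tags intact; the same pattern applies to per-column errors set through the `Errors` collection and to TreeList's `NodeError`, where the column editor's `EncodeHtml` and `TreeListSettingsBehavior.EncodeErrorHtml` play the corresponding roles.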
