BoundField.HtmlEncode Property

Updated: May 2011

Gets or sets a value indicating whether field values are HTML-encoded before they are displayed in a BoundField object.

Namespace:  System.Web.UI.WebControls
Assembly:  System.Web (in System.Web.dll)

Syntax

public virtual bool HtmlEncode { get; set; }

Property Value

Type: System.Boolean
true if field values are HTML-encoded before they are displayed in a BoundField object; otherwise, false. The default is true.

Remarks

Use the HtmlEncode property to specify whether field values are HTML-encoded to their respective string representations before they are displayed in a BoundField object. For example, if this property is true, the string "<script>" would be rendered as "&lt;script&gt;". If this property is false, the string would be rendered unchanged.

Note
HTML-encoding field values helps to prevent cross-site scripting attacks and malicious content from being displayed. This property should be enabled whenever possible.

Examples

The following code example demonstrates how to use the HtmlEncode property to prevent field values from being HTML-encoded before being displayed in a BoundField object.

<%@ Page language="C#" %>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
  <head runat="server">
    <title>BoundField Example</title>
</head>
<body>
    <form id="form1" runat="server">

      <h3>BoundField Example</h3>

      <asp:gridview id="CustomersGridView" 
        datasourceid="CustomersSqlDataSource" 
        autogeneratecolumns="false"
        allowpaging="true" 
        runat="server">

        <columns>
          <asp:boundfield datafield="CustomerID"
            readonly="true"      
            headertext="Customer ID"/>
          <asp:boundfield datafield="CompanyName"
            htmlencode="false"
            headertext="Customer Name"/>
          <asp:boundfield datafield="Address"
            htmlencode="false"
            headertext="Address"/>
          <asp:boundfield datafield="City"
            htmlencode="false"
            headertext="City"/>
          <asp:boundfield datafield="PostalCode"
            htmlencode="false"
            headertext="ZIP Code"/>
          <asp:boundfield datafield="Country"
            htmlencode="false"
            headertext="Country"/>
        </columns>

      </asp:gridview>

      <!-- This example uses Microsoft SQL Server and connects  -->
      <!-- to the Northwind sample database. Use an ASP.NET     -->
      <!-- expression to retrieve the connection string value   -->
      <!-- from the Web.config file.                            -->
      <asp:sqldatasource id="CustomersSqlDataSource"  
        selectcommand="Select [CustomerID], [CompanyName], [Address], [City], [PostalCode], [Country] From [Customers]"
        connectionstring="<%$ ConnectionStrings:NorthWindConnectionString%>"
        runat="server">
      </asp:sqldatasource>

    </form>
  </body>
</html>

Version Information

.NET Framework

Supported in: 4, 3.5, 3.0, 2.0

Platforms

Windows 7, Windows Vista SP1 or later, Windows XP SP3, Windows XP SP2 x64 Edition, Windows Server 2008 (Server Core not supported), Windows Server 2008 R2 (Server Core supported with SP1 or later), Windows Server 2003 SP2

The .NET Framework does not support all versions of every platform. For a list of the supported versions, see .NET Framework System Requirements.

See Also

Reference

BoundField Class

System.Web.UI.WebControls Namespace

HttpServerUtility.HtmlEncode

SupportsHtmlEncode

Change History

Date	History	Reason
May 2011	Clarified how strings that contains markup are rendered.	Customer feedback.