1

I am trying to display an asp drop down list tag as a string as an asp tag in html:

<%= HttpUtility.HtmlDecode("<asp:DropDownList ID=\"day\" runat=\"server\"></asp:DropDownList>") %>

If I try to display an HTML tag as a string, like an img tag, it displays perfectly, but with <asp:DropDownList...> it just would not display anything.

Please help, I have been trying to solve it for 2 days already.

2 Answers

1

ASP.NET applications try to prevent cross-site scripting attacks, so when we put a value directly into the UI, I mean the inner HTML, a string which contains something like < > will be considered cross-site scripting, so it will not allow that.

Example :

string mystring = "<asp:Button id=\"b1\" Text=\"Submit\" runat=\"server\" />";

If we try to put this code directly into a UI field, it will not allow us to do this.

Note: we can turn off the cross-site scripting feature in ASP.NET, but it is not a good idea.

Instead of ASP controls you can use pure HTML controls, then it will work.

string mystring = "<input type=\"button\" id=\"b1\" Text=\"Submit\" runat=\"server\" />";

Note: if you are allowing the user to enter sensitive information into your program, always think about cross-site scripting attacks; you need to prevent them.

HttpUtility.HtmlDecode encodes your string.

HTML encoding is to prevent cross-site scripting attacks, so it will work.

Note: Encode Output. Use the HttpUtility.HtmlEncode method to encode output if it contains input from the user or from other sources such as databases. HtmlEncode replaces characters that have special meaning in HTML-to-HTML variables that represent those characters. For example, < is replaced with &lt; and " is replaced with &quot;. Encoded data does not cause the browser to execute code. Instead, the data is rendered as harmless HTML.

Ref: MSDN


8 Comments

Well, that is exactly what I am doing. I use HttpUtility.HtmlDecode, so it should not be cross-site scripting, but it appears that it is doing that.
@korkotyan If you allow the user to enter something, then be curious about cross-site scripting. He can enter a script rather than an original input, and that script may take your sensitive data. So always be curious about cross-site scripting.
Thanks for the reply. Unfortunately I still do not understand how I can change the code so it will work without the cross-site scripting.
One way: you can use HtmlDecode for doing that. If you want more security, check your inputs from the user and make sure they do not contain any harmful information. You can restrict some script opening tags like <> in your UI fields. Also, you can encrypt the data coming from the user.
I think there is a misunderstanding here, I am not trying to get input from the user, just trying to insert asp tags to the html script, as I wrote on top.
0

Use the HtmlTextWriter Class and the RenderControl method.

Exp:

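// Requires: using System.IO; using System.Text; using System.Web.UI;
var finalHtmlTag = new StringBuilder();
var tempWriter = new StringWriter(finalHtmlTag);
var tempHtml = new HtmlTextWriter(tempWriter);
// YourControl is the server control instance to render
YourControl.RenderControl(tempHtml);
var html = finalHtmlTag.ToString();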
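
An added example, not code from either answer: a console program (assuming .NET Framework with a reference to System.Web) that shows what HtmlDecode and HtmlEncode do to the tag string from the question, and how RenderControl turns a DropDownList built in code into a `<select>`. The class name, method name and item labels are made up for illustration.

```csharp
// Added example. Assumes .NET Framework with a reference to System.Web.
// DropDownDemo, RenderDayList and the item labels are hypothetical/constructed.
using System;
using System.IO;
using System.Text;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

static class DropDownDemo
{
    // Builds the control in code and renders it to the HTML a browser understands.
    public static string RenderDayList(string[] labels)
    {
        var list = new DropDownList { ID = "day" };
        foreach (var label in labels)
            list.Items.Add(new ListItem(label));

        var buffer = new StringBuilder();
        using (var writer = new HtmlTextWriter(new StringWriter(buffer)))
        {
            list.RenderControl(writer);
        }
        return buffer.ToString();
    }

    static void Main()
    {
        const string tag =
            "<asp:DropDownList ID=\"day\" runat=\"server\"></asp:DropDownList>";

        // The string holds no entities, so HtmlDecode has nothing to decode:
        // the raw server tag would be sent to the browser as an unknown element.
        Console.WriteLine(HttpUtility.HtmlDecode(tag) == tag);

        // HtmlEncode makes the markup show up as literal text on the page.
        Console.WriteLine(HttpUtility.HtmlEncode(tag));

        // RenderControl emits a <select>; the control HTML-encodes item text,
        // so the second (constructed, hostile-looking) label stays inert text.
        Console.WriteLine(RenderDayList(
            new[] { "Monday", "<script>alert(1)</script>" }));
    }
}
```

Server-control markup is only parsed when it is part of the .aspx source itself; a string written by <%= %> goes to the response as-is, so the browser receives the raw tag, the encoded text, or the rendered <select>, depending on which of the three the string holds.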

1 Comment

Thanks for the answer. I am sorry, I forgot to mention that I am doing that in C#. But how can I implement it in the HTML file?
