RV here...

Last time we saw some some real world XSS examples. This time we will look at which common ASP.NET controls require encoding. Some controls in ASP.NET automatically encode certain properties when rendered, not all the controls do the same. We looked at ASP.NET controls during AntiXss development and here are some common controls which need HTML encoding.

Control Name Property Name Encoding Type
System.Web.UI.Page Title HTML
System.Web.UI.WebControls.CheckBox Text HTML
System.Web.UI.WebControls.CompareValidator Text HTML
System.Web.UI.WebControls.CustomValidator Text HTML
System.Web.UI.WebControls.DropDownList Text HTML
System.Web.UI.WebControls.HyperLink Text HTML
System.Web.UI.WebControls.Label Text HTML
System.Web.UI.WebControls.LinkButton Text HTML
System.Web.UI.WebControls.ListBox Text HTML
System.Web.UI.WebControls.ListControl Text HTML
System.Web.UI.WebControls.Literal Text HTML
System.Web.UI.WebControls.RadioButton Text HTML
System.Web.UI.WebControls.RadioButtonList Text HTML
System.Web.UI.WebControls.RangeValidator Text HTML
System.Web.UI.WebControls.RegularExpressionValidator Text HTML
System.Web.UI.WebControls.RequiredFieldValidator Text HTML

Any time use pass data to these properties it should be encoded with AntiXss.HtmlEncode method. Note that the above table has Encoding type listed as HTML, not all properties need html encoding. For example, HyperLink.Text would need HTML encoding whereas HyperLink.NavigateUrl would need URL encoding. AntiXss is available as free download on MSDN. There are many other controls which need encoding. Sacha in his blog post attaches the list of all controls which need encoding. Check out the blog post attachments.