
It is interesting that the asp:Label in ItemTemplate converts the following value userId=%UserId%&param=%param% into userId=%UserId%¶m=%param%. It converts &para into ¶.

The aspx code looks something like this; it uses asp:ObjectDataSource to get the data to bind:

<asp:DetailsView ID="dvLink" runat="server" DataSourceID="dsLink" AutoGenerateRows="False" DefaultMode="Insert" DataKeyNames="LinkId" OnModeChanged="dvLink_ModeChanged">
   <Fields>
        <asp:BoundField DataField="Description" HeaderText="Description" SortExpression="Description" />
        <asp:TemplateField HeaderText="Parameters" SortExpression="Parameters">
            <ItemTemplate>
                <asp:Label ID="lblParameters" runat="server" Text='<%# Bind("Parameters") %>'></asp:Label>
            </ItemTemplate>
            <EditItemTemplate>
                <asp:TextBox ID="tbParameters" runat="server" Text='<%# Bind("Parameters") %>' Width="500px"></asp:TextBox>
            </EditItemTemplate>
            <InsertItemTemplate>
                <asp:TextBox ID="tbParameters" runat="server" Text='<%# Bind("Parameters") %>' Width="500px"></asp:TextBox>
            </InsertItemTemplate>
        </asp:TemplateField>
        <asp:CommandField ShowEditButton="True" ShowInsertButton="True" />
    </Fields>
</asp:DetailsView>
<asp:ObjectDataSource ID="dsLink" runat="server" SelectMethod="GetLink"
    TypeName="LinkLib" InsertMethod="SaveLink"
    OnInserted="dsLink_Inserted" OnUpdated="dsLink_Updated"
    UpdateMethod="SaveLink" DataObjectTypeName="LinkLib">
    <SelectParameters>
        <asp:ControlParameter ControlID="gvLinks" Name="LinkId" PropertyName="SelectedValue"
            Type="Int32" />
        <asp:Parameter Name="auth" Type="Object" />
    </SelectParameters>
</asp:ObjectDataSource>

How can I escape &para during bind so it doesn't convert it into html code?

Sri Reddy
  • Please edit your question and add in the code segment that shows the value and how it gets assigned to the label, so we can see the "before" and "after". – devlin carnate Oct 06 '21 at 22:22
  • Does this help https://stackoverflow.com/questions/12306053/escape-html-entities-and-avoid-html-injection-in-webform-label – Greg Oct 06 '21 at 22:23
  • you can have apostrophe show if you use ' – JobesK Oct 06 '21 at 23:01
  • Does this answer your question? [Escape HTML-entities and avoid HTML-injection in WebForm Label?](https://stackoverflow.com/questions/12306053/escape-html-entities-and-avoid-html-injection-in-webform-label) – devlin carnate Oct 07 '21 at 14:43

1 Answer


Thanks to @Greg for pointing me to the right SO article, which solved the issue. Here is the solution, if someone has a similar issue:

I changed <asp:label> to <asp:Literal> to fix the issue. Also, make sure to use the following attribute Mode="Encode".

I replaced this aspx code

<ItemTemplate>
    <asp:Label ID="lblParameters" runat="server" Text='<%# Bind("Parameters") %>'></asp:Label>
</ItemTemplate>

with

<ItemTemplate>
    <asp:Literal ID="lblParameters" runat="server" Mode="Encode" Text='<%# Bind("Parameters") %>'></asp:Literal>
</ItemTemplate>
Sri Reddy
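The mechanism behind both the question and the answer, shown as an added example that is not part of the original post or of the asker's project: a browser treats &para as a legacy named character reference and decodes it even without a trailing semicolon, so an asp:Label, which writes its Text into the page unencoded, displays ¶. HTML-encoding the value first (what Mode="Encode" on asp:Literal does) turns the & into &amp; and the browser then shows the literal text. Python's html module follows the same HTML5 entity rules, so it can reproduce both renderings; the function names and the sample value below are constructed for this example, not taken from the question's code.

```python
import html

# Constructed sample value mirroring the question: "&param" begins with the
# legacy entity name "para", which HTML parsers accept with no ";" after it.
RAW_VALUE = "userId=%UserId%&param=%param%"


def render_unencoded(value: str) -> str:
    """Mimic asp:Label: Text goes into the page as-is, so the browser parses
    it as HTML. html.unescape applies the same character-reference rules,
    including the no-semicolon legacy names such as "para"."""
    return html.unescape(value)


def encode_for_html(value: str) -> str:
    """Mimic asp:Literal Mode="Encode" (HttpUtility.HtmlEncode-style):
    escape &, <, >, " and ' so the browser cannot read them as markup."""
    return html.escape(value, quote=True)


def render_encoded(value: str) -> str:
    """Encode first, then decode the way a browser would: the output is the
    original text, with no entity substitution and no injected markup."""
    return html.unescape(encode_for_html(value))


def looks_like_markup(rendered: str) -> bool:
    """Defensive check: after the browser-side decode, does the value still
    contain tag delimiters that would be interpreted as HTML? True means the
    control wrote raw markup into the page."""
    return "<" in rendered and ">" in rendered


if __name__ == "__main__":
    print("label   :", render_unencoded(RAW_VALUE))   # ... %UserId%¶m= ...
    print("encoded :", encode_for_html(RAW_VALUE))    # ... %UserId%&amp;param= ...
    print("literal :", render_encoded(RAW_VALUE))     # original text, unchanged
    # Constructed markup sample: an unencoded Label would emit it as HTML,
    # while the encoded path leaves it as visible text.
    sample = "<b>bold</b>"
    print("markup via label   :", looks_like_markup(render_unencoded(sample)))
    print("markup via literal :", encode_for_html(sample))
```

The same &para decoding applies to any value that reaches a Label's Text without encoding, so the asp:Literal Mode="Encode" change fixes both the display glitch and the broader problem of data-bound text being interpreted as markup.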