Kevin Frey wrote:
Correction. I meant HtmlEncode.
"Kevin Frey" <ke**********@hotmail.com> wrote in message
news:%2***************@TK2MSFTNGP12.phx.gbl... Can anyone tell me the logical reason for the above. I've read the
documentation and made note of the fact that the Label might be used to
display user input, which might be malicious script etc, but I'd like to
know why the content isn't UrlEncoded for a Label control?
If one wants unencoded strings, shouldn't one be using LiteralControl
instead?
Short answer, the ASP.NET tags render as normal HTML controls (that your
web browser understands hence displays). These controls (text, textarea,
etc) pass plain text (it's the browser's behavior). It's been like that
since day 1. I don't see why they should/would HtmlEncode the text
either (and when you need it to, it's just a short string).