I am using a CheckBoxList in a VB.NET web project. The elements are pulled from a DataSource which is populated elsewhere in the system.
The problem is, if someone put in some raw HTML, the CheckBoxList seems to render it rather than assume plain text.
In this screenshot, for example, I entered <a href="http://www.google.com" onmouseover="alert('123');">hover here</a> so now whenever you hover over that CheckBox, an alert window pops up. This seems like a potential for XSS and I would like to disable it altogether.
I have tried googling and searching SO for some way to disable HTML rendering such as this, but haven’t found anything relevant, so my apologies if this already has been answered elsewhere.
Thanks!
After binding the datasource, you should be able to iterate through each of the Items in the CheckBoxList and use System.Web.HttpServerUtility.HtmlEncode to update each item’s Text property.
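A worked version of that approach, added here as an example rather than code from the answer above. It assumes a CheckBoxList named `chkItems` and a data source named `itemsTable` with `Name` and `Id` columns (all hypothetical names), and does the encoding in the control's `DataBound` handler so it runs after every `DataBind()` call, wherever that call happens:

```vbnet
' Added example (not from the answer above): encode each item's Text after data binding
' so markup stored in the data renders as literal text instead of live HTML.
' chkItems and itemsTable are hypothetical names for this illustration.
Imports System
Imports System.Web.UI.WebControls

Partial Class ItemsPage
    Inherits System.Web.UI.Page

    Protected Sub Page_Load(sender As Object, e As EventArgs) Handles Me.Load
        If Not IsPostBack Then
            chkItems.DataSource = itemsTable        ' hypothetical data source populated elsewhere
            chkItems.DataTextField = "Name"
            chkItems.DataValueField = "Id"
            chkItems.DataBind()
        End If
    End Sub

    ' DataBound fires once after each DataBind, when the Items collection has been rebuilt
    ' from the data source, so the encoding is applied exactly once per bind.
    Protected Sub chkItems_DataBound(sender As Object, e As EventArgs) Handles chkItems.DataBound
        For Each item As ListItem In chkItems.Items
            ' Server.HtmlEncode (System.Web.HttpServerUtility) turns <, >, &, " into entities,
            ' so "<a onmouseover=...>" is shown as text and never becomes a tag in the page.
            item.Text = Server.HtmlEncode(item.Text)
        Next
    End Sub
End Class
```

Doing the encoding in `DataBound` rather than right after a particular `DataBind()` call matters for two reasons: the list may be rebound from other code paths (a postback handler, a parent control), and encoding in the handler means every path is covered. It also avoids double encoding, since the `Items` collection is rebuilt from the raw data on each bind before the handler runs, so previously encoded text is never encoded a second time. A quick check after deploying is to load the page with the `<a ... onmouseover=...>` sample from the question in the data and confirm the markup appears verbatim as the checkbox label.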