BUG: InnerText and InnerHTML Encoding Does Not Work as Expected

When you use the InnerHtml property of a HtmlTextArea control on the server side to prevent automatic encoding that is performed with ASP.NET, the InnerHtml property does not prevent the encoding of special characters to HTML entities. For example, when the InnerHtml property is set to <b>Hello</b>, the angle bracket characters (< and >) are converted to &lt; and &gt; respectively, and the text displayed on the page is <b> Hello </b>.

When you use the InnerText property of a HtmlTextArea control on the server side to provide automatic HTML encoding, the InnerText property does not encode special characters to HTML entities. For example, when the InnerText property is set to <b>Hello</b>, the angle bracket characters (< and >) are not converted to &lt; and &gt; respectively. Because of this, the browser detects the <b> tags and displays the text "Hello" in bold type.

Microsoft has confirmed that this is a bug in the Microsoft products that are listed at the beginning of this article.

When the InnerHtml property of HtmlContainerControl is used to set special characters, it automatically encodes special characters to and from HTML entities. For more information about this control, visit the following Microsoft Developer Network (MSDN) Web site:

Steps to Reproduce the Behavior

1. In Microsoft Visual Studio .NET, create a new ASP.NET Web Application project by using Microsoft Visual Basic .NET or Microsoft Visual C# .NET. By default, WebForm1.aspx is created.
2. Right-click WebForm1, and then click View HTML.
3. Replace the existing code with the following code:

   Visual Basic .NET

   <%@ Page Language="vb" %>
   <HTML>
      <HEAD>
         <script language="vb" runat="server">
            Private Sub Button1_Click(ByVal sender As System.Object, ByVal e As System.EventArgs)
               Response.Write(TEXTAREA1.InnerHtml)
            End Sub
   
            Private Sub Button2_Click(ByVal sender As System.Object, ByVal e As System.EventArgs)
               Response.Write(TEXTAREA1.InnerText)
            End Sub
         </script>
      </HEAD>
      <body>
         <form id="Form1" method="post" runat="server">
            <P>&nbsp;</P>
            <P>&nbsp;</P>
            <P><TEXTAREA id="TEXTAREA1" name="TEXTAREA1" rows="2" cols="20" runat="server">
               </TEXTAREA></P>
            <P>
               <asp:Button id="Button1" runat="server" Text="InnerHtml" OnClick="Button1_Click"></asp:Button>&nbsp;
               <asp:Button id="Button2" runat="server" Text="InnerText" OnClick="Button2_Click"></asp:Button></P>
         </form>
      </body>
   </HTML>

   Visual C# .NET

   <%@ Page Language="C#" %>
   <HTML>
      <HEAD>
         <script language=C# runat="server">
            private void Button1_Click(System.Object sender, System.EventArgs e)
            {
               Response.Write(TEXTAREA1.InnerHtml);
            }
   
            private void Button2_Click(System.Object sender, System.EventArgs e)
            {
               Response.Write(TEXTAREA1.InnerText);
            }
         </script>
      </HEAD>
      <body>
         <form id="Form1" method="post" runat="server">
            <P>&nbsp;</P>
            <P>&nbsp;</P>
            <P><TEXTAREA id="TEXTAREA1" name="TEXTAREA1" rows="2" cols="20" runat="server">
               </TEXTAREA></P>
            <P>
               <asp:Button id="Button1" runat="server" Text="InnerHtml" OnClick="Button1_Click"></asp:Button>&nbsp;
               <asp:Button id="Button2" runat="server" Text="InnerText" OnClick="Button2_Click"></asp:Button></P>
         </form>
      </body>
   </HTML>

   Note Add ValidateRequest="false" attributes to the @Page directive in ASP.NET version 1.1.
4. On the Debug menu, click Start to run the application.
5. In the text area, type <b>Hello</b>, and then click InnerHtml or InnerText.

For more information about the InnerHtml property, visit the following MSDN Web site: