Assigning values in Page_PreRender

Sep 21, 2010 at 1:03 PM

I have a user control that is assigning values to labels in Page_PreRender. From another post it is recommended to use Page_PreRender instead of overriding OnPreRender. However, even using Page_PreRender, the text is not encoded. If I switch it to Page_Load, they are. However, the data is not available until after postbacks have been processed, so I can't switch it to Page_Load. Is it "too late" to have the AntiXssModule encode controls if they are getting their values in Page_PreRender?

Sep 21, 2010 at 2:53 PM

Actually, the AntiXSS module, in both the current release and the CTP, hooks into Page_PreRender. What may be happening is the module is running before your event, but unfortunately there's no way to control the order in which the event handlers fire.

However I'm a little confused why you say your values are not available until pre-render - pre-render is the stage just before the controls are asked to turn themselves into HTML. Before that happens your user control should have handled any postback processing it needs.


Sep 21, 2010 at 4:11 PM

PreRender just happened to be the most convenient event to hook into that occurs after all of the PostBack events have fired (in this case button clicks).  The data shown in some of the labels is set by the outcome of some of the PostBack processing.  If I can't assign the value until PreRender, and if the AntiXssModule has already completed its pass through that control prior to then, my controls won't be encoded.

Sep 21, 2010 at 4:15 PM

This is, unfortunately, correct. You're going to have to manually encode within your user control.
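
An added example of the manual encoding recommended above; it is not code from the thread or from the AntiXSS project. The control, field and handler names are hypothetical, and `AntiXss.HtmlEncode` is the AntiXSS library's encoder (`HttpUtility.HtmlEncode` could be substituted if the library is not referenced).

```csharp
using System;
using System.Web.UI;
using System.Web.UI.WebControls;
using Microsoft.Security.Application; // AntiXSS library

// Hypothetical user control: every name below is an assumption for illustration.
// Assumes AutoEventWireup="true" so Page_PreRender is hooked up automatically.
public class OrderStatusControl : UserControl
{
    // Normally generated in the .designer.cs file; declared here so the
    // example is self-contained.
    protected TextBox NameTextBox;
    protected Button SubmitButton;
    protected Label ResultLabel;

    // Raw (unencoded) outcome of postback processing.
    private string _resultMessage;

    // Postback event: runs after Page_Load and before PreRender, which is why
    // the value cannot be assigned to the label in Page_Load.
    protected void SubmitButton_Click(object sender, EventArgs e)
    {
        // Keep the raw value here; encode once, at the point of output.
        _resultMessage = "Saved order for " + NameTextBox.Text;
    }

    protected void Page_PreRender(object sender, EventArgs e)
    {
        if (_resultMessage == null)
        {
            ResultLabel.Visible = false;
            return;
        }

        // Label.Text is written to the response as-is, so encode explicitly
        // instead of relying on the module having visited this control.
        ResultLabel.Text = AntiXss.HtmlEncode(_resultMessage);
        ResultLabel.Visible = true;
    }
}
```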