Excluding a User Control Used in Master Page

Jul 22, 2009 at 3:45 PM
Edited Jul 22, 2009 at 3:46 PM

We've got a custom menu control that uses an ASP:Literal control to build an unordered list based menu from the sitemap file.  I am trying to exclude the user control from being processed with SRE with the following:

<Exclude Path="/controls/ULMenu.ascx" />

This doesn't seem to have any effect.

In fact, it doesn't look like anything I put in the Exclude has any effect.

Any help is greatly appreciated.


Jul 22, 2009 at 5:01 PM

Hi Scott,

You cannot exclude a control like that. Configuration-based exclusion only works with pages. So if the control is only being used in the sitemap file, try to exclude the sitemap page.

 <Exclude Path="/sitemap.aspx" />


Jul 22, 2009 at 5:04 PM

The other option that I can think of is to use the SupressAntiXssEncoding() attribute. Use the following attribute above the control declaration. 



Jul 22, 2009 at 6:15 PM
Edited Jul 22, 2009 at 6:17 PM

Is this for the release version?

I am getting an error when I try the second option. Here is what I have.

The control in question is an asp:literal control.  I moved the control declaration out of the designer and into the code-behind.  When I tried this:


Protected WithEvents litMenuDisplay As Global.System.Web.UI.WebControls.Literal


I get the following error: "Error 1 Bracketed identifier is missing closing ']'." The error indicator is underlining the opening bracket and "Microsoft".


Jul 22, 2009 at 7:54 PM

I figured out my problem. The code you posted was C# and we are using VB. I did have to place the attribute on the code-behind class, however. When I placed it before the literal control declaration, nothing changed.


Thanks for your help.

Jul 29, 2009 at 8:31 PM

Any idea why this doesn't disable encoding for the label control?


    <Microsoft.Security.Application.SecurityRuntimeEngine.SupressAntiXssEncoding()> _
    Protected WithEvents lblSystemErrorPanel As Global.System.Web.UI.WebControls.Label

It doesn't give me an error, but the HTML markup in the control is still encoded. If I place the attribute before the page class, it works. I just want to exclude the error label from automatic encoding.


Thanks again,




Jul 29, 2009 at 8:55 PM


Did you move the control declaration from the .designer.cs to the .cs file? Sometimes you have to move the declaration to the .cs file for the attribute to take effect.


Jul 30, 2009 at 12:45 PM

Yes, I moved it to the code-behind. I am using VB, not C#.

Jan 6, 2010 at 4:26 PM

Scott, Anil,

Did this ever get resolved? I have the same issue with a control on a master page that I need to suppress. I can suppress other controls on pages, so there's no problem with the mechanism itself. I just can't suppress the control when it is on a master page.



Jan 7, 2010 at 3:52 PM

Just in case anyone else is following this...

I switched to the November 2009 CTP of the Web Protection Library and the problem exists there as well.


Jan 7, 2010 at 8:52 PM


Looks like this might be a real issue with master pages, and we will investigate further and take it up in the next release. Note that suppression handling was changed in the WPL version of SRE. Scott, did you also try the WPL version of SRE? Here is a link to the Connect website for downloading the CTP: https://connect.microsoft.com/site/sitehome.aspx?SiteID=734



From: gsmithferrier [mailto:notifications@codeplex.com]
Sent: Thursday, January 07, 2010 7:53 AM
Subject: Re: Excluding a User Control Used in Master Page [AntiXSS:63200]

From: gsmithferrier

Just in case anyone else is following this...

I switched to the November 2009 CTP of the Web Protection Library and the problem exists there as well.

