I am working on a web project which includes a user control (.ascx) which is housed in a repeater on the containing .aspx page. There is a DataList on the user control which is dynamically bound in the code-behind, such that the parent page/repeater assigns the data (a List) to a property on the user control, which then assigns that source to the DataSource property of the DataList. Does this create an XSS vulnerability?

In the Repeater's ItemDataBound is a line:

<object>.DataSource = ((KeyValuePair<..., ...>)e.Item.DataItem).Value as <objecttype>;

In the codebehind of the .ascx (DataSource property):

MyDataList.DataSource = value;
MyDataList.DataBind();

Thanks much.

A: 

It really depends on your item template and how you're displaying the data. Where it comes from and it being in an ascx control is less important. I would recommend escaping the data in your ItemDataBound handler, when setting DataSource.

More details on MSDN for preventing XSS in ASP.NET: How To: Prevent Cross-Site Scripting in ASP.NET

Also see this other SO Question about the AntiXSS library: AntiXSS vs HtmlEncode

Jason
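As an added example (not code from the question or the answer), this sketch shows output encoding applied where the DataList item is rendered, which is the point the answer says decides whether the binding is exploitable. The `Comment` type, the `CommentList` control name and the control IDs `AuthorLabel` and `BodyLiteral` are assumptions; `MyDataList` and the `DataSource` setter follow the question.

```csharp
// Assumed markup in CommentList.ascx (hypothetical file name):
//   <asp:DataList ID="MyDataList" runat="server"
//                 OnItemDataBound="MyDataList_ItemDataBound">
//     <ItemTemplate>
//       <asp:Label ID="AuthorLabel" runat="server" />
//       <asp:Literal ID="BodyLiteral" runat="server" Mode="Encode" />
//     </ItemTemplate>
//   </asp:DataList>
// A template that writes <%# Eval("Body") %> emits the value unencoded;
// on .NET 4.5+ the <%#: Eval("Body") %> form HTML-encodes it instead.
using System.Collections.Generic;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

// Hypothetical data item; any user-supplied string fields apply equally.
public class Comment
{
    public string Author { get; set; }
    public string Body { get; set; }
}

public partial class CommentList : UserControl
{
    // Same shape as the DataSource property described in the question.
    public List<Comment> DataSource
    {
        set
        {
            MyDataList.DataSource = value;
            MyDataList.DataBind();
        }
    }

    protected void MyDataList_ItemDataBound(object sender, DataListItemEventArgs e)
    {
        // Header, footer and separator items carry no DataItem.
        if (e.Item.ItemType != ListItemType.Item &&
            e.Item.ItemType != ListItemType.AlternatingItem)
            return;

        var comment = (Comment)e.Item.DataItem;

        // Label.Text is written to the page as-is, so encode explicitly.
        var author = (Label)e.Item.FindControl("AuthorLabel");
        author.Text = HttpUtility.HtmlEncode(comment.Author);

        // Mode="Encode" makes the Literal HTML-encode Text when it renders,
        // so the raw value is assigned here and must not be encoded twice.
        var body = (Literal)e.Item.FindControl("BodyLiteral");
        body.Text = comment.Body;
    }
}
```

Encoding at render time rather than when the list is built keeps the stored data unmodified and avoids double encoding if the same list is bound elsewhere.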