AntiXssEncoder.HtmlEncode Method

Definition

Encodes the specified string for use as text in HTML markup.

Overloads

HtmlEncode(String, Boolean)

Encodes the specified string for use as text in HTML markup and optionally specifies whether to use HTML 4.0 named entities.

HtmlEncode(String, TextWriter)

Encodes the specified string for use as text in HTML markup and outputs the string by using the specified text writer.

HtmlEncode(String, Boolean)

Encodes the specified string for use as text in HTML markup and optionally specifies whether to use HTML 4.0 named entities.

public:
 static System::String ^ HtmlEncode(System::String ^ input, bool useNamedEntities);
public static string HtmlEncode (string input, bool useNamedEntities);
static member HtmlEncode : string * bool -> string
Public Shared Function HtmlEncode (input As String, useNamedEntities As Boolean) As String

Parameters

input
String

The string to encode.

useNamedEntities
Boolean

true to output HTML 4.0 named entities (for example &eacute;) for characters that have one; false to encode every character outside the safe list by using only &#DECIMAL; notation.

Returns

The encoded string.

Remarks

This method works from a safe list, not a block list: every character that is not on the safe list is encoded, regardless of whether it is known to be dangerous. The HTML-significant characters (&, <, >, " and ') are never on the safe list. Characters outside the list are encoded by using &#DECIMAL; notation, except that <, > and " are output as the named entities &lt;, &gt; and &quot; (see the examples below), and when useNamedEntities is true, characters that have an HTML 4.0 named entity are output as that entity.

Note

HtmlEncode is intended for text that appears between tags. If you place the result in an attribute value, put double quotation marks (" ") or single quotation marks (' ') around it: space is on the safe list, so a space in the input could terminate an unquoted attribute and let the rest of the input be parsed as a new attribute. HtmlAttributeEncode is the encoder intended for attribute values.

The following table lists the default safe characters.

Unicode code chart Character(s) Description
C0 Controls and Basic Latin A-Z Uppercase Latin alphabetic characters
C0 Controls and Basic Latin a-z Lowercase Latin alphabetic characters
C0 Controls and Basic Latin 0-9 Numbers
C0 Controls and Basic Latin (Space) Space
C0 Controls and Basic Latin ! Exclamation mark
C0 Controls and Basic Latin # Number sign, hash
C0 Controls and Basic Latin $ Dollar sign
C0 Controls and Basic Latin % Percent sign
C0 Controls and Basic Latin ( ) Parentheses
C0 Controls and Basic Latin * Asterisk
C0 Controls and Basic Latin + Plus sign
C0 Controls and Basic Latin , Comma
C0 Controls and Basic Latin - Hyphen, minus
C0 Controls and Basic Latin . Period, dot, full stop
C0 Controls and Basic Latin / Slash
C0 Controls and Basic Latin : Colon
C0 Controls and Basic Latin ; Semicolon
C0 Controls and Basic Latin = Equals sign
C0 Controls and Basic Latin ? Question mark
C0 Controls and Basic Latin @ Commercial at
C0 Controls and Basic Latin [ ] Square brackets
C0 Controls and Basic Latin \ Backslash
C0 Controls and Basic Latin ^ Caret
C0 Controls and Basic Latin _ Underscore
C0 Controls and Basic Latin ` Grave accent
C0 Controls and Basic Latin { } Braces, curly brackets
C0 Controls and Basic Latin | Vertical line
C0 Controls and Basic Latin ~ Tilde
C1 Controls and Latin-1 Supplement 0x00A1 - 0x00AC Special characters between 0x00A1 (161 decimal) and 0x00AC (172 decimal). Characters in this range are output unencoded when useNamedEntities is false and as HTML 4.0 named entities when useNamedEntities is true.
C1 Controls and Latin-1 Supplement 0x00AE - 0x00FF Special characters between 0x00AE (174 decimal) and 0x00FF (255 decimal). Characters in this range are output unencoded when useNamedEntities is false and as HTML 4.0 named entities when useNamedEntities is true. Note that the C1 control characters (0x0080 - 0x009F), the no-break space (0x00A0) and the soft hyphen (0x00AD) are not in these ranges and are therefore always encoded.
Latin Extended-A 0x0100 - 0x017F Latin extended characters between 0x0100 (256 decimal) and 0x017F (383 decimal).
Latin Extended-B 0x0180 - 0x024F Latin extended characters between 0x0180 (384 decimal) and 0x024F (591 decimal).
IPA Extensions 0x0250 - 0x02AF IPA Extension characters between 0x0250 (592 decimal) and 0x02AF (687 decimal).
Spacing Modifier Letters 0x02B0 - 0x02FF Spacing modifier letter characters between 0x02B0 (688 decimal) and 0x02FF (767 decimal).
Combining Diacritical Marks 0x0300 - 0x036F Combining diacritical mark characters between 0x0300 (768 decimal) and 0x036F (879 decimal).

The following examples show inputs and the corresponding encoded outputs (with useNamedEntities set to false). Space is on the safe list, so it is passed through unchanged.

Input:  alert('XSS Attack!');
Output: alert(&#39;XSS Attack!&#39;);

Input:  <script>alert('XSS Attack!');</script>
Output: &lt;script&gt;alert(&#39;XSS Attack!&#39;);&lt;/script&gt;

Input:  alert('XSSあAttack!');
Output: alert(&#39;XSS&#12354;Attack!&#39;);

Input:  user@contoso.com
Output: user@contoso.com

Input:  "Anti-Cross Site Scripting Namespace"
Output: &quot;Anti-Cross Site Scripting Namespace&quot;

To customize the safe list, call the MarkAsSafe method. MarkAsSafe is static and replaces the safe list for all subsequent calls in the application domain, so widen it only with code charts you have reviewed; anything you add is emitted into the page verbatim.
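The following console program is an added example and is not part of the AntiXssEncoder documentation. It assumes .NET Framework 4.5 or later with a reference to System.Web.dll, and it uses constructed sample inputs. It shows the difference the useNamedEntities flag makes, why HtmlEncode output placed in an attribute must be quoted, and how MarkAsSafe widens the safe list. The LowerCodeCharts.Default and LowerCodeCharts.Cyrillic flag names are taken from the System.Web.Security.AntiXss enumerations; confirm them against your framework version.

```csharp
// Added example; not code from the AntiXssEncoder documentation.
// Assumes .NET Framework 4.5+ and a reference to System.Web.dll.
using System;
using System.Web.Security.AntiXss;

static class HtmlEncodeDemo
{
    // Constructed sample inputs: the page's own XSS probe, an attribute-style
    // payload, Latin-1 characters, and Cyrillic text outside the default safe list.
    static readonly string[] Samples =
    {
        "<script>alert('XSS Attack!');</script>",
        "\"Anti-Cross Site Scripting Namespace\"",
        "Crème brûlée & co",
        "user@contoso.com",
        "Привет",
    };

    // Untrusted text placed between tags. No quoting is needed because
    // <, >, &, " and ' are never on the safe list.
    static string TextNode(string untrusted, bool namedEntities)
    {
        return AntiXssEncoder.HtmlEncode(untrusted, namedEntities);
    }

    // Untrusted text placed in an attribute. HtmlEncode leaves space unencoded,
    // so the value is quoted; unquoted, a space in the input would end the
    // attribute and let the remainder be parsed as a new attribute.
    static string Attribute(string name, string untrusted)
    {
        return name + "=\"" + AntiXssEncoder.HtmlEncode(untrusted, false) + "\"";
    }

    static void Main()
    {
        foreach (var s in Samples)
        {
            Console.WriteLine("input:          " + s);
            Console.WriteLine("decimal:        " + TextNode(s, false));
            Console.WriteLine("named entities: " + TextNode(s, true));
            Console.WriteLine();
        }

        // A constructed attribute payload; the quotes keep it a single value.
        Console.WriteLine("<input " + Attribute("value", "x onmouseover=alert(1)") + ">");

        // Widen the safe list so Cyrillic is emitted verbatim instead of as one
        // &#DECIMAL; reference per character. MarkAsSafe replaces the whole list,
        // so Default is OR-ed back in. Flag names assumed from the
        // System.Web.Security.AntiXss enumerations; verify for your version.
        AntiXssEncoder.MarkAsSafe(
            LowerCodeCharts.Default | LowerCodeCharts.Cyrillic,
            LowerMidCodeCharts.None,
            MidCodeCharts.None,
            UpperMidCodeCharts.None,
            UpperCodeCharts.None);
        Console.WriteLine("after MarkAsSafe: " + TextNode("Привет", false));
    }
}
```

Compile with a reference to System.Web.dll (for example csc /r:System.Web.dll HtmlEncodeDemo.cs). Run the MarkAsSafe step last, or in a separate process: because the safe list is static, every HtmlEncode call after it sees the widened list.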

HtmlEncode(String, TextWriter)

Encodes the specified string for use as text in HTML markup and outputs the string by using the specified text writer.

protected public:
 override void HtmlEncode(System::String ^ value, System::IO::TextWriter ^ output);
protected internal override void HtmlEncode (string value, System.IO.TextWriter output);
override this.HtmlEncode : string * System.IO.TextWriter -> unit
Protected Friend Overrides Sub HtmlEncode (value As String, output As TextWriter)

Parameters

value
String

The string to encode.

output
TextWriter

The text writer to use to output the string.

Remarks

This override is the entry point used by the ASP.NET encoding pipeline (HttpUtility.HtmlEncode and Server.HtmlEncode) when AntiXssEncoder is registered as the application's encoder through the encoderType attribute of the httpRuntime element in Web.config. It applies the same safe list and the same encoding rules as HtmlEncode(String, Boolean): every character that is not on the safe list is encoded by using &#DECIMAL; notation, and the result is written to output. This overload has no useNamedEntities parameter, so no HTML 4.0 named entities are produced for the Latin-1 range. The default safe characters and the example inputs and outputs are listed under HtmlEncode(String, Boolean) above.

Note

HtmlEncode is intended for text that appears between tags. If you write the result into an attribute value, put double quotation marks (" ") or single quotation marks (' ') around it, because space is on the safe list and would terminate an unquoted attribute. HtmlAttributeEncode is the encoder intended for attribute values.

To customize the safe list, call the MarkAsSafe method.
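The following program is an added example and is not part of the AntiXssEncoder documentation. It assumes .NET Framework 4.5 or later with System.Web referenced, and that HttpEncoder.Current can be assigned from application code (an assumption to verify for your version; the Web.config registration is the supported route). It shows how a subclass reaches the HtmlEncode(String, TextWriter) override, which the base class exposes without a useNamedEntities switch, and routes it through the public static overload instead. The class and assembly names are hypothetical.

```csharp
// Added example; not code from the AntiXssEncoder documentation.
// Assumes .NET Framework 4.5+ and a reference to System.Web.dll.
using System;
using System.IO;
using System.Web;
using System.Web.Security.AntiXss;
using System.Web.Util;

// HtmlEncode(String, TextWriter) is the hook that HttpUtility.HtmlEncode and
// Server.HtmlEncode call once AntiXssEncoder (or a subclass) is the configured
// encoder. The base override offers no useNamedEntities switch, so this subclass
// sends the text through the public static overload with useNamedEntities = true.
// Hypothetical class name.
public sealed class NamedEntityAntiXssEncoder : AntiXssEncoder
{
    // The base member is protected internal; a subclass in another assembly
    // overrides it as protected.
    protected override void HtmlEncode(string value, TextWriter output)
    {
        if (string.IsNullOrEmpty(value))
        {
            return;
        }
        output.Write(AntiXssEncoder.HtmlEncode(value, true));
    }
}

static class EncoderRegistrationDemo
{
    // Site-wide registration in Web.config (assembly name "MyApp" assumed):
    //   <system.web>
    //     <httpRuntime encoderType="MyApp.NamedEntityAntiXssEncoder, MyApp" />
    //   </system.web>
    // The stock encoder is registered the same way with
    //   encoderType="System.Web.Security.AntiXss.AntiXssEncoder, System.Web,
    //                Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"

    static void Main()
    {
        // Constructed untrusted input: a markup probe plus a Latin-1 character.
        const string untrusted = "<img src=x onerror=alert(1)> café";

        Console.WriteLine("default encoder: " + HttpUtility.HtmlEncode(untrusted));

        // Assumption: HttpEncoder.Current is assignable here. In a web application
        // rely on the Web.config registration above instead.
        HttpEncoder.Current = new NamedEntityAntiXssEncoder();
        Console.WriteLine("custom encoder:  " + HttpUtility.HtmlEncode(untrusted));

        // Writing to a TextWriter exercises the override directly.
        using (var writer = new StringWriter())
        {
            HttpUtility.HtmlEncode(untrusted, writer);
            Console.WriteLine("via TextWriter:  " + writer.ToString());
        }
    }
}
```

The check worth running after registration is the first line of output: if the <img> probe comes back with < and > intact, the encoderType setting is not taking effect (for example because it is in the wrong configuration scope) and pages are still using the default encoder.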

Applies to