Edit

Share via


AntiXssEncoder.HtmlEncode Method

Definition

Encodes the specified string for use as text in HTML markup.

Overloads

HtmlEncode(String, Boolean)

Encodes the specified string for use as text in HTML markup and optionally specifies whether to use HTML 4.0 named entities.

HtmlEncode(String, TextWriter)

Encodes the specified string for use as text in HTML markup and outputs the string by using the specified text writer.

HtmlEncode(String, Boolean)

Encodes the specified string for use as text in HTML markup and optionally specifies whether to use HTML 4.0 named entities.

public:
 static System::String ^ HtmlEncode(System::String ^ input, bool useNamedEntities);
public static string HtmlEncode (string input, bool useNamedEntities);
static member HtmlEncode : string * bool -> string
Public Shared Function HtmlEncode (input As String, useNamedEntities As Boolean) As String

Parameters

input
String

The string to encode.

useNamedEntities
Boolean

true to use HTML 4.0 named entities for certain character encodings; false to encode by using only &#DECIMAL; notation.

Returns

The encoded string.

Remarks

This method encodes all characters except those that are in the safe list. Characters are encoded by using &#DECIMAL; notation.

Note

Put double quotation marks (" ") or single quotation marks (' ') around the resulting string before you add it to a page.

The following table lists the default safe characters. All characters are from the Unicode C0 Controls and Basic Latin character range unless noted in the Description column.

Character(s) Description
A-Z Uppercase Latin alphabetic characters
a-z Lowercase Latin alphabetic characters
0-9 Numbers
(Space) Space
! Exclamation mark
# Number sign, hash
$ Dollar sign
% Percent sign
( ) Parentheses
* Asterisk
+ Plus sign
, Comma
- Hyphen, minus
. Period, dot, full stop
/ Slash
: Colon
; Semicolon
= Equals sign
? Question mark
@ Commercial at
[ ] Square brackets
\ Backslash
^ Caret
_ Underscore
` Grave accent
{ } Braces, curly brackets
| Vertical line
~ Tilde
0x00A1 - 0x00AC Special characters between 0x00A1 (161 decimal) and 0x00AC (172 decimal) from the Unicode C1 Controls and Latin-1 Supplement character range. Characters in this range are encoded when useNamedEntities is true.
0x00AE - 0x00FF Special characters between 0x00AE (174 decimal) and 0x00FF (255 decimal) from the Unicode C1 Controls and Latin-1 Supplement character range. Characters in this range are encoded when useNamedEntities is true.
0x0100 - 0x017F Characters between 0x0100 (256 decimal) and 0x017F (383 decimal). (The Unicode Latin-Extended-A character range.)
0x0180 - 0x024F Characters between 0x0180 (384 decimal) and 0x024F (591 decimal). (The Unicode Latin-Extended-B character range.)
0x0250 - 0x02AF Characters between 0x0250 (592 decimal) and 0x02AF (687 decimal). (The Unicode IPA Extensions character range.)
0x02B0 - 0x02FF Characters between 0x02B0 (688 decimal) and 0x02FF (767 decimal). (The Unicode Spacing Modifier Letters character range.)
0x0300 - 0x036F Characters between 0x0300 (768 decimal) and 0x036F (879 decimal). (The Unicode Combining Diacritical Marks character range.)

The following table lists examples of inputs and the corresponding encoded outputs.

alert('XSS Attack!'); alert('XSS Attack!');
<script>alert('XSS Attack!');</script> &lt;script&gt;alert(&#39;XSS Attack!&#39;);&lt;/script&gt;
alert('XSSあAttack!'); alert(&#39;XSS&#12354;Attack!&#39;);
user@contoso.com user@contoso.com
"Anti-Cross Site Scripting Namespace" &quot;Anti-Cross&#32;Site&#32;Scripting&#32;Namespace&quot;

To customize the safe list, call the MarkAsSafe method.

Applies to

HtmlEncode(String, TextWriter)

Encodes the specified string for use as text in HTML markup and outputs the string by using the specified text writer.

protected public:
 override void HtmlEncode(System::String ^ value, System::IO::TextWriter ^ output);
protected internal override void HtmlEncode (string value, System.IO.TextWriter output);
override this.HtmlEncode : string * System.IO.TextWriter -> unit
Protected Friend Overrides Sub HtmlEncode (value As String, output As TextWriter)

Parameters

value
String

The string to encode.

output
TextWriter

The text writer to use to output the string.

Remarks

This method encodes all characters except those that are in the safe list. Characters are encoded by using &#DECIMAL; notation.

Note

Put double quotation marks (" ") or single quotation marks (' ') around the resulting string before you add it to a page.

The following table lists the default safe characters. All characters are from the Unicode C0 Controls and Basic Latin character range unless noted in the Description column.

Character(s) Description
A-Z Uppercase Latin alphabetic characters
a-z Lowercase Latin alphabetic characters
0-9 Numbers
(Space) Space
! Exclamation mark
# Number sign, hash
$ Dollar sign
% Percent sign
( ) Parentheses
* Asterisk
+ Plus sign
, Comma
- Hyphen, minus
. Period, dot, full stop
/ Slash
: Colon
; Semicolon
= Equals sign
? Question mark
@ Commercial at
[ ] Square brackets
\ Backslash
^ Caret
_ Underscore
` Grave accent
{ } Braces, curly brackets
| Vertical line
~ Tilde
0x00A1 - 0x00AC Special characters between 0x00A1 (161 decimal) and 0x00AC (172 decimal) from the Unicode C1 Controls and Latin-1 Supplement character range. Characters in this range are encoded when useNamedEntities is true.
0x00AE - 0x00FF Special characters between 0x00AE (174 decimal) and 0x00FF (255 decimal) from the Unicode C1 Controls and Latin-1 Supplement character range. Characters in this range are encoded when useNamedEntities is true.
0x0100 - 0x017F Characters between 0x0100 (256 decimal) and 0x017F (383 decimal). (The Unicode Latin-Extended-A character range.)
0x0180 - 0x024F Characters between 0x0180 (384 decimal) and 0x024F (591 decimal). (The Unicode Latin-Extended-B character range.)
0x0250 - 0x02AF Characters between 0x0250 (592 decimal) and 0x02AF (687 decimal). (The Unicode IPA Extensions character range.)
0x02B0 - 0x02FF Characters between 0x02B0 (688 decimal) and 0x02FF (767 decimal). (The Unicode Spacing Modifier Letters character range.)
0x0300 - 0x036F Characters between 0x0300 (768 decimal) and 0x036F (879 decimal). (The Unicode Combining Diacritical Marks character range.)

The following table lists examples of inputs and the corresponding encoded outputs.

alert('XSS Attack!'); alert(&#39;XSS&#32;Attack!&#39;);
<script>alert('XSS Attack!');</script> &lt;script&gt;alert(&#39;XSS Attack!&#39;);&lt;/script&gt;
alert('XSSあAttack!'); alert(&#39;XSS&#12354;Attack!&#39;);
user@contoso.com user@contoso.com
"Anti-Cross Site Scripting Namespace" &quot;Anti-Cross&#32;Site&#32;Scripting&#32;Namespace&quot;

To customize the safe list, call the MarkAsSafe method.

Applies to