AntiXssEncoder.HtmlEncode Method
Definition
Important
Some information relates to prerelease product that may be substantially modified before it’s released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
Encodes the specified string for use as text in HTML markup.
Overloads
| HtmlEncode(String, Boolean) |
Encodes the specified string for use as text in HTML markup and optionally specifies whether to use HTML 4.0 named entities. |
| HtmlEncode(String, TextWriter) |
Encodes the specified string for use as text in HTML markup and outputs the string by using the specified text writer. |
HtmlEncode(String, Boolean)
Encodes the specified string for use as text in HTML markup and optionally specifies whether to use HTML 4.0 named entities.
public:
static System::String ^ HtmlEncode(System::String ^ input, bool useNamedEntities);public static string HtmlEncode (string input, bool useNamedEntities);static member HtmlEncode : string * bool -> stringPublic Shared Function HtmlEncode (input As String, useNamedEntities As Boolean) As StringParameters
- input
- String
The string to encode.
- useNamedEntities
- Boolean
true to use HTML 4.0 named entities for certain character encodings; false to encode by using only &#DECIMAL; notation.
Returns
The encoded string.
Remarks
This method encodes all characters except those that are in the safe list. Characters are encoded by using &#DECIMAL; notation.
Note
Put double quotation marks (" ") or single quotation marks (' ') around the resulting string before you add it to a page.
The following table lists the default safe characters. All characters are from the Unicode C0 Controls and Basic Latin character range unless noted in the Description column.
| Character(s) | Description |
|---|---|
| A-Z | Uppercase Latin alphabetic characters |
| a-z | Lowercase Latin alphabetic characters |
| 0-9 | Numbers |
| (Space) | Space |
| ! | Exclamation mark |
| # | Number sign, hash |
| $ | Dollar sign |
| % | Percent sign |
| ( ) | Parentheses |
| * | Asterisk |
| + | Plus sign |
| , | Comma |
| - | Hyphen, minus |
| . | Period, dot, full stop |
| / | Slash |
| : | Colon |
| ; | Semicolon |
| = | Equals sign |
| ? | Question mark |
| @ | Commercial at |
| [ ] | Square brackets |
| \ | Backslash |
| ^ | Caret |
| _ | Underscore |
| ` | Grave accent |
| { } | Braces, curly brackets |
| | | Vertical line |
| ~ | Tilde |
| 0x00A1 - 0x00AC | Special characters between 0x00A1 (161 decimal) and 0x00AC (172 decimal) from the Unicode C1 Controls and Latin-1 Supplement character range. Characters in this range are encoded when useNamedEntities is true. |
| 0x00AE - 0x00FF | Special characters between 0x00AE (174 decimal) and 0x00FF (255 decimal) from the Unicode C1 Controls and Latin-1 Supplement character range. Characters in this range are encoded when useNamedEntities is true. |
| 0x0100 - 0x017F | Characters between 0x0100 (256 decimal) and 0x017F (383 decimal). (The Unicode Latin-Extended-A character range.) |
| 0x0180 - 0x024F | Characters between 0x0180 (384 decimal) and 0x024F (591 decimal). (The Unicode Latin-Extended-B character range.) |
| 0x0250 - 0x02AF | Characters between 0x0250 (592 decimal) and 0x02AF (687 decimal). (The Unicode IPA Extensions character range.) |
| 0x02B0 - 0x02FF | Characters between 0x02B0 (688 decimal) and 0x02FF (767 decimal). (The Unicode Spacing Modifier Letters character range.) |
| 0x0300 - 0x036F | Characters between 0x0300 (768 decimal) and 0x036F (879 decimal). (The Unicode Combining Diacritical Marks character range.) |
The following table lists examples of inputs and the corresponding encoded outputs.
alert('XSS Attack!'); |
alert('XSS Attack!'); |
<script>alert('XSS Attack!');</script> |
<script>alert('XSS Attack!');</script> |
alert('XSSあAttack!'); |
alert('XSSあAttack!'); |
user@contoso.com |
user@contoso.com |
"Anti-Cross Site Scripting Namespace" |
"Anti-Cross Site Scripting Namespace" |
To customize the safe list, call the MarkAsSafe method.
Applies to
HtmlEncode(String, TextWriter)
Encodes the specified string for use as text in HTML markup and outputs the string by using the specified text writer.
protected public:
override void HtmlEncode(System::String ^ value, System::IO::TextWriter ^ output);protected internal override void HtmlEncode (string value, System.IO.TextWriter output);override this.HtmlEncode : string * System.IO.TextWriter -> unitProtected Friend Overrides Sub HtmlEncode (value As String, output As TextWriter)Parameters
- value
- String
The string to encode.
- output
- TextWriter
The text writer to use to output the string.
Remarks
This method encodes all characters except those that are in the safe list. Characters are encoded by using &#DECIMAL; notation.
Note
Put double quotation marks (" ") or single quotation marks (' ') around the resulting string before you add it to a page.
The following table lists the default safe characters. All characters are from the Unicode C0 Controls and Basic Latin character range unless noted in the Description column.
| Character(s) | Description |
|---|---|
| A-Z | Uppercase Latin alphabetic characters |
| a-z | Lowercase Latin alphabetic characters |
| 0-9 | Numbers |
| (Space) | Space |
| ! | Exclamation mark |
| # | Number sign, hash |
| $ | Dollar sign |
| % | Percent sign |
| ( ) | Parentheses |
| * | Asterisk |
| + | Plus sign |
| , | Comma |
| - | Hyphen, minus |
| . | Period, dot, full stop |
| / | Slash |
| : | Colon |
| ; | Semicolon |
| = | Equals sign |
| ? | Question mark |
| @ | Commercial at |
| [ ] | Square brackets |
| \ | Backslash |
| ^ | Caret |
| _ | Underscore |
| ` | Grave accent |
| { } | Braces, curly brackets |
| | | Vertical line |
| ~ | Tilde |
| 0x00A1 - 0x00AC | Special characters between 0x00A1 (161 decimal) and 0x00AC (172 decimal) from the Unicode C1 Controls and Latin-1 Supplement character range. Characters in this range are encoded when useNamedEntities is true. |
| 0x00AE - 0x00FF | Special characters between 0x00AE (174 decimal) and 0x00FF (255 decimal) from the Unicode C1 Controls and Latin-1 Supplement character range. Characters in this range are encoded when useNamedEntities is true. |
| 0x0100 - 0x017F | Characters between 0x0100 (256 decimal) and 0x017F (383 decimal). (The Unicode Latin-Extended-A character range.) |
| 0x0180 - 0x024F | Characters between 0x0180 (384 decimal) and 0x024F (591 decimal). (The Unicode Latin-Extended-B character range.) |
| 0x0250 - 0x02AF | Characters between 0x0250 (592 decimal) and 0x02AF (687 decimal). (The Unicode IPA Extensions character range.) |
| 0x02B0 - 0x02FF | Characters between 0x02B0 (688 decimal) and 0x02FF (767 decimal). (The Unicode Spacing Modifier Letters character range.) |
| 0x0300 - 0x036F | Characters between 0x0300 (768 decimal) and 0x036F (879 decimal). (The Unicode Combining Diacritical Marks character range.) |
The following table lists examples of inputs and the corresponding encoded outputs.
alert('XSS Attack!'); |
alert('XSS Attack!'); |
<script>alert('XSS Attack!');</script> |
<script>alert('XSS Attack!');</script> |
alert('XSSあAttack!'); |
alert('XSSあAttack!'); |
user@contoso.com |
user@contoso.com |
"Anti-Cross Site Scripting Namespace" |
"Anti-Cross Site Scripting Namespace" |
To customize the safe list, call the MarkAsSafe method.
