AntiXssEncoder.CssEncode(String) Method


Encodes the specified string for use in cascading style sheets (CSS).

 static System::String ^ CssEncode(System::String ^ input);
public static string CssEncode (string input);
static member CssEncode : string -> string
Public Shared Function CssEncode (input As String) As String



The string to encode.


The encoded string.


This method encodes all characters except those that are in the safe list.


Put quotation marks (" ") around the resulting string before you add it to a cascading style sheet.

The following table lists the default safe characters. All are from the Unicode C0 Controls and Basic Latin character range.

Character(s) Description
A-Z Uppercase alphabetic characters
a-z Lowercase alphabetic characters
0-9 Numbers

The following table lists examples of inputs and the corresponding encoded outputs.

alert('XSS Attack!'); alert\000028\000027XSS\000020Attack\000021\000027\000029\00003B user\000040contoso\00002Ecom
Anti-Cross Site Scripting Namespace Anti\00002DCross\000020Site\000020Scripting\000020Namespace

The CSS character escape sequence consists of a backslash character (\) followed by up to six hexadecimal digits that represent a character code from the ISO 10646 standard. (The ISO 10646 standard is effectively equivalent to Unicode.) Any character other than a hexadecimal digit terminates the escape sequence. If a character that follows the escape sequence is also a valid hexadecimal digit, it must either include six digits in the escape sequence or use a white-space character to terminate the escape sequence. For example, \000020 denotes a space.

Applies to