AntiXssEncoder.HtmlAttributeEncode(String, TextWriter) Method
Definition
Important
Some information relates to prerelease product that may be substantially modified before it’s released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
Encodes and outputs the specified string for use in an HTML attribute.
protected public:
override void HtmlAttributeEncode(System::String ^ value, System::IO::TextWriter ^ output);protected internal override void HtmlAttributeEncode (string value, System.IO.TextWriter output);override this.HtmlAttributeEncode : string * System.IO.TextWriter -> unitProtected Friend Overrides Sub HtmlAttributeEncode (value As String, output As TextWriter)Parameters
- value
- String
The string to encode.
- output
- TextWriter
The text writer to use to output the string.
Remarks
This method encodes all characters except those that are in the safe list. Characters are encoded by using &#DECIMAL; notation.
Note
Put double quotation marks (" ") or single quotation marks (' ') around the resulting string before you add it to a page.
The following table lists the default safe characters. All are from the Unicode C0 Controls and Basic Latin character range unless noted in the Description column.
| Character(s) | Description |
|---|---|
| A-Z | Uppercase Latin alphabetic characters |
| a-z | Lowercase Latin alphabetic characters |
| 0-9 | Numbers |
| ! | Exclamation mark |
| # | Number sign, hash |
| $ | Dollar sign |
| % | Percent sign |
| ( ) | Parentheses |
| * | Asterisk |
| + | Plus sign |
| , | Comma |
| - | Hyphen, minus |
| . | Period, dot, full stop |
| / | Slash |
| : | Colon |
| ; | Semicolon |
| = | Equals sign |
| ? | Question mark |
| @ | Commercial at-sign |
| [ ] | Square brackets |
| \ | Backslash |
| ^ | Caret |
| _ | Underscore |
| ` | Grave accent |
| { } | Braces, curly brackets |
| | | Vertical line |
| ~ | Tilde |
| 0x00A1 - 0x00AC | Special characters between 0x00A1 (161 decimal) and 0x00AC (172 decimal) from the Unicode C1 Controls and Latin-1 Supplement character range. |
| 0x00AE - 0x00FF | Special characters between 0x00AE (174 decimal) and 0x00FF (255 decimal) from the Unicode C1 Controls and Latin-1 Supplement character range. |
| 0x0100 - 0x017F | Characters between 0x0100 (256 decimal) and 0x017F (383 decimal). (The Unicode Latin-Extended-A character range.) |
| 0x0180 - 0x024F | Characters between 0x0180 (384 decimal) and 0x024F (591 decimal). (The Unicode Latin-Extended-B character range.) |
| 0x0250 - 0x02AF | Characters between 0x0250 (592 decimal) and 0x02AF (687 decimal). (The Unicode IPA Extensions character range.) |
| 0x02B0 - 0x02FF | Characters between 0x02B0 (688 decimal) and 0x02FF (767 decimal). (The Unicode Spacing Modifier Letters character range.) |
| 0x0300 - 0x036F | Characters between 0x0300 (768 decimal) and 0x036F (879 decimal). (The Unicode Combining Diacritical Marks character range.) |
The following table lists examples of inputs and the corresponding encoded outputs.
| Input examples | Encoded outputs |
|---|---|
alert('XSS Attack!'); |
alert('XSS Attack!'); |
<script>alert('XSS Attack!');</script> |
<script>alert('XSS Attack!');</script> |
alert('XSSあAttack!'); |
alert('XSSあAttack!'); |
user@contoso.com |
user@contoso.com |
"Anti-Cross Site Scripting Namespace" |
"Anti-Cross Site Scripting Namespace" |
To customize the safe list, call the MarkAsSafe method.
