
AntiXssEncoder::HtmlEncode Method (String, Boolean)

.NET Framework 4.5

Encodes the specified string for use as text in HTML markup and optionally specifies whether to use HTML 4.0 named entities.

Namespace:  System.Web.Security.AntiXss
Assembly:  System.Web (in System.Web.dll)

public:
static String^ HtmlEncode(
	String^ input, 
	bool useNamedEntities
)

Parameters

input
Type: System::String

The string to encode.

useNamedEntities
Type: System::Boolean

true to use HTML 4.0 named entities for certain character encodings; false to encode by using only &#DECIMAL; notation.

Return Value

Type: System::String
The encoded string.

Exceptions

| Exception | Condition |
| --- | --- |
| InvalidUnicodeValueException | input contains a character that has an invalid Unicode value. |
| InvalidSurrogatePairException | input contains a high surrogate code point that is not followed by a low surrogate code point, or a low surrogate code point that is not preceded by a high surrogate code point. |

This method encodes all characters except those that are in the safe list. Characters are encoded by using &#DECIMAL; notation.

Note

Put double quotation marks (" ") or single quotation marks (' ') around the resulting string before you add it to a page.

The following table lists the default safe characters.

| Unicode code chart | Character(s) | Description |
| --- | --- | --- |
| C0 Controls and Basic Latin | A-Z | Uppercase Latin alphabetic characters |
| C0 Controls and Basic Latin | a-z | Lowercase Latin alphabetic characters |
| C0 Controls and Basic Latin | 0-9 | Numbers |
| C0 Controls and Basic Latin | (Space) | Space |
| C0 Controls and Basic Latin | ! | Exclamation mark |
| C0 Controls and Basic Latin | # | Number sign, hash |
| C0 Controls and Basic Latin | $ | Dollar sign |
| C0 Controls and Basic Latin | % | Percent sign |
| C0 Controls and Basic Latin | ( ) | Parentheses |
| C0 Controls and Basic Latin | * | Asterisk |
| C0 Controls and Basic Latin | + | Plus sign |
| C0 Controls and Basic Latin | , | Comma |
| C0 Controls and Basic Latin | - | Hyphen, minus |
| C0 Controls and Basic Latin | . | Period, dot, full stop |
| C0 Controls and Basic Latin | / | Slash |
| C0 Controls and Basic Latin | : | Colon |
| C0 Controls and Basic Latin | ; | Semicolon |
| C0 Controls and Basic Latin | = | Equals sign |
| C0 Controls and Basic Latin | ? | Question mark |
| C0 Controls and Basic Latin | @ | Commercial at |
| C0 Controls and Basic Latin | [ ] | Square brackets |
| C0 Controls and Basic Latin | \ | Backslash |
| C0 Controls and Basic Latin | ^ | Caret |
| C0 Controls and Basic Latin | _ | Underscore |
| C0 Controls and Basic Latin | ` | Grave accent |
| C0 Controls and Basic Latin | { } | Braces, curly brackets |
| C0 Controls and Basic Latin | \| | Vertical line |
| C0 Controls and Basic Latin | ~ | Tilde |
| C1 Controls and Latin-1 Supplement | 0x00A1 - 0x00AC | Special characters between 0x00A1 (161 decimal) and 0x00AC (172 decimal). Characters in this range are encoded when useNamedEntities is true. |
| C1 Controls and Latin-1 Supplement | 0x00AE - 0x00FF | Special characters between 0x00AE (174 decimal) and 0x00FF (255 decimal). Characters in this range are encoded when useNamedEntities is true. |
| Latin Extended-A | 0x0100 - 0x017F | Latin extended characters between 0x0100 (256 decimal) and 0x017F (383 decimal). |
| Latin Extended-B | 0x0180 - 0x024F | Latin extended characters between 0x0180 (384 decimal) and 0x024F (591 decimal). |
| IPA Extensions | 0x0250 - 0x02AF | IPA Extension characters between 0x0250 (592 decimal) and 0x02AF (687 decimal). |
| Spacing Modifier Letters | 0x02B0 - 0x02FF | Spacing modifier letter characters between 0x02B0 (688 decimal) and 0x02FF (767 decimal). |
| Combining Diacritical Marks | 0x0300 - 0x036F | Combining diacritical mark characters between 0x0300 (768 decimal) and 0x036F (879 decimal). |

The following table lists examples of inputs and the corresponding encoded outputs.

| Input | Encoded output |
| --- | --- |
| alert('XSS Attack!'); | alert(&#39;XSS Attack!&#39;); |
| <script>alert('XSS Attack!');</script> | &lt;script&gt;alert(&#39;XSS Attack!&#39;);&lt;/script&gt; |
| alert('XSSあAttack!'); | alert(&#39;XSS&#12354;Attack!&#39;); |
| user@contoso.com | user@contoso.com |
| "Anti-Cross Site Scripting Namespace" | &quot;Anti-Cross&#32;Site&#32;Scripting&#32;Namespace&quot; |

To customize the safe list, call the MarkAsSafe method.
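As an added reference model (not Microsoft's implementation), the following Python mirrors the rules documented above: the default safe list, the useNamedEntities switch that decides whether the two Latin-1 Supplement ranges pass through or get encoded, &#DECIMAL; notation for everything else, and the UTF-16 surrogate-pair check behind InvalidSurrogatePairException. The named-entity table is a partial assumption (the real HTML 4.0 table is much larger), and so is the treatment of a valid surrogate pair as a single supplementary code point.

```python
import struct

class InvalidSurrogatePairException(ValueError):  # stands in for the documented exception
    pass

# Default safe list from the table above: Basic Latin letters, digits and the listed punctuation ...
_SAFE_ASCII = frozenset("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
                        " !#$%()*+,-./:;=?@[]\\^_`{}|~")
# ... plus these inclusive code point ranges (Latin Extended-A/B, IPA, spacing modifiers, combining marks).
_SAFE_RANGES = ((0x0100, 0x017F), (0x0180, 0x024F), (0x0250, 0x02AF), (0x02B0, 0x02FF), (0x0300, 0x036F))
# Latin-1 Supplement ranges pass through only when useNamedEntities is false (see the table).
_LATIN1_RANGES = ((0x00A1, 0x00AC), (0x00AE, 0x00FF))
# Partial HTML 4.0 named-entity map (assumption: a small subset; the real table is larger).
_NAMED = {0x22: "quot", 0x26: "amp", 0x3C: "lt", 0x3E: "gt", 0xA0: "nbsp",
          0xA1: "iexcl", 0xA9: "copy", 0xE9: "eacute", 0xFF: "yuml"}

def _in_ranges(cp, ranges):
    return any(lo <= cp <= hi for lo, hi in ranges)

def _code_points(text):
    """Walk the UTF-16 units of text, yielding code points and rejecting unpaired surrogates."""
    data = text.encode("utf-16-le", "surrogatepass")
    units = struct.unpack("<%dH" % (len(data) // 2), data)
    i = 0
    while i < len(units):
        u = units[i]
        if 0xD800 <= u <= 0xDBFF:  # high surrogate: must be followed by a low surrogate
            if i + 1 >= len(units) or not 0xDC00 <= units[i + 1] <= 0xDFFF:
                raise InvalidSurrogatePairException("high surrogate not followed by a low surrogate")
            yield 0x10000 + ((u - 0xD800) << 10) + (units[i + 1] - 0xDC00)
            i += 2
            continue
        if 0xDC00 <= u <= 0xDFFF:  # low surrogate without a preceding high surrogate
            raise InvalidSurrogatePairException("low surrogate not preceded by a high surrogate")
        yield u
        i += 1

def html_encode(text, use_named_entities=True):
    """Encode text for use as HTML text content, following the documented safe-list rules."""
    out = []
    for cp in _code_points(text):
        if ((cp < 0x80 and chr(cp) in _SAFE_ASCII) or _in_ranges(cp, _SAFE_RANGES)
                or (not use_named_entities and _in_ranges(cp, _LATIN1_RANGES))):
            out.append(chr(cp))  # safe-listed: emitted unchanged
        elif use_named_entities and cp in _NAMED:
            out.append("&%s;" % _NAMED[cp])
        else:  # everything else, supplementary characters included, becomes one &#DECIMAL; entity
            out.append("&#%d;" % cp)
    return "".join(out)
```

Run against the example inputs above, the model reproduces the documented outputs for the first four rows; for the Latin-1 rows it shows the switch in effect, with U+00E9 passing through when use_named_entities is False and becoming &eacute; when it is True.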

.NET Framework

Supported in: 4.5.2, 4.5.1, 4.5

Windows 8.1, Windows Server 2012 R2, Windows 8, Windows Server 2012, Windows 7, Windows Vista SP2, Windows Server 2008 (Server Core Role not supported), Windows Server 2008 R2 (Server Core Role supported with SP1 or later; Itanium not supported)

The .NET Framework does not support all versions of every platform. For a list of the supported versions, see .NET Framework System Requirements.

© 2014 Microsoft