AntiXssEncoder.XmlEncode Method
Encodes the specified string for use in XML attributes.
Assembly: System.Web (in System.Web.dll)
Parameters
- input
  Type: System.String
  The string to encode.
| Exception | Condition |
|---|---|
| InvalidUnicodeValueException | input contains a character that has an invalid Unicode value. |
| InvalidSurrogatePairException | input contained a high surrogate code point that was not followed by a low surrogate code point. -or- input contained a low surrogate code point that was not preceded by a high surrogate code point. |
This method encodes all characters except those that are in the safe list. Characters are encoded by using &#DECIMAL; notation.
Note: Put double quotation marks (" ") or single quotation marks (' ') around the resulting string before you add it to a page.
The following table lists the default safe characters.
| Character(s) | Description |
|---|---|
| A-Z | Uppercase Latin alphabetic characters |
| a-z | Lowercase Latin alphabetic characters |
| 0-9 | Numbers |
| (Space) | Space |
| ! | Exclamation mark |
| # | Number sign, hash |
| $ | Dollar sign |
| % | Percent sign |
| ( ) | Parentheses |
| * | Asterisk |
| + | Plus sign |
| , | Comma |
| - | Hyphen, minus |
| . | Period |
| / | Slash |
| : | Colon |
| ; | Semicolon |
| = | Equals sign |
| ? | Question mark |
| @ | Commercial at |
| [ ] | Square brackets |
| \ | Backslash |
| ^ | Caret |
| _ | Underscore |
| ` | Grave accent |
| { } | Braces, curly brackets |
| \| | Vertical line |
| ~ | Tilde |
| 0x00A1 - 0x00AC | Special characters between 0x00A1 (161 decimal) and 0x00AC (172 decimal). Characters in this range are encoded when useNamedEntities is true. |
| 0x00AE - 0x00FF | Special characters between 0x00AE (174 decimal) and 0x00FF (255 decimal). Characters in this range are encoded when useNamedEntities is true. |
| 0x0100 - 0x017F | Latin extended characters between 0x0100 (256 decimal) and 0x017F (383 decimal). |
| 0x0180 - 0x024F | Latin extended characters between 0x0180 (384 decimal) and 0x024F (591 decimal). |
| 0x0250 - 0x02AF | IPA Extension characters between 0x0250 (592 decimal) and 0x02AF (687 decimal). |
| 0x02B0 - 0x02FF | Spacing modifier letter characters between 0x02B0 (688 decimal) and 0x02FF (767 decimal). |
| 0x0300 - 0x036F | Combining diacritical mark characters between 0x0300 (768 decimal) and 0x036F (879 decimal). |
The following table lists examples of inputs and the corresponding encoded outputs. Each character outside the safe list is replaced by its decimal character reference (for example, the apostrophe is 39 decimal, so it becomes &#39;).

| Input | Encoded output |
|---|---|
| alert('XSS Attack!'); | alert(&#39;XSS Attack!&#39;); |
| <script>alert('XSS Attack!');</script> | &#60;script&#62;alert(&#39;XSS Attack!&#39;);&#60;/script&#62; |
| alert('XSSあAttack!'); | alert(&#39;XSS&#12354;Attack!&#39;); |
| user@contoso.com | user@contoso.com |
| "Anti-Cross Site Scripting Namespace" | &#34;Anti-Cross Site Scripting Namespace&#34; |
To customize the safe list, call the MarkAsSafe method.
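The following is an added reference model of the rule described above (encode every character outside the default safe list as a decimal character reference, reject unpaired surrogates, and quote the result before placing it in an attribute). It is illustration code written for this page, not the System.Web implementation, and it does not call AntiXssEncoder. The function and class names (xml_encode, xml_attribute, InvalidSurrogatePairError), the SAFE_ASCII and SAFE_RANGES tables, and the choice to treat the 0x00A1 to 0x036F rows exactly as the safe-list table lists them are all assumptions of this example; the "invalid Unicode value" condition is not modeled.

```python
# Added reference model of the AntiXssEncoder.XmlEncode safe-list rule.
# Assumption: names and tables below are this example's own, not System.Web's.

# Printable ASCII safe list from the documentation table. Note that & < > " '
# are deliberately absent, so they are always encoded.
SAFE_ASCII = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
    " !#$%()*+,-./:;=?@[\\]^_`{|}~"
)

# Non-ASCII ranges listed as safe in the table (inclusive). 0x00AD, the soft
# hyphen, sits in the gap between the first two rows and is therefore encoded.
SAFE_RANGES = [
    (0x00A1, 0x00AC),
    (0x00AE, 0x00FF),
    (0x0100, 0x017F),
    (0x0180, 0x024F),
    (0x0250, 0x02AF),
    (0x02B0, 0x02FF),
    (0x0300, 0x036F),
]


class InvalidSurrogatePairError(ValueError):
    """Models the documented InvalidSurrogatePairException condition."""


def is_safe(cp: int) -> bool:
    """True if the code point is on the default safe list."""
    if cp < 0x80:
        return chr(cp) in SAFE_ASCII
    return any(lo <= cp <= hi for lo, hi in SAFE_RANGES)


def xml_encode(text: str) -> str:
    """Encode every character outside the safe list as &#DECIMAL;.

    Walks the string as UTF-16-style code units so that a lone high or low
    surrogate is rejected, mirroring the exception table above. Python
    strings may also carry astral characters as single code points; those
    are simply encoded by their value.
    """
    out = []
    i, n = 0, len(text)
    while i < n:
        cp = ord(text[i])
        i += 1
        if 0xD800 <= cp <= 0xDBFF:
            # High surrogate: the next unit must be a low surrogate.
            if i >= n or not (0xDC00 <= ord(text[i]) <= 0xDFFF):
                raise InvalidSurrogatePairError(
                    "high surrogate not followed by a low surrogate")
            cp = 0x10000 + ((cp - 0xD800) << 10) + (ord(text[i]) - 0xDC00)
            i += 1
        elif 0xDC00 <= cp <= 0xDFFF:
            # Low surrogate with no preceding high surrogate.
            raise InvalidSurrogatePairError(
                "low surrogate not preceded by a high surrogate")
        out.append(chr(cp) if is_safe(cp) else f"&#{cp};")
    return "".join(out)


def xml_attribute(name: str, value: str) -> str:
    """Build name="value" with the value encoded and quoted, as the note advises."""
    return f'{name}="{xml_encode(value)}"'


if __name__ == "__main__":
    # Constructed inputs taken from the examples table above.
    for sample in ["alert('XSS Attack!');",
                   "<script>alert('XSS Attack!');</script>",
                   "alert('XSSあAttack!');",
                   "user@contoso.com",
                   '"Anti-Cross Site Scripting Namespace"']:
        print(f"{sample!r} -> {xml_encode(sample)!r}")
    print(xml_attribute("title", 'say "hi" & <bye>'))
```

Because the result is placed inside quotes by xml_attribute, and both quote characters are always encoded, untrusted text cannot close the attribute early; the ampersand is also encoded, so the input cannot smuggle its own entity references through.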
Windows 8, Windows Server 2012, Windows 7, Windows Vista SP2, Windows Server 2008 (Server Core Role not supported), Windows Server 2008 R2 (Server Core Role supported with SP1 or later; Itanium not supported)
The .NET Framework does not support all versions of every platform. For a list of the supported versions, see .NET Framework System Requirements.