AntiXssEncoder Class

.NET Framework 4.5

Encodes a string for use in HTML, XML, CSS, and URL strings.

System.Object
  System.Web.Util.HttpEncoder
    System.Web.Security.AntiXss.AntiXssEncoder

Namespace:  System.Web.Security.AntiXss
Assembly:  System.Web (in System.Web.dll)

type AntiXssEncoder =  
    class 
        inherit HttpEncoder 
    end

The AntiXssEncoder type exposes the following members.

| Access | Name | Description |
| --- | --- | --- |
| Public method | AntiXssEncoder | Initializes a new instance of the AntiXssEncoder class. |

| Access | Name | Description |
| --- | --- | --- |
| Public method, static member | CssEncode | Encodes the specified string for use in cascading style sheets (CSS). |
| Public method | Equals(Object) | Determines whether the specified object is equal to the current object. (Inherited from Object.) |
| Protected method | Finalize | Allows an object to try to free resources and perform other cleanup operations before it is reclaimed by garbage collection. (Inherited from Object.) |
| Public method | GetHashCode | Serves as the default hash function. (Inherited from Object.) |
| Public method | GetType | Gets the Type of the current instance. (Inherited from Object.) |
| Protected method | HeaderNameValueEncode | Encodes a header name and value into a string that can be used as an HTTP header. (Inherited from HttpEncoder.) |
| Protected method | HtmlAttributeEncode | Encodes and outputs the specified string for use in an HTML attribute. (Overrides HttpEncoder.HtmlAttributeEncode(String, TextWriter).) |
| Protected method | HtmlDecode | Decodes a value from an HTML-encoded string. (Inherited from HttpEncoder.) |
| Public method, static member | HtmlEncode(String, Boolean) | Encodes the specified string for use as text in HTML markup and optionally specifies whether to use HTML 4.0 named entities. |
| Protected method | HtmlEncode(String, TextWriter) | Encodes the specified string for use as text in HTML markup and outputs the string by using the specified text writer. (Overrides HttpEncoder.HtmlEncode(String, TextWriter).) |
| Public method, static member | HtmlFormUrlEncode(String) | Encodes the specified string for use in form submissions whose MIME type is "application/x-www-form-urlencoded". |
| Public method, static member | HtmlFormUrlEncode(String, Int32) | Encodes the specified string for use in form submissions whose MIME type is "application/x-www-form-urlencoded" by using the specified code page. |
| Public method, static member | HtmlFormUrlEncode(String, Encoding) | Encodes the specified string for form submissions whose MIME type is "application/x-www-form-urlencoded" by using the specified character encoding type. |
| Protected method | JavaScriptStringEncode | Encodes a string. (Inherited from HttpEncoder.) |
| Public method, static member | MarkAsSafe | Marks characters from the specified Unicode code charts as safe. |
| Protected method | MemberwiseClone | Creates a shallow copy of the current Object. (Inherited from Object.) |
| Public method | ToString | Returns a string that represents the current object. (Inherited from Object.) |
| Public method, static member | UrlEncode(String) | Encodes the specified string for use in a URL. |
| Public method, static member | UrlEncode(String, Int32) | Encodes the specified string for use in a URL by using the specified code page. |
| Public method, static member | UrlEncode(String, Encoding) | Encodes the specified string for use in a URL by using the specified character encoding type. |
| Protected method | UrlEncode(Byte[], Int32, Int32) | Encodes the specified byte array for use in a URL, starting at the specified offset in the byte array and encoding the specified number of bytes. (Overrides HttpEncoder.UrlEncode(Byte[], Int32, Int32).) |
| Protected method | UrlPathEncode | Encodes path strings for use in a URL. (Overrides HttpEncoder.UrlPathEncode(String).) |
| Public method, static member | XmlAttributeEncode | Encodes the specified string for use in XML attributes. |
| Public method, static member | XmlEncode | Encodes the specified string for use in XML attributes. |

You can use the AntiXssEncoder class to override the HttpEncoder class that is used by default to encode and decode strings in methods of classes such as HttpUtility, HttpServerUtility, and HttpResponseHeader.

In the AntiXssEncoder class, all characters that are not found in the safe list are encoded by the HtmlAttributeEncode and HtmlEncode methods.

To replace the HttpEncoder class with the AntiXssEncoder class, register it by using the encoderType attribute of the httpRuntime element in the Web.config file, as shown in the following example:

<httpRuntime encoderType="System.Web.Security.AntiXss.AntiXssEncoder" />

A list of default safe characters for different encoding methods can be found in the remarks for the HtmlAttributeEncode, HtmlEncode, XmlAttributeEncode, and XmlEncode methods. The default safe list can be modified by using the MarkAsSafe method.
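The following C# console program is an added example, not code from the original page. It shows the effect of replacing the default encoder and encodes each untrusted value with the method that matches its output context. The `RenderLink` helper, the class name, and all input strings are assumptions made for illustration, and the encoder is assigned through `HttpEncoder.Current` because a console program has no Web.config.

```csharp
// Added example, not from the original page. Needs a reference to System.Web.dll
// (.NET Framework 4.5 or later). All input values below are constructed samples.
using System;
using System.Web;
using System.Web.Security.AntiXss;
using System.Web.Util;

static class AntiXssEncoderDemo
{
    // Hypothetical helper: builds one link, encoding each untrusted value
    // with the method that matches the context it is written into.
    static string RenderLink(string label, string query, string font)
    {
        return string.Format(
            "<a href=\"/search?q={0}\" title=\"{1}\" style=\"font-family:'{2}'\">{3}</a>",
            AntiXssEncoder.UrlEncode(query),          // URL query-string value
            HttpUtility.HtmlAttributeEncode(label),   // HTML attribute value
            AntiXssEncoder.CssEncode(font),           // CSS string value
            AntiXssEncoder.HtmlEncode(label, false)); // HTML text; false = no HTML 4.0 named entities
    }

    static void Main()
    {
        string label = "\"><script>alert(1)</script> caf\u00e9";
        string query = "a&b=c d#frag";
        string font  = "x'; background:url(//example.invalid/)";

        // Default HttpEncoder, shown for comparison.
        Console.WriteLine("default : " + HttpUtility.HtmlEncode(label));

        // In a console program there is no Web.config to read, so the encoder is
        // swapped in code; in a web application the encoderType attribute does this.
        HttpEncoder.Current = new AntiXssEncoder();

        // HttpUtility now delegates to AntiXssEncoder's overrides.
        Console.WriteLine("antixss : " + HttpUtility.HtmlEncode(label));
        Console.WriteLine("named   : " + AntiXssEncoder.HtmlEncode(label, true));
        Console.WriteLine("link    : " + RenderLink(label, query, font));
    }
}
```

Comparing the "default" and "antixss" lines shows which characters the safe-list approach encodes that the default encoder leaves untouched.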

.NET Framework

Supported in: 4.5.2, 4.5.1, 4.5

Windows 8.1, Windows Server 2012 R2, Windows 8, Windows Server 2012, Windows 7, Windows Vista SP2, Windows Server 2008 (Server Core Role not supported), Windows Server 2008 R2 (Server Core Role supported with SP1 or later; Itanium not supported)

The .NET Framework does not support all versions of every platform. For a list of the supported versions, see .NET Framework System Requirements.

Any public static (Shared in Visual Basic) members of this type are thread safe. Any instance members are not guaranteed to be thread safe.
© 2014 Microsoft