AntiXssEncoder.HtmlFormUrlEncode Method (String, Encoding)
Encodes the specified string for form submissions whose MIME type is "application/x-www-form-urlencoded" by using the specified character encoding type.
Assembly: System.Web (in System.Web.dll)
Parameters
- input
  Type: System.String
  The string to encode.
- inputEncoding
  Type: System.Text.Encoding
  The input encoding type.
This method encodes all characters except those that are in the safe list. Characters are encoded by using %SINGLE_BYTE_HEX notation.
Note |
|---|
Put double quotation marks (" ") or single quotation marks (' ') around the resulting string before you add it to a page. |
The following table lists the default safe characters.
| Unicode code chart | Character(s) | Description |
|---|---|---|
| | A-Z | Uppercase alphabetic characters |
| | a-z | Lowercase alphabetic characters |
| | 0-9 | Numbers |
| | - | Hyphen, minus |
| | . | Period, dot, full stop |
| | _ | Underscore |
| | ~ | Tilde |
The following table lists examples of inputs and the corresponding encoded outputs.
Input | Encoded output |
|---|---|
alert('XSS Attack!'); | alert%28%27XSS+Attack%21%27%29%3b |
<script>alert('XSS Attack!');</script> | %3cscript%3ealert%28%27XSS+Attack%21%27%29%3b%3c%2fscript%3e |
alert('XSSあAttack!'); | alert%28%27XSS%e3%81%82Attack%21%27%29%3b |
user@contoso.com | user%40contoso.com |
Anti-Cross Site Scripting Namespace | Anti-Cross+Site+Scripting+Namespace |
Available since 4.5
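
The following is an added usage example, not code from the original documentation. It encodes untrusted field names and values into an "application/x-www-form-urlencoded" body and places one encoded value inside a quoted attribute, as the note above directs. The `BuildFormBody` helper, the field names, the `/search` path, and the sample values are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Text;
using System.Web.Security.AntiXss; // System.Web.dll, .NET Framework 4.5 or later

static class FormUrlEncodeExample
{
    // Hypothetical helper: every name and value is encoded separately, so
    // untrusted text cannot introduce its own '&' or '=' delimiters.
    static string BuildFormBody(IEnumerable<KeyValuePair<string, string>> fields,
                                Encoding inputEncoding)
    {
        var body = new StringBuilder();
        foreach (var field in fields)
        {
            if (body.Length > 0) body.Append('&');
            body.Append(AntiXssEncoder.HtmlFormUrlEncode(field.Key, inputEncoding));
            body.Append('=');
            body.Append(AntiXssEncoder.HtmlFormUrlEncode(field.Value ?? string.Empty, inputEncoding));
        }
        return body.ToString();
    }

    static void Main()
    {
        // Constructed sample input; two values reuse inputs from the table above.
        var fields = new[]
        {
            new KeyValuePair<string, string>("email", "user@contoso.com"),
            new KeyValuePair<string, string>("comment", "<script>alert('XSS Attack!');</script>"),
            new KeyValuePair<string, string>("filter", "a&b=c") // delimiters inside a value
        };
        Console.WriteLine(BuildFormBody(fields, Encoding.UTF8));

        // The encoded value goes inside double quotation marks when added to markup.
        string q = AntiXssEncoder.HtmlFormUrlEncode("alert('XSS Attack!');", Encoding.UTF8);
        Console.WriteLine("<a href=\"/search?q=" + q + "\">results</a>");

        // Non-ASCII characters are percent-encoded byte by byte in inputEncoding,
        // so the receiver has to decode with the same encoding the sender chose.
        Console.WriteLine(AntiXssEncoder.HtmlFormUrlEncode("あ", Encoding.UTF8));
        Console.WriteLine(AntiXssEncoder.HtmlFormUrlEncode("あ", Encoding.GetEncoding("shift_jis")));
    }
}
```

Compile against System.Web.dll; the last two lines print different byte sequences for the same character because the two encodings represent it with different bytes.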
