AntiXssEncoder.CssEncode Method (String)
Encodes the specified string for use in cascading style sheets (CSS).
Assembly: System.Web (in System.Web.dll)
Parameters
input
Type: System.String
The string to encode.
Return Value
Type: System.String
The encoded string.
| Exception | Condition |
|---|---|
| Microsoft.Security.Application.InvalidUnicodeValueException | input contains a character that has an invalid Unicode value. |
| Microsoft.Security.Application.InvalidSurrogatePairException | input contains a high surrogate code point that is not followed by a low surrogate code point, or a low surrogate code point that is not preceded by a high surrogate code point. |
This method encodes every character that is not in the safe list; each such character is replaced by a CSS escape sequence of a backslash followed by six hexadecimal digits.
Note: The encoded value is intended to be used as a quoted CSS string value. Put quotation marks (" ") around the resulting string before you add it to a cascading style sheet.
The following table lists the default safe characters.
| Character(s) | Description |
|---|---|
| A-Z | Uppercase alphabetic characters |
| a-z | Lowercase alphabetic characters |
| 0-9 | Digits |
The following table lists examples of inputs and the corresponding encoded outputs.
| Input | Encoded output |
|---|---|
| alert('XSS Attack!'); | alert\000028\000027XSS\000020Attack\000021\000027\000029\00003B |
| user@contoso.com | user\000040contoso\00002Ecom |
| Anti-Cross Site Scripting Namespace | Anti\00002DCross\000020Site\000020Scripting\000020Namespace |
A CSS character escape sequence consists of a backslash character (\) followed by one to six hexadecimal digits that represent a character code from the ISO 10646 standard. (The ISO 10646 standard is effectively equivalent to Unicode.) Any character other than a hexadecimal digit terminates the escape sequence, and exactly one whitespace character that follows the digits is consumed as part of the escape. If the character that follows the escape sequence is itself a valid hexadecimal digit, the escape must either use all six digits or be terminated by a whitespace character; otherwise a CSS parser reads the following digit as part of the escape. This method always emits six digits, so its output never needs a terminating space and cannot merge with the text that follows it. For example, \000020 denotes a space.
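The following is an added example, not code from System.Web or the AntiXSS library: a Python re-implementation of the encoding rule this page describes (safe list of ASCII letters and digits, every other character written as a backslash plus six upper-case hexadecimal digits, unpaired surrogates rejected), together with a decoder that consumes CSS escapes the way a CSS tokenizer does. The decoder is what makes the six-digit rule from the paragraph above visible: a short escape followed by a hexadecimal digit is read as a different code point. The exception class `InvalidSurrogatePairError`, the helper `font_family_rule`, and the treatment of a supplementary character as one six-digit escape of its combined code point are assumptions made for this example and follow the page's description rather than the library's source. The sample inputs are the three rows of the table above plus constructed edge cases.

```python
import struct

# Safe list from the table above: only ASCII letters and digits pass through unchanged.
SAFE = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789")
HEX_DIGITS = set("0123456789abcdefABCDEF")
CSS_WHITESPACE = " \t\n\r\f"


class InvalidSurrogatePairError(ValueError):
    """Hypothetical stand-in for the InvalidSurrogatePairException listed on this page."""


def _utf16_units(text):
    """Split a str into UTF-16 code units, the representation a .NET string uses.
    'surrogatepass' lets lone surrogates reach the validator instead of failing here."""
    data = text.encode("utf-16-le", "surrogatepass")
    return struct.unpack("<%dH" % (len(data) // 2), data)


def _scalar_values(units):
    """Combine surrogate pairs into single code points; reject unpaired surrogates."""
    i, n = 0, len(units)
    while i < n:
        u = units[i]
        if 0xD800 <= u <= 0xDBFF:                       # high surrogate
            if i + 1 >= n or not 0xDC00 <= units[i + 1] <= 0xDFFF:
                raise InvalidSurrogatePairError("high surrogate not followed by a low surrogate")
            yield 0x10000 + ((u - 0xD800) << 10) + (units[i + 1] - 0xDC00)
            i += 2
        elif 0xDC00 <= u <= 0xDFFF:                     # low surrogate on its own
            raise InvalidSurrogatePairError("low surrogate not preceded by a high surrogate")
        else:
            yield u
            i += 1


def css_encode(text):
    """Encode text for use inside a quoted CSS string, following the rule on this page:
    safe-list characters are copied; everything else becomes '\\' + six upper-case hex digits."""
    out = []
    for cp in _scalar_values(_utf16_units(text)):
        ch = chr(cp)
        out.append(ch if ch in SAFE else "\\%06X" % cp)
    return "".join(out)


def css_unescape(encoded):
    """Decode CSS character escapes the way a CSS tokenizer consumes them: a backslash,
    then one to six hex digits, then one optional whitespace character that is swallowed
    as the terminator. A backslash before any other character escapes it literally.
    (Backslash-newline line continuations inside string tokens are not modelled here.)"""
    out, i, n = [], 0, len(encoded)
    while i < n:
        if encoded[i] != "\\":
            out.append(encoded[i])
            i += 1
            continue
        i += 1                                          # skip the backslash
        j = i
        while j < n and j - i < 6 and encoded[j] in HEX_DIGITS:
            j += 1
        if j == i:                                      # not a hex escape
            out.append(encoded[i] if i < n else "\ufffd")
            i += 1
            continue
        cp = int(encoded[i:j], 16)
        if cp == 0 or 0xD800 <= cp <= 0xDFFF or cp > 0x10FFFF:
            cp = 0xFFFD                                 # CSS maps these to U+FFFD
        out.append(chr(cp))
        i = j
        if i < n and encoded[i] in CSS_WHITESPACE:
            i += 1                                      # exactly one terminator is dropped
    return "".join(out)


def rejects_lone_surrogate(text):
    """True if css_encode refuses the input because of an unpaired surrogate."""
    try:
        css_encode(text)
    except InvalidSurrogatePairError:
        return True
    return False


def short_escape_ambiguity():
    """Why six digits matter: '\\20' followed by 'A' is read as U+020A by a CSS parser,
    whereas the six-digit form '\\000020A' decodes to a space followed by 'A'."""
    return css_unescape("\\20A"), css_unescape("\\000020A")


def font_family_rule(font_name):
    """Hypothetical helper applying the note above: the encoded value is wrapped in
    quotation marks before it is placed in a style sheet declaration."""
    return 'font-family: "%s";' % css_encode(font_name)


if __name__ == "__main__":
    for sample in ("alert('XSS Attack!');", "user@contoso.com", "Anti-Cross Site Scripting Namespace"):
        enc = css_encode(sample)
        assert css_unescape(enc) == sample                 # encoding round-trips through a CSS parser
        print(sample, "->", enc)
    print(short_escape_ambiguity())
    print(font_family_rule('Arial"; } body { background: url(http://evil.example/) }'))
```

Running the script prints the three encodings from the table above, the pair `('Ȋ', ' A')` that shows how a short escape merges with a following hexadecimal digit, and a `font-family` declaration in which the quote, braces, parentheses and slashes of the constructed hostile input are all reduced to six-digit escapes inside the quoted string.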
Version Information
.NET Framework: Available since 4.5
