AntiXssEncoder.CssEncode Method (String)

.NET Framework (current version)
 

Encodes the specified string for use in cascading style sheets (CSS).

Namespace:   System.Web.Security.AntiXss
Assembly:  System.Web (in System.Web.dll)

Public Shared Function CssEncode (
	input As String
) As String

Parameters

input
Type: System.String

The string to encode.

Return Value

Type: System.String

The encoded string.

| Exception | Condition |
| --- | --- |
| Microsoft.Security.Application.InvalidUnicodeValueException | input contains a character that has an invalid Unicode value. |
| Microsoft.Security.Application.InvalidSurrogatePairException | input contained a high surrogate code point that was not followed by a low surrogate code point. -or- input contained a low surrogate code point that was not preceded by a high surrogate code point. |

This method encodes all characters except those that are in the safe list.

Note

Put quotation marks (" ") around the resulting string before you add it to a cascading style sheet.

The following table lists the default safe characters.

| Unicode code chart | Character(s) | Description |
| --- | --- | --- |
| C0 Controls and Basic Latin | A-Z | Uppercase alphabetic characters |
| C0 Controls and Basic Latin | a-z | Lowercase alphabetic characters |
| C0 Controls and Basic Latin | 0-9 | Numbers |

The following table lists examples of inputs and the corresponding encoded outputs.

| Input | Encoded output |
| --- | --- |
| alert('XSS Attack!'); | alert\000028\000027XSS\000020Attack\000021\000027\000029\00003B |
| user@contoso.com | user\000040contoso\00002Ecom |
| Anti-Cross Site Scripting Namespace | Anti\00002DCross\000020Site\000020Scripting\000020Namespace |

The CSS character escape sequence consists of a backslash character (\) followed by up to six hexadecimal digits that represent a character code from the ISO 10646 standard. (The ISO 10646 standard is effectively equivalent to Unicode.) Any character other than a hexadecimal digit terminates the escape sequence. If the character that follows the escape sequence is itself a valid hexadecimal digit, the escape sequence must either use all six digits or be terminated by a whitespace character. For example, \000020 denotes a space.
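The following C# example is added here and is not part of the original documentation. It encodes untrusted text, adds the quotation marks the note above asks for, and uses a simplified model of CSS escape parsing to show why the six-digit form is unambiguous. The names CssEncodeExample, QuotedCssString and DecodeCssEscapes are hypothetical, and the code assumes a .NET Framework 4.5 console project that references System.Web.dll.

```csharp
using System;
using System.Globalization;
using System.Text.RegularExpressions;
using System.Web.Security.AntiXss;   // assumption: project references System.Web.dll

public static class CssEncodeExample
{
    // Hypothetical helper: emits untrusted text as a quoted CSS string value.
    public static string QuotedCssString(string untrusted)
    {
        // Encode first, then add the surrounding quotation marks,
        // as the note on this page directs.
        return "\"" + AntiXssEncoder.CssEncode(untrusted) + "\"";
    }

    // Simplified model of how a CSS parser reads an escape: a backslash,
    // one to six hexadecimal digits, then one optional whitespace terminator.
    // It is not the library's code and ignores other CSS escape forms.
    public static string DecodeCssEscapes(string css)
    {
        return Regex.Replace(css, @"\\([0-9A-Fa-f]{1,6})\s?", m =>
            char.ConvertFromUtf32(
                int.Parse(m.Groups[1].Value, NumberStyles.HexNumber)));
    }

    public static void Main()
    {
        // Inputs taken from the examples table on this page.
        string[] inputs = { "alert('XSS Attack!');", "user@contoso.com" };
        foreach (string input in inputs)
        {
            string encoded = AntiXssEncoder.CssEncode(input);
            Console.WriteLine("content: {0};", QuotedCssString(input));
            // Check that decoding the escapes restores the original text.
            Console.WriteLine("round-trips: {0}",
                DecodeCssEscapes(encoded) == input);
        }

        // Constructed strings for the terminator rule: compare a short escape
        // directly followed by the hex digit 'A' with the six-digit and
        // whitespace-terminated forms of the same intended text (space, then A).
        foreach (string css in new[] { @"\20A", @"\000020A", @"\20 A" })
        {
            Console.WriteLine("{0} decodes to space+A: {1}",
                css, DecodeCssEscapes(css) == " A");
        }
    }
}
```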

.NET Framework
Available since 4.5