
AntiXssEncoder.HtmlAttributeEncode Method

.NET Framework 4.6 and 4.5

Encodes and outputs the specified string for use in an HTML attribute.

Namespace:  System.Web.Security.AntiXss
Assembly:  System.Web (in System.Web.dll)

protected internal override void HtmlAttributeEncode(
	string value,
	TextWriter output
)

Parameters

value
Type: System.String

The string to encode.

output
Type: System.IO.TextWriter

The text writer to use to output the string.

Exceptions

Exception                        Condition
InvalidUnicodeValueException     input contains a character that has an invalid Unicode value.
InvalidSurrogatePairException    input contained a high surrogate code point that was not followed by a low surrogate code point.
                                 -or-
                                 input contained a low surrogate code point that was not preceded by a high surrogate code point.

This method encodes all characters except those that are in the safe list. Characters are encoded by using &#DECIMAL; notation.

Note

Put double quotation marks (" ") or single quotation marks (' ') around the resulting string before you add it to a page.

The following table lists the default safe characters.

Unicode code chart                  Character(s)     Description
C0 Controls and Basic Latin         A-Z              Uppercase Latin alphabetic characters
C0 Controls and Basic Latin         a-z              Lowercase Latin alphabetic characters
C0 Controls and Basic Latin         0-9              Numbers
C0 Controls and Basic Latin         !                Exclamation mark
C0 Controls and Basic Latin         #                Number sign, hash
C0 Controls and Basic Latin         $                Dollar sign
C0 Controls and Basic Latin         %                Percent sign
C0 Controls and Basic Latin         ( )              Parentheses
C0 Controls and Basic Latin         *                Asterisk
C0 Controls and Basic Latin         +                Plus sign
C0 Controls and Basic Latin         ,                Comma
C0 Controls and Basic Latin         -                Hyphen, minus
C0 Controls and Basic Latin         .                Period, dot, full stop
C0 Controls and Basic Latin         /                Slash
C0 Controls and Basic Latin         :                Colon
C0 Controls and Basic Latin         ;                Semicolon
C0 Controls and Basic Latin         =                Equals sign
C0 Controls and Basic Latin         ?                Question mark
C0 Controls and Basic Latin         @                Commercial at-sign
C0 Controls and Basic Latin         [ ]              Square brackets
C0 Controls and Basic Latin         \                Backslash
C0 Controls and Basic Latin         ^                Caret
C0 Controls and Basic Latin         _                Underscore
C0 Controls and Basic Latin         `                Grave accent
C0 Controls and Basic Latin         { }              Braces, curly brackets
C0 Controls and Basic Latin         |                Vertical line
C0 Controls and Basic Latin         ~                Tilde
C1 Controls and Latin-1 Supplement  0x00A1 - 0x00AC  Special characters between 0x00A1 (161 decimal) and 0x00AC (172 decimal).
C1 Controls and Latin-1 Supplement  0x00AE - 0x00FF  Special characters between 0x00AE (174 decimal) and 0x00FF (255 decimal).
Latin-Extended-A                    0x0100 - 0x017F  Latin extended characters between 0x0100 (256 decimal) and 0x017F (383 decimal).
Latin-Extended-B                    0x0180 - 0x024F  Latin extended characters between 0x0180 (384 decimal) and 0x024F (591 decimal).
IPA Extensions                      0x0250 - 0x02AF  IPA Extension characters between 0x0250 (592 decimal) and 0x02AF (687 decimal).
Spacing Modifier Letters            0x02B0 - 0x02FF  Spacing modifier letter characters between 0x02B0 (688 decimal) and 0x02FF (767 decimal).
Combining Diacritical Marks         0x0300 - 0x036F  Combining diacritical mark characters between 0x0300 (768 decimal) and 0x036F (879 decimal).

The following table lists examples of inputs and the corresponding encoded outputs.

Input                                   Encoded output
alert('XSS Attack!');                   alert('XSS Attack!');
<script>alert('XSS Attack!');</script>  &lt;script&gt;alert(&#39;XSS Attack!&#39;);&lt;/script&gt;
alert('XSSあAttack!');                  alert(&#39;XSS&#12354;Attack!&#39;);
user@contoso.com                        user@contoso.com
"Anti-Cross Site Scripting Namespace"   &quot;Anti-Cross&#32;Site&#32;Scripting&#32;Namespace&quot;

To customize the safe list, call the MarkAsSafe method.
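The encoding rule above (every character outside the safe list becomes &#DECIMAL;) and the two surrogate conditions in the exception table, as an added Python reference model that is not the library's own code. It assumes the safe list is exactly the table above and follows the prose rule literally, so it emits &#34; and &#60; where the example table shows the library itself producing &quot; and &lt;; the InvalidUnicodeValueException condition is not modelled because the page does not define it.

```python
"""Reference model of the safe-list rule documented for HtmlAttributeEncode.

Added example, not the .NET library's code: every UTF-16 code unit outside
the documented safe list is emitted as &#DECIMAL;, surrogate pairs are
combined into one code point first, and unpaired surrogates raise, as the
InvalidSurrogatePairException conditions describe."""

# Safe list transcribed from the documentation table.
SAFE_ASCII = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
    "!#$%()*+,-./:;=?@[]\\^_`{}|~"
)
SAFE_RANGES = [(0x00A1, 0x00AC), (0x00AE, 0x00FF), (0x0100, 0x017F),
               (0x0180, 0x024F), (0x0250, 0x02AF), (0x02B0, 0x02FF),
               (0x0300, 0x036F)]


class InvalidSurrogatePairException(ValueError):
    """Stands in for the documented .NET exception of the same name."""


def is_safe(cp: int) -> bool:
    """True when the code point is in the default safe list."""
    if cp < 0x80:
        return chr(cp) in SAFE_ASCII
    return any(lo <= cp <= hi for lo, hi in SAFE_RANGES)


def html_attribute_encode(value: str) -> str:
    """Encode value for an HTML attribute per the documented rule."""
    # .NET strings are UTF-16, so work on code units to model the surrogate
    # checks; surrogatepass keeps lone surrogates so they can be rejected.
    raw = value.encode("utf-16-le", "surrogatepass")
    units = [int.from_bytes(raw[i:i + 2], "little") for i in range(0, len(raw), 2)]
    out, i = [], 0
    while i < len(units):
        u = units[i]
        if 0xD800 <= u <= 0xDBFF:  # high surrogate: needs a low one right after
            if i + 1 == len(units) or not 0xDC00 <= units[i + 1] <= 0xDFFF:
                raise InvalidSurrogatePairException("high surrogate not followed by low surrogate")
            cp = 0x10000 + ((u - 0xD800) << 10) + (units[i + 1] - 0xDC00)
            out.append(f"&#{cp};")  # never safe: every safe range lies below 0x0370
            i += 2
            continue
        if 0xDC00 <= u <= 0xDFFF:  # low surrogate with no preceding high one
            raise InvalidSurrogatePairException("low surrogate not preceded by high surrogate")
        out.append(chr(u) if is_safe(u) else f"&#{u};")
        i += 1
    return "".join(out)
```

Note that the soft hyphen (0x00AD) sits in the gap between the two Latin-1 ranges and is therefore encoded, while its neighbours pass through unchanged.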

.NET Framework

Supported in: 4.6, 4.5
© 2015 Microsoft