AntiXssEncoder.XmlEncode Method (String)

Encodes the specified string for use in XML attributes.

Assembly: System.Web (in System.Web.dll)

Parameters

- input
  Type: System.String
  The string to encode.

Exceptions
| Exception | Condition |
|---|---|
| Microsoft.Security.Application.InvalidUnicodeValueException | input contains a character that has an invalid Unicode value. |
| Microsoft.Security.Application.InvalidSurrogatePairException | input contained a high surrogate code point that was not followed by a low surrogate code point, or input contained a low surrogate code point that was not preceded by a high surrogate code point. |

Remarks
This method encodes all characters except those that are in the safe list. Characters are encoded by using &#DECIMAL; notation.
Note: Put double quotation marks (" ") or single quotation marks (' ') around the resulting string before you add it to a page.
The following table lists the default safe characters.

| Unicode code chart | Character(s) | Description |
|---|---|---|
| Basic Latin | A-Z | Uppercase Latin alphabetic characters |
| Basic Latin | a-z | Lowercase Latin alphabetic characters |
| Basic Latin | 0-9 | Numbers |
| Basic Latin | (Space) | Space |
| Basic Latin | ! | Exclamation mark |
| Basic Latin | # | Number sign, hash |
| Basic Latin | $ | Dollar sign |
| Basic Latin | % | Percent sign |
| Basic Latin | ( ) | Parentheses |
| Basic Latin | * | Asterisk |
| Basic Latin | + | Plus sign |
| Basic Latin | , | Comma |
| Basic Latin | - | Hyphen, minus |
| Basic Latin | . | Period |
| Basic Latin | / | Slash |
| Basic Latin | : | Colon |
| Basic Latin | ; | Semicolon |
| Basic Latin | = | Equals sign |
| Basic Latin | ? | Question mark |
| Basic Latin | @ | Commercial at |
| Basic Latin | [ ] | Square brackets |
| Basic Latin | \ | Backslash |
| Basic Latin | ^ | Caret |
| Basic Latin | _ | Underscore |
| Basic Latin | ` | Grave accent |
| Basic Latin | { } | Braces, curly brackets |
| Basic Latin | \| | Vertical line |
| Basic Latin | ~ | Tilde |
| Latin-1 Supplement | 0x00A1 - 0x00AC | Special characters between 0x00A1 (161 decimal) and 0x00AC (172 decimal). Characters in this range are encoded when useNamedEntities is true. |
| Latin-1 Supplement | 0x00AE - 0x00FF | Special characters between 0x00AE (174 decimal) and 0x00FF (255 decimal). Characters in this range are encoded when useNamedEntities is true. |
| Latin Extended-A | 0x0100 - 0x017F | Latin extended characters between 0x0100 (256 decimal) and 0x017F (383 decimal). |
| Latin Extended-B | 0x0180 - 0x024F | Latin extended characters between 0x0180 (384 decimal) and 0x024F (591 decimal). |
| IPA Extensions | 0x0250 - 0x02AF | IPA Extension characters between 0x0250 (592 decimal) and 0x02AF (687 decimal). |
| Spacing Modifier Letters | 0x02B0 - 0x02FF | Spacing modifier letter characters between 0x02B0 (688 decimal) and 0x02FF (767 decimal). |
| Combining Diacritical Marks | 0x0300 - 0x036F | Combining diacritical mark characters between 0x0300 (768 decimal) and 0x036F (879 decimal). |
The following table lists examples of inputs and the corresponding encoded outputs. Every character outside the safe list (here the apostrophe, the angle brackets, the double quotation mark and the Japanese character) is replaced by its decimal numeric character reference; safe-list characters pass through unchanged.

| Input | Encoded output |
|---|---|
| `alert('XSS Attack!');` | `alert(&#39;XSS Attack!&#39;);` |
| `<script>alert('XSS Attack!');</script>` | `&#60;script&#62;alert(&#39;XSS Attack!&#39;);&#60;/script&#62;` |
| `alert('XSSあAttack!');` | `alert(&#39;XSS&#12354;Attack!&#39;);` |
| `user@contoso.com` | `user@contoso.com` |
| `"Anti-Cross Site Scripting Namespace"` | `&#34;Anti-Cross Site Scripting Namespace&#34;` |
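The following is an added example, not code from the documentation page or from the System.Web library. It places untrusted text in an XML attribute via AntiXssEncoder.XmlEncode, wraps the encoded value in double quotation marks as the note above requires, and then parses the markup back with System.Xml.Linq to confirm that the attribute value an XML parser sees is exactly the original input. The inputs are the page's own examples plus one constructed string; the element and attribute names (`user`, `name`) are chosen for illustration only.

```csharp
// Added example: round-trips untrusted input through AntiXssEncoder.XmlEncode
// and an XML parser. Not code from the original page. The element and
// attribute names are assumed; the last sample input is constructed.
using System;
using System.Xml.Linq;
using System.Web.Security.AntiXss;   // System.Web.dll, .NET Framework 4.5 and later

static class XmlEncodeDemo
{
    // Builds an element whose attribute carries untrusted text. The encoded
    // value is wrapped in double quotation marks before it is placed in markup,
    // as the documentation's note requires.
    static string BuildElement(string untrusted)
    {
        string encoded = AntiXssEncoder.XmlEncode(untrusted);
        return "<user name=\"" + encoded + "\" />";
    }

    // Parses the markup back and returns the attribute value the XML parser sees.
    // Had the encoding step been skipped, a quotation mark or '<' in the input
    // would break parsing or alter the document structure instead of surviving
    // as attribute data.
    static string RoundTrip(string untrusted)
    {
        XElement element = XElement.Parse(BuildElement(untrusted));
        return element.Attribute("name").Value;
    }

    static void Main()
    {
        string[] samples =
        {
            "alert('XSS Attack!');",
            "<script>alert('XSS Attack!');</script>",
            "alert('XSSあAttack!');",
            "user@contoso.com",
            "\"Anti-Cross Site Scripting Namespace\"",
            "a & b < c",   // constructed: the ampersand is not on the safe list either
        };

        foreach (string input in samples)
        {
            string markup = BuildElement(input);
            bool intact = RoundTrip(input) == input;
            Console.WriteLine("{0}\n  {1}\n  round-trip intact: {2}", input, markup, intact);
        }
    }
}
```

The round trip is the useful check: because every non-safe character is emitted as a numeric character reference, the parser decodes it back to data rather than treating it as markup, so `intact` is true for each sample. Inputs containing an unpaired surrogate are rejected by the encoder with the exceptions listed above rather than being passed through; this example does not exercise that path.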
To customize the safe list, call the MarkAsSafe method.
Available since 4.5
