Was this page helpful?
Your feedback about this content is important. Let us know what you think.
Additional feedback?
1500 characters remaining
HttpEncoder Class

HttpEncoder Class

.NET Framework 4.6 and 4.5

Provides encoding and decoding logic.

Namespace:  System.Web.Util
Assembly:  System.Web (in System.Web.dll)

public class HttpEncoder

The HttpEncoder type exposes the following members.

Public methodHttpEncoderInitializes a new instance of the HttpEncoder class.

Public propertyStatic memberCurrentGets or set the HttpEncoder type that will be used in an application.
Public propertyStatic memberDefaultGets a reference to the default encoder for ASP.NET.

Public methodEquals(Object)Determines whether the specified object is equal to the current object. (Inherited from Object.)
Protected methodFinalizeAllows an object to try to free resources and perform other cleanup operations before it is reclaimed by garbage collection. (Inherited from Object.)
Public methodGetHashCodeServes as the default hash function. (Inherited from Object.)
Public methodGetTypeGets the Type of the current instance. (Inherited from Object.)
Protected methodHeaderNameValueEncodeEncodes a header name and value into a string that can be used as an HTTP header.
Protected methodHtmlAttributeEncodeEncodes an incoming value into a string that can be inserted into an HTML attribute that is delimited by using single or double quotation marks.
Protected methodHtmlDecodeDecodes a value from an HTML-encoded string.
Protected methodHtmlEncodeEncodes a string into an HTML-encoded string.
Protected methodJavaScriptStringEncodeEncodes a string.
Protected methodMemberwiseCloneCreates a shallow copy of the current Object. (Inherited from Object.)
Public methodToStringReturns a string that represents the current object. (Inherited from Object.)
Protected methodUrlEncodeEncodes an array of characters that are not allowed in a URL into a hexadecimal character-entity equivalent.
Protected methodUrlPathEncodeEncodes a subsection of a URL.

The class contains encoding and decoding logic that is used by methods in classes such as HttpUtility, HttpServerUtility, and HttpResponseHeader.

You can inherit from the HttpEncoder class and override its behavior to customize the default encoding and decoding behavior of ASP.NET. You then set the EncoderType property of the HttpRuntimeSection class to configure your custom class.

A custom class for encoding and decoding that derives from HttpEncoder can override the built-in ASP.NET encoding and decoding behavior or change only selected aspects of it.

You can configure the custom encoding type for in ASP.NET to replace or supplement the following encoding behavior:

  • HTML encoding

  • HTML attribute encoding

  • URL encoding

  • URL path encoding

  • HTTP header name and header value encoding

By default, ASP.NET applications are configured to use the AntiXssEncoder type for all output encoding.

The following example from an application-level Web.config file shows how the AntiXssEncoder type is set for an ASP.NET application:

<httpRuntime requestValidationMode="4.5" encoderType="System.Web.Security.AntiXss.AntiXssEncoder, System.Web, Version=, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"/>

The configuration setting in the example sets the AntiXssEncoder class to perform all output encoding in the application. For more information, see the AntiXssEncoder class overview.

Notes to Inheritors

When you create a custom encoder class and override the base methods of the base class, the derived encoder might throw an exception from any of the overridden methods. However, in the following cases throwing such an exception could lead to unexpected behavior in ASP.NET:

  • If ASP.NET is rendering an error page that is caused by an unhandled exception that was thrown from a custom encoder, ASP.NET does not attempt to encode its error output by calling into the custom encoder. This avoids recursive error conditions.

  • When ASP.NET is sending HTTP headers to IIS, ASP.NET has no provision for unhandled exceptions. Therefore, the standard ASP.NET error page will be rendered (if configuration settings allows this page to be displayed).

.NET Framework

Supported in: 4.6, 4.5, 4

Any public static (Shared in Visual Basic) members of this type are thread safe. Any instance members are not guaranteed to be thread safe.
© 2015 Microsoft