Escape text for HTML

Question

How do i escape text for html use in C#? I want to do

sample="<span>blah<span>"

and have

<span>blah<span>

show up as plain text instead of blah only with the tags part of the html :(. Using C# not ASP

score 191 · Answer 1 · answered Jun 17 '09 at 05:36

191

using System.Web;

var encoded = HttpUtility.HtmlEncode(unencoded);

answered Jun 17 '09 at 05:36

Michael S. Scherotter

10,715
3
34
57

3

If you also want to encode unicode characters to non-unicode, check out this: http://stackoverflow.com/questions/82008/non-unicode-xml-representation – Gyuri Dec 04 '09 at 18:14
5

Something that you don't want to find out the bad way: The above method by itself does not escape control characters. See the accepted answer here: http://stackoverflow.com/a/4501246/1543677 and use both. – pkExec Dec 09 '14 at 11:46
HttpUtility does not exist anymore (win store apps) – Tertium Nov 12 '16 at 10:04

score 91 · Answer 2 · edited Aug 05 '16 at 22:12

91

Also, you can use this if you don't want to use the System.Web assembly:

var encoded = System.Security.SecurityElement.Escape(unencoded)

Per this article, the difference between System.Security.SecurityElement.Escape() and System.Web.HttpUtility.HtmlEncode() is that the former also encodes apostrophe (') characters.

edited Aug 05 '16 at 22:12

Raktim Biswas

4,011
5
27
32

answered Dec 19 '09 at 21:59

Tereza Tomcova

4,928
4
30
29

10

Not to say `SecurityElement.Escape()` escapes for *XML* which is not exactly HTML. – Victor Sergienko Jun 05 '13 at 21:16
System.Security.SecurityElement does not exist in windows store apps – Tertium Nov 12 '16 at 10:05
Note that System.Security.SecurityElement.Escape does not remove or escape character 31, which hit us once from an extract of active directory data – user2728841 Jun 26 '21 at 13:22

score 59 · Answer 3 · answered Sep 16 '13 at 08:22

59

If you're using .NET 4 or above and you don't want to reference System.Web, you can use WebUtility.HtmlEncode from System

var encoded = WebUtility.HtmlEncode(unencoded);

This has the same effect as HttpUtility.HtmlEncode and should be preferred over System.Security.SecurityElement.Escape.

answered Sep 16 '13 at 08:22

Alex

7,728
3
35
62

Why should it be preferred over SecurityElement.Escape? Are there vulnerabilities in the latter, or is the former just more capable? – Travis Dec 18 '13 at 22:43
9

@Travis There are no vulnerabilities in either, it's just that `SecurityElement.Escape` operates on XML and `HtmlEncode` operates on HTML, and XML and HTML encoding have slightly different requirements (see [this answer](http://stackoverflow.com/a/2083770/175157) for details). So, for example, `SecurityElement.Escape` is allowed to use `'`, while `HtmlEncode` is not. – Alex Dec 19 '13 at 09:38
1

@Travis I think the even better "excuse" is that **System.Net is available to Portable Class Libraries** and the other two options aren't/don't seem to be this morning. ;^) – ruffin Dec 28 '16 at 12:43

score 19 · Answer 4 · edited Jun 25 '21 at 07:31

19

In ASP.NET 4.0 there's new syntax to do this. Instead of

<%= HttpUtility.HtmlEncode(unencoded) %>

you can simply do

<%: unencoded %>

Read more here:

New <%: %> Syntax for HTML Encoding Output in ASP.NET 4 (and ASP.NET MVC 2)

edited Jun 25 '21 at 07:31

Peter Mortensen

30,738
21
105
131

answered Oct 19 '11 at 01:38

Nacht

3,342
4
26
41

2

please give a syntax for Razor? @Nacht – Nov 17 '17 at 07:33

score 6 · Answer 5 · answered Feb 04 '16 at 12:46

6

.NET 4.0 and above:

using System.Web.Security.AntiXss;
//...
var encoded = AntiXssEncoder.HtmlEncode("input", useNamedEntities: true);

answered Feb 04 '16 at 12:46

Victor

3,669
3
37
42

Andrew Siemer · Answer 6 · 2009-06-17T05:39:44.113

5

You can use actual html tags <xmp> and </xmp> to output the string as is to show all of the tags in between the xmp tags.

Or you can also use on the server Server.UrlEncode or HttpUtility.HtmlEncode.

edited Jun 17 '09 at 05:39

answered Jun 17 '09 at 05:34

Andrew Siemer

10,166
3
41
61

I made the question more clear. I dont want the tags to be part of html as the user can do and break it. – Jun 17 '09 at 05:36
1

` – mortb May 11 '17 at 14:19

score 2 · Answer 7 · edited Jun 25 '21 at 07:38

2

For a simple way to do this in Razor pages, use the following:

In .cshtml:

@Html.Raw(Html.Encode("<span>blah<span>"))

In .cshtml.cs:

string rawHtml = Html.Raw(Html.Encode("<span>blah<span>"));

edited Jun 25 '21 at 07:38

Peter Mortensen

30,738
21
105
131

answered Jan 23 '20 at 03:59

fordrof

107
6

score 1 · Answer 8 · edited Jun 25 '21 at 07:33

1

You can use:

System.Web.HttpUtility.JavaScriptStringEncode("Hello, this is Satan's Site")

It was the only thing that worked (ASP.NET 4.0+) when dealing with HTML like this. The' gets rendered as ' (using htmldecode) in the HTML content, causing it to fail:

<a href="article.aspx?id=268" onclick="tabs.open('modules/xxx/id/268', 'It&apos;s Allstars'); return false;">It's Allstars</a>

edited Jun 25 '21 at 07:33

Peter Mortensen

30,738
21
105
131

answered Jun 24 '14 at 09:08

Contra

2,754
4
20
18

Re *"htmlencode"*: Do you mean *"HtmlEncode"*? – Peter Mortensen Jun 25 '21 at 07:34

score 1 · Answer 9 · edited Jun 25 '21 at 07:36

1

There are some special quotes characters which are not removed by HtmlEncode and will not be displayed in Edge or Internet Explorer correctly, like ” and “. You can extend replacing these characters with something like the below function.

private string RemoveJunkChars(string input)
{
    return HttpUtility.HtmlEncode(input.Replace("”", "\"").Replace("“", "\""));
}

edited Jun 25 '21 at 07:36

Peter Mortensen

30,738
21
105
131

answered Apr 27 '16 at 07:33

Iman

17,932
6
80
90

You are probably serving content using the wrong encoding. IE and Edge have no problems displaying such characters. – Bouke Feb 18 '20 at 09:57

Escape text for HTML

9 Answers9

Linked

Related