Escape C# string to HTML

Question

I have a string with special characters like this:

äöüß&

Now I want to put that in an HTML document and need to escape these characters. Is there an elegant way doing this?

I could do this:

string html;
html = html.Replace("ü", "uu&uml;");
html = html.Replace("ß", "&szlig;");
....

But I don't want to do that for all possible special characters.

score 13 · Accepted Answer · edited Jun 25 '21 at 07:29

13

Let the Framework do the work for you.

You could try HtmlEncode:

string encodedHtml = Server.HtmlEncode(html);

edited Jun 25 '21 at 07:29

Peter Mortensen

answered Jan 02 '12 at 19:21

Justin Niessner

@juergend - Check the documentation I linked to. Has the namespace and the assembly (in case you need to add a reference). – Justin Niessner Jan 02 '12 at 19:26
7

I didn't see that at first. Actually even after using the `System.Web` namespace and referencing the System.Web.dll in my Project, VS2010 still can't find the Server class. But it finds this which works perfectly: `HttpUtility.HtmlEncode` – juergen d Jan 02 '12 at 19:43

score 10 · Answer 2 · answered Jan 02 '12 at 19:26

10

There is also this, intended for XML, but it should work just fine with HTML:

System.Security.SecurityElement.Escape( string s );

answered Jan 02 '12 at 19:26

Mike Nakis

2

See extended notes (corroborating you) @ http://stackoverflow.com/a/1934252/41153 – Michael Paulukonis May 15 '13 at 18:19

score 2 · Answer 3 · edited Jun 25 '21 at 07:30

2

I recommend getting into the habit of using Microsoft's AntiXSS Library, and calling

AntiXSS.HtmlEncode(yourstring);

if you need to include it in the body, or

AntiXSS.HtmlAttributeEncode(yourstring);

if it is going inside an HTML attribute.

edited Jun 25 '21 at 07:30

Peter Mortensen

answered Jan 02 '12 at 19:25

rejj

1

This library is obselete and is replaced by Encoder.HtmlEncode(). – Sagi Jan 22 '20 at 19:57

3 Answers3