Limitations of ASP.NET Server.HtmlEncode

I am using Server.HTMLEncode to encode my HTML.

I notice that it does not escape single quotes, which is a limitation if you use single quotes in your HTML, for example <input type='text' .... />

(I checked that this is valid XHTML).

Are there any other restrictions or things that should be considered with Server.HTMLEncode, in particular, any characters that are not valid XHTML that this method does not handle?

+4
5 answers

MSDN says that Server.HTMLEncode does only the following:

  • The less-than character (<) is converted to &lt;.
  • The greater-than character (>) is converted to &gt;.
  • The ampersand character (&) is converted to &amp;.
  • The double-quote character (") is converted to &quot;.
  • Any ASCII character whose code is greater than or equal to 0x80 is converted to &#<number>;, where <number> is the value of the ASCII character.
+10

I tested HtmlEncode against all character codes listed here: http://www.ascii.cl/htmlcodes.htm

It seems to escape most characters, and those that it doesn't escape do not violate XHTML compliance.

0

HTML Encode must ensure that all non-HTML-compatible characters in a string are converted to their equivalent entity. As you found out, single quotes etc. work fine in (X)HTML and don't require encoding. You can use UrlEncode / UrlDecode if you need it, or roll your own function using Replace.

0

I came here looking for the same answer. In my case, the solution was actually... use double quotes in the surrounding HTML.

0

To enable single-quote encoding, I use (in VB.Net):

 Server.HTMLEncode("Here a string with a single quote").Replace("'", "&#39;") 
0
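As an added illustration (example code written for this page, not code from any of the answers above or from Microsoft), the following C# helper implements the five MSDN rules quoted in the first answer and adds the missing sixth one, encoding the single quote as &#39; so that a value can sit safely inside a single-quoted attribute. The class name SafeHtml, the sample input string and the non-ASCII handling are this example's own choices; the rules themselves come from the thread. Note that it escapes non-ASCII text by Unicode code point rather than by individual UTF-16 code unit, which the MSDN description quoted above does not spell out.

```csharp
// Added example, not part of the original thread: a minimal HTML encoder that
// applies the MSDN rules quoted in the first answer plus single-quote encoding.
using System;
using System.Text;

public static class SafeHtml
{
    // Encodes text so it is safe inside element content and inside attribute
    // values delimited by either double or single quotes.
    public static string Encode(string s)
    {
        if (s == null) return null;
        var sb = new StringBuilder(s.Length);
        for (int i = 0; i < s.Length; i++)
        {
            char c = s[i];
            switch (c)
            {
                case '<':  sb.Append("&lt;");   break;
                case '>':  sb.Append("&gt;");   break;
                case '&':  sb.Append("&amp;");  break;
                case '"':  sb.Append("&quot;"); break;
                case '\'': sb.Append("&#39;");  break; // the gap the question describes
                default:
                    if (c >= 0x80)
                    {
                        // Emit one numeric reference per code point, so that a
                        // surrogate pair becomes a single valid &#N; reference
                        // (assumption of this example, not stated by MSDN).
                        int cp = char.IsSurrogatePair(s, i) ? char.ConvertToUtf32(s, i++) : c;
                        sb.Append("&#").Append(cp).Append(';');
                    }
                    else
                    {
                        sb.Append(c);
                    }
                    break;
            }
        }
        return sb.ToString();
    }

    public static void Main()
    {
        // Constructed input: a value containing a single quote, an ampersand,
        // angle brackets and a non-ASCII character. Left unencoded, the single
        // quote would terminate a single-quoted attribute value early.
        string untrusted = "O'Brien & <Sons> café";
        Console.WriteLine("<input type='text' value='" + Encode(untrusted) + "' />");
        Console.WriteLine("<input type=\"text\" value=\"" + Encode(untrusted) + "\" />");
    }
}
```

The fifth answer's Replace("'", "&#39;") applied on top of Server.HTMLEncode gives the same result for the single quote; the point of writing the mapping out is to make the full set of characters visible in one place, since the exact set Server.HTMLEncode covers has changed between .NET releases and is worth checking against the version you actually run.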
