29

I am creating some dynamically generated HTML

using System.Text;

var bldr = new StringBuilder();
bldr.AppendLine("<a>");
string userText = user.Company;   // raw, unencoded user-supplied text
bldr.AppendLine(userText);
bldr.AppendLine("</a>");

How can I ensure that whatever the company's name is, it will appear as it should, but also, if they try to inject any HTML in their name, it will simply appear in plain text?

For instance if they tried to use the name "<script>alert("Do Bad!")</script>" that's exactly what will appear on the page, in plain text.

But I also want to avoid "A & C" translating to "A \u0026 C", which is what happens when I use

HttpUtility.JavaScriptStringEncode(user.Company);

5 Answers

28

You can use the same HttpUtility class you have used for JavaScript, but for HTML, for example:

bldr.AppendFormat("<a>{0}</a>\n", HttpUtility.HtmlEncode(user.Company));

There is also the inverse way using HttpUtility.HtmlDecode(string).
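To show the difference between the two encoders on the exact inputs from the question, here is an added example (not from the answer above or the original post). It assumes System.Web.HttpUtility is available to the project and uses System.Net.WebUtility for the HTML side; it checks that no raw markup survives encoding and that decoding gives back the original name, which is what the browser does when it renders the entities.

```csharp
using System;
using System.Net;
using System.Text;
using System.Web; // assumed available for HttpUtility.JavaScriptStringEncode

class CompanyNameEncoding
{
    // Builds the anchor from the question, encoding the name for an HTML text node.
    static string RenderAnchor(string company)
    {
        var bldr = new StringBuilder();
        bldr.AppendFormat("<a>{0}</a>\n", WebUtility.HtmlEncode(company));
        return bldr.ToString();
    }

    static void Main()
    {
        // Constructed sample inputs: the two cases raised in the question.
        string[] names = { "<script>alert(\"Do Bad!\")</script>", "A & C" };

        foreach (var name in names)
        {
            string html = WebUtility.HtmlEncode(name);              // for element content
            string js = HttpUtility.JavaScriptStringEncode(name);   // for JS string literals only

            Console.WriteLine("HtmlEncode:             " + html);
            Console.WriteLine("JavaScriptStringEncode: " + js);

            // No raw angle brackets may remain in the HTML-encoded form.
            if (html.Contains("<") || html.Contains(">"))
                throw new InvalidOperationException("unencoded markup leaked");

            // The browser decodes the entities back to the original text when rendering.
            if (WebUtility.HtmlDecode(html) != name)
                throw new InvalidOperationException("round trip failed");

            Console.Write(RenderAnchor(name));
        }
    }
}
```

HtmlEncode is the right choice when the value lands in element content or a quoted attribute; a value placed inside a script block or a URL needs the encoder for that context instead.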


18

An alternative without a dependency to System.Web:

System.Net.WebUtility.HtmlEncode()

1 Comment

This encodes characters as HTML entities, e.g. "&" becomes "&amp;"

10
using System.Web;

var encoded = HttpUtility.HtmlEncode(unencoded);


5

You can use the HttpUtility.HtmlEncode method:

var htmlString = HttpUtility.HtmlEncode(user.Company);


1

HtmlUtility.HtmlEncode(string s)

1 Comment

It's a method called HtmlEncode in the HtmlUtility class which takes a string parameter and encodes it into an HTML-safe string. That's a 23-word description which doesn't add any information to my answer, which is why I didn't include it in the first place.
