Escape text for HTML

C#, Html, Escaping

C# Problem Overview


How do I escape text for HTML use in C#? I want to do

sample="<span>blah<span>"

and have

<span>blah<span>

show up as plain text instead of blah only with the tags part of the HTML :(. Using C#, not ASP.

C# Solutions


Solution 1 - C#

using System.Web;

var encoded = HttpUtility.HtmlEncode(unencoded);

Solution 2 - C#

Also, you can use this if you don't want to use the System.Web assembly:

var encoded = System.Security.SecurityElement.Escape(unencoded);

Per this article, the difference between System.Security.SecurityElement.Escape() and System.Web.HttpUtility.HtmlEncode() is that the former also encodes apostrophe (') characters.

Solution 3 - C#

If you're using .NET 4 or above and you don't want to reference System.Web, you can use WebUtility.HtmlEncode from System

var encoded = WebUtility.HtmlEncode(unencoded);

This has the same effect as HttpUtility.HtmlEncode and should be preferred over System.Security.SecurityElement.Escape.

Solution 4 - C#

In ASP.NET 4.0 there's new syntax to do this. Instead of

<%= HttpUtility.HtmlEncode(unencoded) %>

you can simply do

<%: unencoded %>

Read more here:

New <%: %> Syntax for HTML Encoding Output in ASP.NET 4 (and ASP.NET MVC 2)

Solution 5 - C#

.NET 4.0 and above:

using System.Web.Security.AntiXss;
//...
var encoded = AntiXssEncoder.HtmlEncode("input", useNamedEntities: true);

Solution 6 - C#

You can use actual html tags <xmp> and </xmp> to output the string as is to show all of the tags in between the xmp tags.

Or you can also use on the server Server.UrlEncode or HttpUtility.HtmlEncode.

Solution 7 - C#

For a simple way to do this in Razor pages, use the following:

In .cshtml:

@Html.Raw(Html.Encode("<span>blah<span>"))

In .cshtml.cs:

string rawHtml = Html.Raw(Html.Encode("<span>blah<span>"));

Solution 8 - C#

You can use:

System.Web.HttpUtility.JavaScriptStringEncode("Hello, this is Satan's Site")

It was the only thing that worked (ASP.NET 4.0+) when dealing with HTML like this. The &apos; gets rendered as ' (using htmldecode) in the HTML content, causing it to fail:

<a href="article.aspx?id=268" onclick="tabs.open('modules/xxx/id/268', 'It&apos;s Allstars'); return false;">It's Allstars</a>
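
The failure described in Solution 8 comes from nested contexts: a value inside a JavaScript string inside an HTML attribute needs JavaScript encoding first and HTML encoding second. The console program below is an added example, not code from any of the answers; the sample titles are constructed, and the `tabs.open(...)` handler is a hypothetical one modelled on the snippet above.

```csharp
using System;
using System.Net;   // WebUtility
using System.Web;   // HttpUtility (System.Web on .NET Framework, System.Web.HttpUtility on .NET Core/5+)

static class EncodingContexts
{
    // HTML text or attribute context: one layer of HTML encoding.
    static string ForHtml(string value) => WebUtility.HtmlEncode(value);

    // JavaScript string literal inside an HTML attribute: two nested contexts,
    // so encode for the inner one (JavaScript) first, then for the outer one (HTML).
    static string ForJsInAttribute(string value) =>
        WebUtility.HtmlEncode(HttpUtility.JavaScriptStringEncode(value));

    // The browser HTML-decodes an attribute value before the script engine parses it;
    // HtmlDecode stands in for that step here.
    static string ScriptSeenByBrowser(string attributeValue) =>
        WebUtility.HtmlDecode(attributeValue);

    static void Main()
    {
        // Constructed sample inputs; the first is the string from the question.
        string[] samples =
        {
            "<span>blah<span>",
            "It's Allstars",
            "a \"quoted\" & <b>bold</b> title"
        };

        foreach (string title in samples)
        {
            // Attribute values for onclick="...": HTML encoding alone vs. both layers.
            string htmlOnly = $"tabs.open('{ForHtml(title)}'); return false;";
            string layered = $"tabs.open('{ForJsInAttribute(title)}'); return false;";

            Console.WriteLine($"input                 : {title}");
            Console.WriteLine($"as HTML text          : {ForHtml(title)}");
            Console.WriteLine($"script, HTML only     : {ScriptSeenByBrowser(htmlOnly)}");
            Console.WriteLine($"script, JS then HTML  : {ScriptSeenByBrowser(layered)}");
            Console.WriteLine();
        }
    }
}
```

For `It's Allstars`, the "HTML only" script line contains a bare apostrophe inside the string literal, while the layered version keeps it escaped after the browser's decoding step.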

Solution 9 - C#

There are some special quote characters which are not removed by HtmlEncode and will not be displayed in Edge or Internet Explorer correctly, like ” and “. You can extend replacing these characters with something like the function below.

private string RemoveJunkChars(string input)
{
    return HttpUtility.HtmlEncode(input.Replace("”", "\"").Replace("“", "\""));
}

Attributions

All content for this solution is sourced from the original question on Stackoverflow.

The content on this page is licensed under the Attribution-ShareAlike 4.0 International (CC BY-SA 4.0) license.

| Content Type | Original Author | Original Content on Stackoverflow |
| --- | --- | --- |
| Question | user34537 | View Question on Stackoverflow |
| Solution 1 - C# | Michael S. Scherotter | View Answer on Stackoverflow |
| Solution 2 - C# | Tereza Tomcova | View Answer on Stackoverflow |
| Solution 3 - C# | Alex | View Answer on Stackoverflow |
| Solution 4 - C# | Nacht | View Answer on Stackoverflow |
| Solution 5 - C# | Victor | View Answer on Stackoverflow |
| Solution 6 - C# | Andrew Siemer | View Answer on Stackoverflow |
| Solution 7 - C# | fordrof | View Answer on Stackoverflow |
| Solution 8 - C# | Contra | View Answer on Stackoverflow |
| Solution 9 - C# | Iman | View Answer on Stackoverflow |