ASP.NET Encode HTML String

Dot Net Perls

You need to convert plain text to an HTML-encoded version. You can take text from XML or the user online and print it out in an HTML file. If you don't do this, you may have security problems and bugs. Here we look at one simple and easy way you can encode HTML in ASP.NET and the C# programming language.

Not HTML encoded: You & me > them

Is HTML encoded: You &amp; me &gt; them

Example

First, there are really good methods built into the .NET Framework for us. You are likely using ASP.NET, but even if not you can use these methods. You could develop your own, but that has some pitfalls. Here we look at some example C# code.

ASPX code-behind file that encodes HTML [C#]

using System;
using System.IO;
using System.Web;
using System.Web.UI;

public partial class _Default : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // This could mess up HTML if written to the page as-is.
        string text = "you & me > them"; // 1

        // Replace & with &amp; and > with &gt;
        string htmlEncoded = Server.HtmlEncode(text); // 2

        // Now has the plain & and > again.
        string original = Server.HtmlDecode(htmlEncoded); // 3

        // This is how you can access the Server in any class.
        string alsoEncoded = HttpContext.Current.Server.HtmlEncode(text); // 4

        StringWriter stringWriter = new StringWriter();
        using (HtmlTextWriter writer = new HtmlTextWriter(stringWriter))
        {
            // Write a DIV with encoded text.
            writer.RenderBeginTag(HtmlTextWriterTag.Div);
            writer.WriteEncodedText(text);
            writer.RenderEndTag();
        }
        string html = stringWriter.ToString(); // 5
    }
}

Notes

Step 1: Before encoding has occurred.
String: you & me > them

Step 2: The string is encoded for HTML.
String: you &amp; me &gt; them

Step 3: String is converted back from HTML.
String: you & me > them

Step 4: The string is encoded for HTML again.
String: you &amp; me &gt; them

Step 5: The HTML string is written into a DIV.
Text:   <div>you &amp; me &gt; them</div>

Description. In the above code example, you will see three different methods. The first two simply return an encoded or decoded string, while HtmlTextWriter uses a method called WriteEncodedText, which writes the encoded text straight to the underlying writer. This has the potential to be more efficient, because it can avoid an intermediate string copy. I tested these methods with breakpoints.


Performance


In my brief benchmarks, I found Server.HtmlEncode and Server.HtmlDecode to be much faster than my home-grown version that used StringBuilder. So unless you want to put lots of effort into a better implementation, it is best to use these framework methods.

HtmlEncode

The WebUtility class is actually a better way to encode HTML and URLs in programs written in the C# language. You will want to call WebUtility.HtmlEncode and WebUtility.HtmlDecode on your strings. This site has a detailed example of these methods. It is also possible to use the HttpUtility class.
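The following console program is an added example, not code from the Dot Net Perls article. It uses System.Net.WebUtility (which does not need a reference to System.Web) to show the difference between writing untrusted text into a DIV unencoded and encoded. The sample strings, the RenderUnsafe/RenderSafe helpers and the ContainsNoMarkup check are all constructed for this example.

```csharp
using System;
using System.Net;

// Added example (not from the original article): renders untrusted text into an
// HTML fragment with and without WebUtility.HtmlEncode so the effect of encoding
// on characters that carry meaning in HTML is visible.
public static class HtmlEncodeDemo
{
    // Constructed sample inputs: the article's string plus two strings that a
    // browser would interpret as markup or break an attribute if left unencoded.
    private static readonly string[] Samples =
    {
        "you & me > them",
        "<b>bold</b>",
        "\"quoted\" and 'single'",
    };

    // Writes text into a DIV without encoding. This is the pattern the article
    // warns against: whatever the text contains is parsed as HTML.
    public static string RenderUnsafe(string text)
    {
        return "<div>" + text + "</div>";
    }

    // Writes text into a DIV with encoding, so the browser displays it literally.
    // WebUtility.HtmlEncode replaces &, <, >, " and ' with entities.
    public static string RenderSafe(string text)
    {
        return "<div>" + WebUtility.HtmlEncode(text) + "</div>";
    }

    // Returns true when the encoded text contains no characters that can open or
    // close a tag. Used here only to make the result of encoding explicit.
    public static bool ContainsNoMarkup(string encoded)
    {
        return encoded.IndexOf('<') < 0 && encoded.IndexOf('>') < 0;
    }

    public static void Main()
    {
        foreach (string sample in Samples)
        {
            string encoded = WebUtility.HtmlEncode(sample);
            // HtmlDecode reverses the encoding, as Server.HtmlDecode does in the
            // article, so the original text can be recovered for non-HTML use.
            string roundTrip = WebUtility.HtmlDecode(encoded);

            Console.WriteLine("Input:    " + sample);
            Console.WriteLine("Encoded:  " + encoded);
            Console.WriteLine("Unsafe:   " + RenderUnsafe(sample));
            Console.WriteLine("Safe:     " + RenderSafe(sample));
            Console.WriteLine("Round trip matches input: " + (roundTrip == sample));
            Console.WriteLine("Encoded text is markup-free: " + ContainsNoMarkup(encoded));
            Console.WriteLine();
        }
    }
}
```

Because HtmlEncode also escapes double and single quotes, the encoded value is safe inside a quoted HTML attribute as well as in element content. It is not the right function for other contexts: text placed inside a script block needs JavaScript encoding, and text placed into a URL needs WebUtility.UrlEncode, so pick the encoder for the place the text actually lands in the page.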


Summary


We saw ways you can encode HTML strings in your C# programs using the HtmlEncode method. Always encode your strings before displaying them in a web page, and decode them when you need the original text back. Security nightmares and injection attacks are possible otherwise. Use the ASP.NET methods shown here for a fast and reliable approach.
