tags:

views:

612

answers:

2
+1  Q: 

C#: Sanitize XML text values with XmlTextWriter?

Hello,

I'm using XmlTextWriter to serialize and persist some of my data. Several of the fields I serialize are based on user input (e.g. Username). Today I use the WriteElementString method of XmlTextWriter.

My question is: the second parameter of WriteElementString is the text value to be written. How can I sanitize it prior to writing?

An example code:

XmlTextWriter writer = new XmlTextWriter("filename.xml", null);

writer.WriteStartElement("User");
writer.WriteElementString("Username", inputUserName);
writer.WriteElementString("Email", inputEmail);
writer.WriteEndElement();

writer.Close();

The variables inputUserName and inputEmail are user-input, and I would like to sanitize/escape them prior to writing.

What's the best way to achieve this?

+2  A: 

What exactly do you need to escape there? WriteElementString will do all escaping needed by XML already (i.e. & -> &amp;, < -> &lt;, etc)

Pavel Minaev  2009-07-24 05:18:17
So WriteElementString is completely safe? (it makes sense when you say it, I just didn't know it was the case)
Roee Adler  2009-07-24 05:19:31
It is "safe" in a sense that it guarantees that output will be valid XML, and that when you read it back, you'll get the same string.
Pavel Minaev  2009-07-24 05:21:14
A: 

You could safe these Values as CDATA that will be safest you can do with xml.

Prior you should check the values via RegEx or any other validation.

BeowulfOF  2009-07-24 05:22:37
Why the downvote? CDATA is safest way to hold you XML valid an contain everyting inside you wish?
BeowulfOF  2009-07-24 07:26:21
CDATA does not matter at all. It's just a way to write text without needing to escape it. The code used by the OP will escape everything properly.
John Saunders  2009-07-24 13:30:55
Written as CDATA it will not be escaped, but working properly.
BeowulfOF  2009-07-24 16:48:43

related questions

Displaying Flash content in a C# WinForms application
How to get the value of built, encoded ViewState?
Unhandled Exception Handler in .NET 1.1
How do I connect to a database and loop over a recordset in C#?
How do I most elegantly express left join with aggregate SQL as LINQ query
Get a new object instance from a Type in C#
.NET Testing Framework Advice
Automatically update version number
What is the difference between an int and an Integer in Java/C#?
How to write to Web.Config in Medium Trust ?
WinForms ComboBox data binding gotcha
How do you sort a C# dictionary by value?
Adding Scripting functionality to .NET applications
Floating Point Number parsing: Is there a Catch All algorithm?
How do I print an HTML document from a web service?
Decoding T-SQL CAST in C#/VB.net
Anatomy of a "Memory Leak"
How do I get a distinct, ordered list of names from a DataTable using Linq
Reliable Timer in a Console Application
How do I fill a DataSet or a DataTable from a LINQ query resultset ?
What's the difference between Math.Floor() and Math.Truncate() in .NET?
How do I calculate relative time?
How do I calculate someone's age in C#?
Are there any conversion tools for porting Visual J# code to C#?
When setting a form's opacity should I use a decimal or double?