I'm using Server.HTMLEncode to encode my HTML.

I notice it doesn't escape single quotes, which is a limitation if you're using single quotes in your HTML, e.g. <input type='text' .... />

(I've checked this is valid XHTML).

Are there any other limitations or things to note about Server.HTMLEncode, in particular any characters that are not valid XHTML that this method doesn't deal with?

+5  A: 

MSDN says Server.HTMLEncode only does the following:

  • The less-than character (<) is converted to &lt;.
  • The greater-than character (>) is converted to &gt;.
  • The ampersand character (&) is converted to &amp;.
  • The double-quote character (") is converted to &quot;.
  • Any ASCII code character whose code is greater-than or equal to 0x80 is converted to &#<number>, where number is the ASCII character value.
reticent
A: 

I've tested HTMLEncode against all the character codes listed here http://www.ascii.cl/htmlcodes.htm

It appears it escapes most characters, and those that it doesn't escape don't break XHTML compliance.

AJM
A: 

HTML Encode should ensure all non-HTML compliant characters in a string are converted to their equivalent entity. As you discovered, single quotes etc. are perfectly valid in (X)HTML and do not require encoding. You could use UrlEncode/UrlDecode if you require this, or roll your own function using Replace.

Dan Diplo
A: 

Hello, I came here searching for the same answer. In my case the solution was to actually... use double quotes in your surrounding HTML ..

Vlagged
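
The behaviour discussed in the question and answers above, as an added example that is not part of the original thread: a Python model of the five rules quoted from MSDN (an assumption, not the real Server.HTMLEncode), dropped into single-quoted and double-quoted attributes and parsed back. The names `model_html_encode`, `attr_encode`, `parsed_attrs` and the sample value are hypothetical.

```python
from html.parser import HTMLParser

def model_html_encode(s):
    """Model of the five rules quoted from MSDN above; an assumption, not the real method."""
    named = {"<": "&lt;", ">": "&gt;", "&": "&amp;", '"': "&quot;"}
    out = []
    for ch in s:
        if ch in named:
            out.append(named[ch])
        elif ord(ch) >= 0x80:
            out.append("&#%d;" % ord(ch))  # code point stands in for the character value
        else:
            out.append(ch)                 # the single quote passes through unchanged
    return "".join(out)

def attr_encode(s):
    """Hypothetical wrapper: the model plus a numeric reference for the single quote."""
    return model_html_encode(s).replace("'", "&#39;")

class _InputAttrs(HTMLParser):
    """Records the attributes of the first <input> tag as a parser sees them."""
    def __init__(self):
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if tag == "input" and self.attrs is None:
            self.attrs = dict(attrs)

def parsed_attrs(markup):
    p = _InputAttrs()
    p.feed(markup)
    p.close()
    return p.attrs

SINGLE = "<input type='text' value='%s' />"
DOUBLE = '<input type="text" value="%s" />'
VALUE = "x' title='added"  # constructed sample input containing single quotes

def demo():
    return {
        # value ends at the first quote and a second attribute appears
        "single_model": parsed_attrs(SINGLE % model_html_encode(VALUE)),
        # single quote encoded as well: the value stays in one attribute
        "single_fixed": parsed_attrs(SINGLE % attr_encode(VALUE)),
        # double-quoted attribute: the five rules alone are enough
        "double_model": parsed_attrs(DOUBLE % model_html_encode(VALUE)),
    }

if __name__ == "__main__":
    for name, attrs in demo().items():
        print(name, attrs)
```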