ASP.NET 4 "Quick Hit" – The HtmlEncoder Utility Method

Comment Posted by Corgalore

Thu, 12 Nov 2009 17:32:55 GMT

Joe, this is not a .NET 4.0 feature as I have been using that class method for quite a while already, probably since .NET 2.0

Comment Posted by Mattw67

Fri, 13 Nov 2009 13:34:49 GMT

I agree with Corgalore.

Comment Posted by muratyasar

Mon, 16 Nov 2009 21:25:35 GMT

Good videos as always Joe. Thanks for your effort and I agree with Corgalore.

Comment Posted by Goudinov

Wed, 18 Nov 2009 23:01:01 GMT

I've been using this since ASP Classic!

Server.HtmlEncode(s)

Maybe the difference is that now it's managed? Dunno.

Comment Posted by atomiton

Thu, 31 Dec 2009 19:32:39 GMT

This mechanism exists in Asp.Net 2.0. It's not a new mechanism, unless something has been changed/improved in 4.0 version.

Comment Posted by JoeStagner

Thu, 14 Jan 2010 19:10:13 GMT

No guys.

The was a encoding method in the Server Object (Server.HTMLEncode) but now there is an easily accessable HttpUtility Object with an HtmlEncode.

Always easily available in an object that can be easily enherited or extended.

Comment Posted by zubairdotnet

Fri, 29 Jan 2010 11:24:18 GMT

That class existed in .NET for a while, infact I built an extension method to allow it to be easy accessible so you can do eg TrustedInput = UntrustedInput.HtmlEncode(); & TrustedInput = UntrustedInput.HtmlDecode();

Check out this method in my Extension methods library bit.ly/

Comment Posted by ndarwish

Sun, 31 Jan 2010 13:30:09 GMT

HttpUtility.HtmlEncode is there since .NET 1 !!

For reference, you can check MSDN:

msdn.microsoft.com/

www.msdn.microsoft.com/en-us/library/system.web.httputility.htmlencode(VS.71).aspx

Comment Posted by SvDeursen

Sun, 31 Jan 2010 19:58:59 GMT

The video is misleading. HttpUtility.HtmlEncode is not new (however, there is a new HtmlEncode(object) overload). What's new here is that all encoding and decoding mechanisms in ASP.NET are based on the new HttpEncoder mechanism (msdn.microsoft.com/ It's possible to override the default encoding/decoding mechanism with a custom (safer) mechanism using the section. This can be useful, because the default encoding mechanism uses black list encoding, while white list encoding is much safer. It’s now possible to plug the Microsoft AntiXSS library in. I hope the ACE team soon comes with an update of their AntiXSS library that contains a HttpEncoder class.

Comment Posted by ventaur

Tue, 02 Feb 2010 15:00:56 GMT

That's correct; this is not new to ASP.NET 4.0. What IS new to ASP.NET 4.0 is a new output tag for markup files. Instead of using <%= SomeVar %>, you can use the new syntax <%: SomeVar %> to automatically HTML-encode the value before it is output.

Comment Posted by pcbabu

Sun, 14 Feb 2010 12:47:07 GMT

this is not a asp.net 4.0 new feature...

Comment Posted by xiangxiangu

Tue, 25 May 2010 02:41:32 GMT

Nice Video

Comment Posted by JochenEd

Wed, 09 Jun 2010 16:47:25 GMT

Regardless of how long that static method has been around, this is still cumbersome. The new markup mentioned above should have its equivalent in the web forms controls, i.e. an additional boolean property for auto-encoding and auto-decoding behaviour, so that the HTML-end gets encoded while in the code you'd just be working with with the original string. This should then be applied to all other properties that end up being rendered in HTML. In case of the Label control I can't believe this hasn't been suggested and implemented long ago.

Comment Posted by tarikelmallah

Tue, 15 Mar 2011 06:06:30 GMT

it was in ASP.net 2, not new !!!