dotnetframework/System.Text.Encodings.Webv9.0.13
✓ Verified.NET FW4.6.2.NET 10.0.NET 11.0.NET Std2.0
Provides types for encoding and escaping strings for use in JavaScript, HyperText Markup Language (HTML), and uniform resource locators (URL). Commonly Used Types: System.Text.Encodings.Web.HtmlEncoder System.Text.Encodings.Web.UrlEncoder System.Text.Encodings.Web.JavaScriptEncoder
Get Started
$ dotnet add package System.Text.Encodings.WebReadme
About
<!-- A description of the package and where one can find more documentation -->Provides types for encoding and escaping strings for use in JavaScript, HTML, and URLs.
This package is essential for protecting web applications against cross-site scripting (XSS) attacks by safely encoding text, and it offers extensive support for Unicode, allowing fine-grained control over which characters are encoded and which are left unescaped.
Key Features
<!-- The key features of this package -->- Safe encoders for HTML, JavaScript, and URL strings.
- Extensible to support custom encoding scenarios, including the ability to specify Unicode ranges.
- Helps prevent cross-site scripting (XSS) vulnerabilities.
- Flexible Unicode encoding with support for specifying individual or predefined ranges to cover broader sets of characters, including options to avoid escaping specific language character sets.
How to Use
<!-- A compelling example on how to use this package with code, as well as any specific guidelines for when to use the package -->Encoding HTML, JavaScript, and URLs
using System.Text.Encodings.Web;
string unsafeString = "<script>alert('XSS Attack!');</script>";
// HTML encode the string to safely display it on a web page.
string safeHtml = HtmlEncoder.Default.Encode(unsafeString);
Console.WriteLine(safeHtml);
// <script>alert('XSS Attack!');</script>
// JavaScript encode the string to safely include it in a JavaScript context.
string safeJavaScript = JavaScriptEncoder.Default.Encode(unsafeString);
Console.WriteLine(safeJavaScript);
// \u003Cscript\u003Ealert(\u0027XSS Attack!\u0027);\u003C/script\u003E
string urlPart = "user input with spaces and & symbols";
// URL encode the string to safely include it in a URL.
string encodedUrlPart = UrlEncoder.Default.Encode(urlPart);
Console.WriteLine(encodedUrlPart);
// user%20input%20with%20spaces%20and%20%26%20symbols
Custom Encoding Scenario with Specific Unicode Ranges
using System.Text.Encodings.Web;
using System.Text.Unicode;
TextEncoderSettings customEncoderSettings = new TextEncoderSettings();
customEncoderSettings.AllowCharacters('!', '*', '-', '.', '_', '~'); // RFC 3986 unreserved characters
customEncoderSettings.AllowRange(new UnicodeRange('a', 26));
customEncoderSettings.AllowRange(new UnicodeRange('A', 26));
customEncoderSettings.AllowRange(new UnicodeRange('0', 10));
// Create a URL encoder with the custom settings
UrlEncoder customUrlEncoder = UrlEncoder.Create(customEncoderSettings);
string customUrlPart = "custom data: (@123!)";
// By default, the symbols '(', ')', and '@' are not encoded
string defaultEncoded = UrlEncoder.Default.Encode(customUrlPart);
Console.WriteLine(defaultEncoded);
// custom%20data%3A%20(@123!)
// Now, the symbols '(', ')', and '@' are also encoded
string customEncoded = customUrlEncoder.Encode(customUrlPart);
Console.WriteLine(customEncoded);
// custom%20data%3A%20%28%40123!%29