I am creating some dynamically generated HTML:
bldr.AppendLine("<a>");
string userText = user.Company;
bldr.AppendLine(userText);
bldr.AppendLine("</a>");
How can I ensure that, whatever the company's name is, it will appear as it should, but also that if they try to inject any HTML in their name it will simply appear in plain text?
For instance, if they tried to use the name "<script>alert("Do Bad!")</script>", that's exactly what will appear on the page, in plain text.
But I also want to avoid "A & C" translating to "A \u0026 C", which is what happens when I use
HttpUtility.JavaScriptStringEncode(user.Company);
An alternative without a dependency on System.Web:
You can use the HttpUtility.HtmlEncode method: HttpUtility.HtmlEncode(string s)
You can use the same HttpUtility class you have used for JavaScript, but for HTML, for example:
There is also the inverse way, using HttpUtility.HtmlDecode(string).
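As an added example (not code from the question or from either answer): the asker's three-line builder rewritten so the company name goes through HttpUtility.HtmlEncode before it is appended, and the two inputs from the question run through HtmlEncode, JavaScriptStringEncode and HtmlDecode so the difference between the encoders is visible. The `user` object from the question is stood in for by a small hypothetical `User` class. The answer that mentions an alternative without a dependency on System.Web shows no code on this page; this example assumes it means System.Net.WebUtility.HtmlEncode, which lives in System.dll and produces the same entities for these inputs.

```csharp
using System;
using System.Net;   // WebUtility: HTML encoding without referencing System.Web.dll
using System.Text;
using System.Web;   // HttpUtility: requires a reference to System.Web.dll

// Hypothetical stand-in for the asker's `user` object.
class User
{
    public string Company { get; set; }
}

static class Program
{
    // The asker's builder, with the untrusted value HTML-encoded before it is appended.
    // Everything that could start a tag, an entity or close an attribute (< > & " ')
    // is turned into an entity, so the browser shows the text and never parses it as markup.
    static string BuildLink(User user)
    {
        var bldr = new StringBuilder();
        bldr.AppendLine("<a>");
        bldr.AppendLine(HttpUtility.HtmlEncode(user.Company));
        bldr.AppendLine("</a>");
        return bldr.ToString();
    }

    static void Main()
    {
        // Constructed sample inputs: the injection attempt and the ampersand case from the question.
        var inputs = new[]
        {
            "<script>alert(\"Do Bad!\")</script>",
            "A & C",
        };

        foreach (var company in inputs)
        {
            Console.WriteLine("Input:                  " + company);

            // HtmlEncode is the right encoder for text placed between HTML tags:
            // the <script> becomes displayed text rather than an executed element,
            // and the ampersand becomes the entity &amp;, which the browser renders
            // back as a single literal "&".
            Console.WriteLine("HttpUtility.HtmlEncode: " + HttpUtility.HtmlEncode(company));
            Console.WriteLine("WebUtility.HtmlEncode:  " + WebUtility.HtmlEncode(company));

            // JavaScriptStringEncode escapes for a JavaScript string literal (\uXXXX escapes),
            // which is why it produced "A \u0026 C" in the question: it targets the wrong context.
            Console.WriteLine("JavaScriptStringEncode: " + HttpUtility.JavaScriptStringEncode(company));

            // HtmlDecode reverses HtmlEncode, as the answer notes.
            bool roundTrip = HttpUtility.HtmlDecode(HttpUtility.HtmlEncode(company)) == company;
            Console.WriteLine("HtmlDecode round trip:  " + roundTrip);
            Console.WriteLine();
        }

        // The builder from the question with the injection attempt as the company name.
        Console.WriteLine(BuildLink(new User { Company = inputs[0] }));
    }
}
```

One caveat a reviewer would raise: HtmlEncode is correct for text content and for values inside quoted attributes, but not for every place a string can land. A value written into an href, into an inline event handler, or inside a <script> block needs the encoder for that context (URL encoding, or JavaScriptStringEncode inside a quoted JavaScript literal), because the browser parses those positions with different rules before the HTML entity rules apply.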