I am creating a some dynamically generated HTML
bldr.AppendLine("<a>");
string userText = user.Company;
bldr.AppendLine(userText);
bldr.AppendLine("</a>");
How can I ensure that whatever the company's name is, will appear as it should, but also if they try to inject any HTML in thier name it will simply appear in plain text.
For instance if they tried to use the name "<script>alert("Do Bad!")</script>" that's exactly what will appear on the page, in plain text.
But I also want to avoid "A & C" translating to "A \u0026 C", which is what happens when I use
HttpUtility.JavaScriptStringEncode(user.Company);
You can use the same class HttpUtility you have use to javascript, but, for html, for sample:
bldr.AppendFormat("<a>{0}</a>\n", HttpUtility.HtmlEncode(user.Company));
There is also the inverse way using HttpUtility.HtmlDecode(string).
Collected from the Internet
Please contact [email protected] to delete if infringement.
Comments