AntiXssEncoder.CssEncode(String) Method
Definition
Important
Some information relates to prerelease product that may be substantially modified before it’s released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
Encodes the specified string for use in cascading style sheets (CSS).
public:
static System::String ^ CssEncode(System::String ^ input);
public static string CssEncode (string input);
static member CssEncode : string -> string
Public Shared Function CssEncode (input As String) As String
Parameters
- input
- String
The string to encode.
Returns
The encoded string.
Remarks
This method encodes all characters except those that are in the safe list.
Note
Put quotation marks (" ") around the resulting string before you add it to a cascading style sheet.
The following table lists the default safe characters. All are from the Unicode C0 Controls and Basic Latin character range.
Character type | Description |
---|---|
A-Z | Uppercase alphabetic characters |
a-z | Lowercase alphabetic characters |
0-9 | Numbers |
The following table lists examples of inputs and the corresponding encoded outputs.
Input | Output |
---|---|
alert('XSS Attack!'); |
alert\000028\000027XSS\000020Attack\000021\000027\000029\00003B |
user@contoso.com |
user\000040contoso\00002Ecom |
Anti-Cross Site Scripting Namespace |
Anti\00002DCross\000020Site\000020Scripting\000020Namespace |
The CSS character escape sequence consists of a backslash character (\) followed by up to six hexadecimal digits that represent a character code from the ISO 10646 standard. (The ISO 10646 standard is effectively equivalent to Unicode.) Any character other than a hexadecimal digit terminates the escape sequence. If a character that follows the escape sequence is also a valid hexadecimal digit, it must either include six digits in the escape sequence or use a white-space character to terminate the escape sequence. For example, \000020
denotes a space.