Try it yourself with our free Html Entity Encoder tool — runs entirely in your browser, no signup needed.

How to HTML encode in C#

How to HTML Encode in C#

HTML encoding is the process of converting special characters in a string to their corresponding HTML entities, ensuring that the string can be safely displayed in an HTML document without causing any parsing errors. In C#, HTML encoding is crucial when working with user-input data, as it prevents cross-site scripting (XSS) attacks and ensures that your application remains secure.

Quick Example

using System.Web;

public class HtmlEncoder
{
    public static string HtmlEncode(string input)
    {
        if (input == null) return string.Empty;
        return HttpUtility.HtmlEncode(input);
    }
}

// Usage:
string userInput = "<script>alert('XSS')</script>";
string encodedInput = HtmlEncoder.HtmlEncode(userInput);
Console.WriteLine(encodedInput); // Output: &lt;script&gt;alert(&#x27;XSS&#x27;)&lt;/script&gt;

This code uses the HttpUtility.HtmlEncode method to encode the input string, replacing special characters with their corresponding HTML entities.

Step-by-Step Breakdown

Let's walk through the code line by line:

  • using System.Web;: This line imports the System.Web namespace, which contains the HttpUtility class used for HTML encoding.
  • public class HtmlEncoder: This line defines a new class called HtmlEncoder, which will contain the HtmlEncode method.
  • public static string HtmlEncode(string input): This line defines the HtmlEncode method, which takes a string input and returns the encoded string.
  • if (input == null) return string.Empty;: This line checks if the input is null, and if so, returns an empty string. This is a defensive programming technique to prevent null reference exceptions.
  • return HttpUtility.HtmlEncode(input);: This line uses the HttpUtility.HtmlEncode method to encode the input string and returns the result.

Handling Edge Cases

Empty/Null Input

As shown in the previous example, we handle null input by returning an empty string.

string input = null;
string encodedInput = HtmlEncoder.HtmlEncode(input);
Console.WriteLine(encodedInput); // Output: ""

Invalid Input

HttpUtility.HtmlEncode will throw an ArgumentNullException if the input is null. We've already handled this case by returning an empty string.

try
{
    string input = null;
    string encodedInput = HttpUtility.HtmlEncode(input);
}
catch (ArgumentNullException ex)
{
    Console.WriteLine(ex.Message);
}

Large Input

HttpUtility.HtmlEncode can handle large input strings without any issues. However, if you're working with extremely large strings, you may want to consider using a streaming approach to avoid memory issues.

string largeInput = new string('a', 1000000);
string encodedInput = HtmlEncoder.HtmlEncode(largeInput);

Unicode/Special Characters

HttpUtility.HtmlEncode correctly handles Unicode characters and special characters.

string input = "Hello, Sérgio!";
string encodedInput = HtmlEncoder.HtmlEncode(input);
Console.WriteLine(encodedInput); // Output: Hello, S&#233;rgio!

Common Mistakes

Mistake 1: Not Handling Null Input

// WRONG
public static string HtmlEncode(string input)
{
    return HttpUtility.HtmlEncode(input);
}

// CORRECT
public static string HtmlEncode(string input)
{
    if (input == null) return string.Empty;
    return HttpUtility.HtmlEncode(input);
}

Mistake 2: Using the Wrong Encoding Method

// WRONG
public static string HtmlEncode(string input)
{
    return input.Replace("<", "&lt;").Replace(">", "&gt;");
}

// CORRECT
public static string HtmlEncode(string input)
{
    return HttpUtility.HtmlEncode(input);
}

Mistake 3: Not Using the System.Web Namespace

// WRONG
public class HtmlEncoder
{
    public static string HtmlEncode(string input)
    {
        return HttpUtility.HtmlEncode(input);
    }
}

// CORRECT
using System.Web;

public class HtmlEncoder
{
    public static string HtmlEncode(string input)
    {
        return HttpUtility.HtmlEncode(input);
    }
}

Performance Tips

  1. Use HttpUtility.HtmlEncode instead of manual replacement: HttpUtility.HtmlEncode is optimized for performance and handles all special characters correctly.
  2. Avoid unnecessary encoding: Only encode strings that will be displayed in an HTML document.
  3. Use caching: If you're encoding the same strings repeatedly, consider caching the results to improve performance.

FAQ

Q: What is HTML encoding?

A: HTML encoding is the process of converting special characters in a string to their corresponding HTML entities.

Q: Why is HTML encoding important?

A: HTML encoding prevents cross-site scripting (XSS) attacks and ensures that your application remains secure.

Q: What is the difference between HttpUtility.HtmlEncode and HttpUtility.UrlEncode?

A: HttpUtility.HtmlEncode is used for encoding HTML, while HttpUtility.UrlEncode is used for encoding URLs.

Q: Can I use HttpUtility.HtmlEncode for encoding JSON data?

A: No, HttpUtility.HtmlEncode is specifically designed for HTML encoding and should not be used for encoding JSON data.

Q: How do I install the System.Web namespace?

A: You can install the System.Web namespace by running the following command in the NuGet Package Manager Console: Install-Package System.Web

Related Resources

Html Entity Encoder

Use the interactive html entity encoder tool

More Html Entity Encoder Examples

See all languages and use cases

All Code Examples

Browse examples for every language and use case

All Developer Tools

50+ free online developer tools

AI agent tools available. The CodeTidy MCP Server gives Claude, Cursor, and other AI agents access to 60+ developer tools. One command: npx @codetidy/mcp