Html attributes, single quote and HtmlAttributeEncode

September 11, 2007

When you develop your own custom controls do not forget that HtmlAttributeEncode method DOES NOT encode single quote.

MSDN says:

The string result from the HtmlAttributeEncode method should be used only for double-quoted attributes. Security issues might arise when using the HtmlAttributeEncode method with single-quoted attributes.

So you should use double quotes

Entry Filed under: .net, asp.net, tip. .

Some HTML allowed:
<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <pre> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

Trackback this post | Subscribe to the comments via RSS Feed

Calendar

September 2007
M	T	W	T	F	S	S
« Aug		Oct »
	1	2
3	4	5	6	7	8	9
10	11	12	13	14	15	16
17	18	19	20	21	22	23
24	25	26	27	28	29	30

Most Recent Posts

osCommerce 2.2 RC2 Windows (Win32) and mail 501 5.5.4 Invalid Address
Crystal Reports for Visual Studio 2003 and text cut/truncation in fields
App_Data, App_Code and other App_* folder protection magic
CentOS 5, PHP, GD2 library
Internet Explorer (IE) ignores white-space: nowrap on table's TD
Code Coverage with TestDriven.Net in Visual Studio 2003
Html attributes, single quote and HtmlAttributeEncode
New Lightweight Dependency Injection Framework for .NET - Ninject
Little-known C# 2.0 operator - ??
Links For Continuous Learners

Gramotei’s Weblog