Html inside XML. Should I use CDATA or encode the HTML [closed]

The two options are almost exactly the same. Here are your two choices:

<html>This is &lt;b&gt;bold&lt;/b&gt;</html>

<html><![CDATA[This is <b>bold</b>]]></html>

In both cases, you have to check your string for special characters to be escaped. Lots of people pretend that CDATA strings don’t need any escaping, but as you point out, you have to make sure …

How do I bypass the HTML encoding when using Html.ActionLink in Mvc?

It looks like ActionLink always calls HttpUtility.Encode on the link text. You could use UrlHelper to generate the href and build the anchor tag yourself.

<a href="@Url.Action("Posts", …)">More&hellip;</a>

Alternatively you can “decode” the string you pass to ActionLink. Constructing the link in HTML seems to be slightly more readable (to me) – especially in …

Converting HTML entities to Unicode Characters in C#

I recommend using System.Net.WebUtility.HtmlDecode and NOT HttpUtility.HtmlDecode. This is due to the fact that the System.Web reference does not exist in Winforms/WPF/Console applications and you can get the exact same result using this class (which is already added as a reference in all those projects). Usage:

string s = System.Net.WebUtility.HtmlDecode("&eacute;"); // Returns é

C# HTMLDecode without System.Web possible?

Developers who need to use System.Web.HttpUtility in their client apps and had to reference System.Web.dll and therefore target NET4 full (System.Web.dll is in Full), can now target the NET4 Client Profile by using the new System.Net.WebUtility class which is in System.dll (System.dll is in NET4 Client Profile). System.Net.WebUtility includes HtmlEncode and HtmlDecode. Url encoding …

What is the difference between AntiXss.HtmlEncode and HttpUtility.HtmlEncode?

I don’t have an answer specifically to your question, but I would like to point out that the white list vs black list approach is not just “nice”. It’s important. Very important. When it comes to security, every little thing is important. Remember that with cross-site scripting and cross-site request forgery, even if your site …

How to reverse htmlentities()?

If you use htmlentities() to encode, you can use html_entity_decode() to reverse the process:

html_entity_decode()
Convert all HTML entities to their applicable characters.
html_entity_decode() is the opposite of htmlentities() in that it converts all HTML entities in the string to their applicable characters.

e.g.

$myCaption = 'áéí';
//encode
$myCaptionEncoded = htmlentities($myCaption, ENT_QUOTES);
//reverse (decode)
$myCaptionDecoded …

How to remove html special chars? [duplicate]

Either decode them using html_entity_decode or remove them using preg_replace:

$Content = preg_replace("/&#?[a-z0-9]+;/i","",$Content);

(From here)

EDIT: Alternative according to Jacco’s comment might be nice to replace the ‘+’ with {2,8} or something. This will limit the chance of replacing entire sentences when an unencoded ‘&’ is present.

$Content = preg_replace("/&#?[a-z0-9]{2,8};/i","",$Content);