Escape XML string characters in C#
posted on Thursday, July 12, 2007 by bobby @ 1:57 pm
I searched long and hard (that's what she said!) for a native .NET method for escaping special characters in text and didn't get very far. Sure, there's only like 5 special characters, and 5 Replace() calls would probably do the trick, but I'm sure there's got to be something built-in.

To much relief, I've discovered a native method, hidden away in the bowels of the SecurityElement class. Yes, that's right - SecurityElement.Escape(string s) will escape your string and make it XML safe.

Safety first.

Learn yourself here:
http://msdn2.microsoft.com/en-us/library/system.security.securityelement.escape(VS.80).aspx

Comments
posted on Thursday, July 12, 2007  by Scott Muc @ 9:32 PM

Handy link... I've been able to get around the problem by using the XmlTextWriter class which does the escaping for me. Probably using the class you mentioned.
posted on Monday, July 16, 2007  by ee.devfuel.com @ 7:25 PM

Heh. I posted (see website link) on this a bit ago after a similar revelation. It's funny sometimes how hidden the simple stuff seems until I suddenly "find it".
posted on Friday, August 17, 2007  by mel @ 1:19 PM

Nice find!
posted on Monday, August 20, 2007  by Robert @ 3:09 PM

What would be the opposite of this class? I would like to have the XmlTextWriter actually write characters such as '<' and '>' or   Is there a way to tell the XmlTextWriter to allow for these characters when writing an XML file?
posted on Friday, December 28, 2007  by Manthan @ 3:23 PM

What about while reading escape characters from an XML file? I have a string which has "&" in it and it is stored in an XML file. But when I try to read it I am getting an error. Is there a way to avoid it?
posted on Sunday, December 30, 2007  by Lonely ClickBank Affiliate @ 2:22 PM

Thank you. Nice find. It did save me some time!
posted on Tuesday, February 12, 2008  by Daniel Williams @ 4:10 PM

Wow, this is such a useful method that I too am surprised that it does not exist in the XML namespace.
posted on Wednesday, February 20, 2008  by David Ringley @ 6:44 AM

Thanks, saved me loads of work!
posted on Tuesday, February 26, 2008  by Anonymous @ 3:26 PM

Doesn't escape everything... What about '#'?
posted on Monday, March 03, 2008  by Tyler @ 10:12 PM

Thanks for the great find. Now I'm using 3.5 Framework, so I just put it into an extension method like this:

using System;
using System.Security;
namespace MyExtensions
{
  public static class AtraxExtensions
  {
    public static string ToXmlString(this string s)
    {
      return SecurityElement.Escape(s);
    }
  }
}

posted on Monday, March 10, 2008  by Jaweed Sarfraz @ 4:59 AM

using System.Xml;

XmlConvert.EncodeName(string s)

for encoding names

http://msdn2.microsoft.com/en-us/library/35577sxd(VS.80).aspx
posted on Wednesday, March 26, 2008  by frinkfree @ 5:04 PM

Thanks Tyler for the inspiration of extension methods. I took it overboard to write my own naive, brute-force escape/unescape of xml string data:
namespace Company.ExtensionMethods
{
  public static class StringExtensions
  {
    public static string EscapeXml( this string s )
    {
      string xml = s;
      if ( !string.IsNullOrEmpty( xml ) )
      {
        // replace literal values with entities
        xml = xml.Replace( "&", "&amp;" );
        xml = xml.Replace( "&lt;", "&lt;" );
        xml = xml.Replace( "&gt;", "&gt;" );
        xml = xml.Replace( "\"", "&quot;" );
        xml = xml.Replace( "'", "&apos;" );
      }
      return xml;
    }

    public static string UnescapeXml( this string s )
    {
      string unxml = s;
      if ( !string.IsNullOrEmpty( unxml ) )
      {
        // replace entities with literal values
        unxml = unxml.Replace( "&apos;", "'" );
        unxml = unxml.Replace( "&quot;", "\"" );
        unxml = unxml.Replace( "&gt;", "&gt;" );
        unxml = unxml.Replace( "&lt;", "&lt;" );
        unxml = unxml.Replace( "&amp;", "&" );
      }
      return unxml;
    }
  }
}


Now I can take shortcuts like
string xmlData = "<oh & no>".EscapeXml( );
so that xmlData ends up with "&lt;oh &amp; no&gt;".
posted on Friday, March 28, 2008  by bobby @ 8:16 AM

Nice - extensions methods are teh r0x0r. I did the same thing w/ String.Format. Now it's

"blah blah {0} blah".Fmt(data);
posted on Tuesday, April 08, 2008  by djmicu @ 11:39 AM

thanks so much frinkfree - i used just part of that code and it's working beautifully. I'm not a c# programmer, so this is great. thanks again!
posted on Sunday, April 27, 2008  by sohbet @ 1:03 PM

Nice - extensions methods are teh r0x0r. I did the same thing w/ String.Format. Now it's
posted on Tuesday, May 06, 2008  by Sukant @ 10:57 PM

Hi,

The above link has solved the problems to build xml file.
posted on Wednesday, May 07, 2008  by Anonymous @ 1:32 PM

Thanks for sharing. Helped me solve the problem at hand.
posted on Wednesday, May 14, 2008  by wojciech @ 8:30 AM

yes! safety first
:D

was googling for that, thanks
posted on Monday, June 16, 2008  by Clintp @ 11:55 AM

Beware of XmlConvert.EncodeName() ! It doesn't do what you think it does.

It encodes XML *names* not entity data. So "1235" gets encoded as "_x0031_235" or somesuch nonsense.
posted on Friday, June 20, 2008  by Pradeep @ 1:53 AM

pls help me in the following:

string txt = "dt '0'"; //note that there are 2 Quotes before and after the 0

string SQL = "Insert into Tabl(no, Qry) values('1','" + txt + "');";

// when i tried to execute the above SQL statement it Displayed an Error
// saying that incorrect syntax,.. due to the Quote before and after the 0,.
// but i want to save the txt into the Column along with the Quote,.
//what should i Do ??


Pls help me
posted on Monday, September 22, 2008  by pavigeant @ 7:07 AM

In answer to Pradeep,

Never build a SQL query using string concatenation. Use Parameters. If you use SQL Server, use a SqlParameter.

When using string and XML data in SQL Server, you don't have to escape anything if you use parameters.


SqlCommand command = new SqlCommand("Insert into Tabl(no, Qry) values(@No, @Qry);", yourConnectionObjectGoesHere);
command.Parameters.AddWithValue("@No", 1);
command.Parameters.AddWithValue("@Qry", txt);
command.ExecuteNonQuery();
posted on Monday, September 22, 2008  by Tatil @ 7:21 AM

Thanks for sharing. Helped me solve the problem at hand.
posted on Thursday, December 11, 2008  by John F Kidd @ 4:40 AM

It doesn't escape { } characters
posted on Friday, January 23, 2009  by Anonymous @ 11:10 PM

I am using the following statement in my code:

XMLTextWriter.WriteAttributeString("url","https:\\one.com\first.ol&new=1");

Now in the resulting XML file, the url attribute has & amp; instead of the & character in the url which makes the url invalid.

< Attribute url="https:\\one.com\first.ol& amp;new=1" />

How do I avoid this default behaviour of the XMLTextWriter class? Thanks in advance.
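
Added example (not part of the original thread): inside an XML attribute a literal & has to be written as &amp;, and a parser hands the original character back, so the writer's output is what a consumer needs. The same code shows the two failure modes raised in this thread: escaping by hand before handing the value to a writer, and a raw & in the file. The URL, class name and helper names are constructed for illustration.

```csharp
using System;
using System.Security;
using System.Text;
using System.Xml;

static class XmlEscapeRoundTrip
{
    // Constructed sample value: a URL with a query-string ampersand.
    const string Url = "https://one.example/first.ol?a=1&new=1";

    // Serialise one element with a single "url" attribute.
    static string Write(string attrValue)
    {
        var sb = new StringBuilder();
        var settings = new XmlWriterSettings { OmitXmlDeclaration = true };
        using (XmlWriter w = XmlWriter.Create(sb, settings))
        {
            w.WriteStartElement("Attribute");
            w.WriteAttributeString("url", attrValue); // the writer escapes the value itself
            w.WriteEndElement();
        }
        return sb.ToString();
    }

    // Parse the XML and return the attribute as a consumer would see it.
    static string ReadUrl(string xml)
    {
        var doc = new XmlDocument();
        doc.LoadXml(xml);                               // throws XmlException if not well-formed
        return doc.DocumentElement.GetAttribute("url"); // entities are resolved by the parser
    }

    static void Main()
    {
        string xml = Write(Url);
        Console.WriteLine(xml);                          // serialised form, with the entity
        Console.WriteLine(ReadUrl(xml) == Url);          // round trip through a parser

        // Escaping by hand and then passing the result to the writer escapes twice,
        // so the value read back is no longer the original URL.
        string twice = Write(SecurityElement.Escape(Url));
        Console.WriteLine(ReadUrl(twice) == Url);

        // A raw '&' in the file is not well-formed XML and is rejected on read.
        try { ReadUrl("<Attribute url=\"" + Url + "\" />"); }
        catch (XmlException e) { Console.WriteLine("rejected: " + e.Message); }
    }
}
```

SecurityElement.Escape is for text that is concatenated into markup by hand; values passed to XmlWriter or XmlTextWriter should be passed unescaped.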
posted on Tuesday, March 03, 2009  by Anonymous @ 6:38 AM

Thanks!
I remembered that there is a native method like this, but couldn't find it.
posted on Sunday, May 10, 2009  by James @ 3:17 AM

I love you! Thanks very much, very useful - first programmer I've heard of with a sense of humour too!
posted on Tuesday, May 12, 2009  by Keith @ 7:53 PM

You sir, are a god. I give you my thanks :)
posted on Wednesday, May 27, 2009  by ??? @ 5:52 AM

I love you!
posted on Monday, June 15, 2009  by ??? @ 2:01 AM

thanks
posted on Wednesday, July 01, 2009  by Anonymous @ 9:04 PM

You can also use Regex.Escape() or Regex.UnEscape()
posted on Wednesday, December 16, 2009  by Anonymous @ 8:43 AM

If anyone needs to use frinkfree's wonderfully simple escape/unescape method, make sure you fix the greater-than and less-than characters.

I'm pretty sure the message board escaped them when he posted the method to the board. How oddly ironic.
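
Added example (not frinkfree's code and not part of the original thread): the five replacements with the literal < and > restored, plus a check of why the order of the replacements matters. The class name, the deliberately wrong UnescapeAmpFirst helper and the sample string are constructed for illustration.

```csharp
using System;

static class XmlEntityOrder
{
    // Escape: '&' goes first, otherwise the '&' of the entities produced
    // by the later replacements would itself be escaped again.
    public static string EscapeXml(string s)
    {
        if (string.IsNullOrEmpty(s)) return s;
        return s.Replace("&", "&amp;")
                .Replace("<", "&lt;")
                .Replace(">", "&gt;")
                .Replace("\"", "&quot;")
                .Replace("'", "&apos;");
    }

    // Unescape: "&amp;" goes last, for the mirror-image reason.
    public static string UnescapeXml(string s)
    {
        if (string.IsNullOrEmpty(s)) return s;
        return s.Replace("&apos;", "'")
                .Replace("&quot;", "\"")
                .Replace("&gt;", ">")
                .Replace("&lt;", "<")
                .Replace("&amp;", "&");
    }

    // Deliberately wrong order, kept only for comparison.
    static string UnescapeAmpFirst(string s)
    {
        return s.Replace("&amp;", "&").Replace("&lt;", "<").Replace("&gt;", ">");
    }

    static void Main()
    {
        // Constructed input: text that already contains the characters "&lt;".
        string original = "use &lt; for <";
        string escaped = EscapeXml(original);

        Console.WriteLine(escaped);
        Console.WriteLine(UnescapeXml(escaped) == original);      // correct order round-trips
        Console.WriteLine(UnescapeAmpFirst(escaped) == original); // wrong order does not
    }
}
```

A hand-written unescape like this only knows the five named entities; numeric character references such as &#38; are resolved only by a real XML parser.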
posted on Monday, January 04, 2010  by dave @ 7:26 AM

Genius. Irony at its best.
posted on Tuesday, January 12, 2010  by rules to play casino craps @ 3:28 AM

The thing is, that I personally like my variables aligned, i.e. their names beginning at the same column. For this I use Tabs. So, it would be nice, if your Add-In was capable of parsing field definitions correctly despite that Tabs, and not Spaces, is used as white-characters.
posted on Sunday, February 21, 2010  by Shaik @ 9:28 PM

Nice found. No need to go for custom string.Replace or some other implementation. Really reduced work. Keep coming with new things.
posted on Friday, March 05, 2010  by Leon @ 6:16 AM

For those that don't have Reflector, here is the code for SecurityElement.Escape

s_tagIllegalCharacters = new char[] { ' ', '<', '>' };
s_textIllegalCharacters = new char[] { '<', '>' };
s_valueIllegalCharacters = new char[] { '<', '>', '"' };
s_escapeStringPairs = new string[] { "<", "&lt;", ">", "&gt;", "\"", "&quot;", "'", "&apos;", "&", "&amp;" };
s_escapeChars = new char[] { '<', '>', '"', '\'', '&' };


public static string Escape(string str)
{
    if (str == null)
    {
        return null;
    }
    StringBuilder builder = null;
    int length = str.Length;
    int startIndex = 0;
    while (true)
    {
        int num2 = str.IndexOfAny(s_escapeChars, startIndex);
        if (num2 == -1)
        {
            if (builder == null)
            {
                return str;
            }
            builder.Append(str, startIndex, length - startIndex);
            return builder.ToString();
        }
        if (builder == null)
        {
            builder = new StringBuilder();
        }
        builder.Append(str, startIndex, num2 - startIndex);
        builder.Append(GetEscapeSequence(str[num2]));
        startIndex = num2 + 1;
    }
}


About Meeself
People call me Bobby DeRosa
I live somewhere in San Diego, CA
MCSD, MCAD, MCP
