ASP.NET Server.HtmlEncode Limitations - asp.net

I'm using Server.HTMLEncode to encode my HTML.
I notice it doesn't escape single quotes, which is a limitation if you're using single quotes in your HTML, e.g.
<input type='text' .... />
(I've checked this is valid XHTML).
Are there any other limitations or things to note about Server.HTMLEncode, in particular any characters that are not valid XHTML that this method doesn't deal with?

MSDN says Server.HTMLEncode only does the following:
The less-than character (<) is converted to &lt;.
The greater-than character (>) is converted to &gt;.
The ampersand character (&) is converted to &amp;.
The double-quote character (") is converted to &quot;.
Any ASCII code character whose code is greater than or equal to 0x80 is converted to &#<number>;, where number is the ASCII character value.

To include single quote encoding, I use (in VB.Net):
Server.HTMLEncode("Here's a string with a single quote").Replace("'", "&#39;")

I've tested HtmlEncode against all the character codes listed here: http://www.ascii.cl/htmlcodes.htm
It appears it escapes most characters, and those that it doesn't escape don't break XHTML compliance.

HTML Encode should ensure all non-HTML compliant characters in a string are converted to their equivalent entity. As you discovered, single quotes etc. are perfectly valid in (X)HTML and do not require encoding. You could use UrlEncode/UrlDecode if you require this, or roll your own function using Replace.

I came here searching for the same answer. In my case the solution was to actually... use double quotes in your surrounding HTML.

Related

How to parse ">" which is not tag [duplicate]

What characters must be escaped in XML documents, or where could I find such a list?
If you use an appropriate class or library, they will do the escaping for you. Many XML issues are caused by string concatenation.
XML escape characters
There are only five:
"  &quot;
'  &apos;
<  &lt;
>  &gt;
&  &amp;
Escaping characters depends on where the special character is used.
The examples can be validated at the W3C Markup Validation Service.
Text
The safe way is to escape all five characters in text. However, the three characters ", ' and > needn't be escaped in text:
<?xml version="1.0"?>
<valid>"'></valid>
Attributes
The safe way is to escape all five characters in attributes. However, the > character needn't be escaped in attributes:
<?xml version="1.0"?>
<valid attribute=">"/>
The ' character needn't be escaped in attributes if the quotes are ":
<?xml version="1.0"?>
<valid attribute="'"/>
Likewise, the " needn't be escaped in attributes if the quotes are ':
<?xml version="1.0"?>
<valid attribute='"'/>
Comments
All five special characters must not be escaped in comments:
<?xml version="1.0"?>
<valid>
<!-- "'<>& -->
</valid>
CDATA
All five special characters must not be escaped in CDATA sections:
<?xml version="1.0"?>
<valid>
<![CDATA["'<>&]]>
</valid>
Processing instructions
All five special characters must not be escaped in XML processing instructions:
<?xml version="1.0"?>
<?process <"'&> ?>
<valid/>
XML vs. HTML
HTML has its own set of escape codes which cover a lot more characters.
Perhaps this will help:
List of XML and HTML character entity references:
In SGML, HTML and XML documents, the logical constructs known as character data and attribute values consist of sequences of characters, in which each character can manifest directly (representing itself), or can be represented by a series of characters called a character reference, of which there are two types: a numeric character reference and a character entity reference. This article lists the character entity references that are valid in HTML and XML documents.
That article lists the following five predefined XML entities:
quot  "  &quot;
amp   &  &amp;
apos  '  &apos;
lt    <  &lt;
gt    >  &gt;
According to the specifications of the World Wide Web Consortium (W3C), there are 5 characters that must not appear in their literal form in an XML document, except when used as markup delimiters or within a comment, a processing instruction, or a CDATA section. In all the other cases, these characters must be replaced either using the corresponding entity or the numeric reference according to the following table:
Original character   XML entity replacement   XML numeric replacement
<                    &lt;                     &#60;
>                    &gt;                     &#62;
"                    &quot;                   &#34;
&                    &amp;                    &#38;
'                    &apos;                   &#39;
Notice that the aforementioned entities can be used also in HTML, with the exception of &apos;, that was introduced with XHTML 1.0 and is not declared in HTML 4. For this reason, and to ensure retro-compatibility, the XHTML specification recommends the use of &#39; instead.
New, simplified answer to an old, commonly asked question...
Simplified XML Escaping (prioritized, 100% complete)
Always (90% important to remember)
Escape < as &lt; unless < is starting a <tag/> or other markup.
Escape & as &amp; unless & is starting an &entity;.
Attribute Values (9% important to remember)
attr=" 'Single quotes' are ok within double quotes."
attr=' "Double quotes" are ok within single quotes.'
Escape " as &quot; and ' as &apos; otherwise.
Comments, CDATA, and Processing Instructions (0.9% important to remember)
<!-- Within comments --> nothing has to be escaped but no -- strings are allowed.
<![CDATA[ Within CDATA ]]> nothing has to be escaped, but no ]]> strings are allowed.
<?PITarget Within PIs ?> nothing has to be escaped, but no ?> strings are allowed.
Esoterica (0.1% important to remember)
Escape control codes in XML 1.1 via Base64 or Numeric Character References.
Escape ]]> as ]]&gt; unless ]]> is ending a CDATA section. (This rule applies to character data in general – even outside a CDATA section.)
Escaping characters is different for tags and attributes.
For tags:
<  &lt;
>  &gt; (only for compatibility, read below)
&  &amp;
For attributes:
"  &quot;
'  &apos;
From Character Data and Markup:
The ampersand character (&) and the left angle bracket (<) must not appear in their literal form, except when used as markup delimiters, or within a comment, a processing instruction, or a CDATA section. If they are needed elsewhere, they must be escaped using either numeric character references or the strings "&amp;" and "&lt;" respectively. The right angle bracket (>) may be represented using the string "&gt;", and must, for compatibility, be escaped using either "&gt;" or a character reference when it appears in the string "]]>" in content, when that string is not marking the end of a CDATA section.
To allow attribute values to contain both single and double quotes, the apostrophe or single-quote character (') may be represented as "&apos;", and the double-quote character (") as "&quot;".
In addition to the commonly known five characters [<, >, &, ", and '], I would also escape the vertical tab character (0x0B). It is valid UTF-8, but not valid XML 1.0, and even many libraries (including the highly portable (ANSI C) library libxml2) miss it and silently output invalid XML.
Abridged from: XML, Escaping
There are five predefined entities:
&lt; represents "<"
&gt; represents ">"
&amp; represents "&"
&apos; represents '
&quot; represents "
"All permitted Unicode characters may be represented with a numeric character reference." For example:
&#20013; (中)
Most of the control characters and other Unicode ranges are specifically excluded, meaning (I think) they can't occur either escaped or direct:
Valid characters in XML
The accepted answer is not correct. Best is to use a library for escaping xml.
As mentioned in this other question
"Basically, the control characters and characters out of the Unicode ranges are not allowed. This means also that calling for example the character entity is forbidden."
If you only escape the five characters, you can have problems like "An invalid XML character (Unicode: 0xc) was found".
It depends on the context. For the content, it is < and &, and ]]> (though a string of three instead of one character).
For attribute values, it is <, &, ", and '.
For CDATA, it is ]]>.
Only < and & are required to be escaped if they are to be treated character data and not markup:
2.4 Character Data and Markup
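As an added example that is not part of any of the answers above, the following Python escapes text and attribute values for either quote style (covering the single quote that Server.HtmlEncode leaves alone and the five XML characters listed above), rejects the C0 control characters XML 1.0 forbids, and parses its own output back to confirm the value survives; all function names are my own.

```python
import re
import xml.etree.ElementTree as ET

# XML 1.0 forbids these even as numeric references: C0 controls other than
# tab, LF and CR (so the vertical tab 0x0B and form feed 0x0C are out).
_ILLEGAL_XML10 = re.compile(r"[\x00-\x08\x0B\x0C\x0E-\x1F]")

def is_valid_xml10_text(s: str) -> bool:
    return _ILLEGAL_XML10.search(s) is None

def escape_text(s: str) -> str:
    """Character data: only & and < are required; ]]> is escaped for compatibility."""
    return s.replace("&", "&amp;").replace("<", "&lt;").replace("]]>", "]]&gt;")

def escape_attr(s: str, quote: str = '"') -> str:
    """Attribute value for the given surrounding quote. Unlike Server.HtmlEncode
    this also escapes the single quote, so attr='...' cannot be closed early."""
    if quote not in ('"', "'"):
        raise ValueError("quote must be \" or '")
    if not is_valid_xml10_text(s):
        raise ValueError("value contains a character XML 1.0 does not allow")
    s = s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
    # &#39; rather than &apos; because &apos; is not declared in HTML 4.
    return s.replace('"', "&quot;").replace("'", "&#39;")

def attribute_round_trips(value: str, quote: str) -> bool:
    """Build attr=<quote>...<quote>, parse it back, confirm the original value is recovered."""
    doc = f"<e attr={quote}{escape_attr(value, quote)}{quote}/>"
    return ET.fromstring(doc).get("attr") == value

def htmlencode_like(s: str) -> str:
    """What MSDN documents for Server.HtmlEncode: <, >, &, " only; no single quote."""
    return (s.replace("&", "&amp;").replace("<", "&lt;")
             .replace(">", "&gt;").replace('"', "&quot;"))

def attributes_seen_with_htmlencode(value: str) -> int:
    """Number of attributes a parser finds when HtmlEncode-style output sits in attr='...'."""
    doc = f"<e attr='{htmlencode_like(value)}'/>"
    return len(ET.fromstring(doc).attrib)

if __name__ == "__main__":
    # Constructed sample: a value holding a single quote, placed in a single-quoted attribute.
    sample = "' extra='1"
    print(attributes_seen_with_htmlencode(sample))   # 2: the value closed the attribute
    print(attribute_round_trips(sample, "'"))        # True with full escaping
```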

Why do URL parameters use %-encoding instead of a simple escape character

For example, in Unix, a backslash (\) is a common escape character. So to escape a full stop (.) in a regular expression, one does this:
\.
But with % encoding URL parameters, we have an escape character, %, and a control code, so an ampersand (&) doesn't become:
%&
Instead, it becomes:
%26
Any reason why? Seems to just make things more complicated, on the face of it, when we could just have one escape character and a mechanism to escape itself where necessary:
%%
Then it'd be:
simpler to remember; we just need to know which characters to escape, not which to escape and what to escape them to
encoding-agnostic, as we wouldn't be sending an ASCII or Unicode representation explicitly, we'd just be sending them in the encoding the rest of the URL is going in
easy to write an encoder: s/[!\*'();:#&=+$,/?#\[\] "%-\.<>\\^_`{|}~]/%&/g (untested!)
better because we could switch to using \ as an escape character, and life would be simpler and it'd be summer all year long
I might be getting carried away now. Someone shoot me down? :)
EDIT: replaced two uses of "delimiter" with "escape character".
Percent encoding happens not only to escape delimiters, but also so that you can transport bytes that are not allowed inside URIs (such as control characters or non-ASCII characters).
I guess it's because the URL specification, and specifically the HTTP part of it, only allows certain characters, so to escape those one must replace them with characters that are allowed.
Also, some allowed characters have special meanings, like & and ?, so replacing them with a control code seems the only way to solve it.
If you find it hard to recognize them, bookmark this page
http://www.w3schools.com/tags/ref_urlencode.asp
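Added example, not from the question or any answer: a byte-oriented percent-encoder and decoder in Python showing why %XX works on bytes rather than on characters, so one rule carries an ampersand as %26, a literal percent as %25 and non-ASCII text as its UTF-8 bytes. The function names are assumptions of mine.

```python
# RFC 3986 "unreserved" bytes may appear literally; everything else becomes %XX.
UNRESERVED = frozenset(b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~")
HEX = "0123456789abcdefABCDEF"

def pct_encode(value: str, encoding: str = "utf-8") -> str:
    """Encode a query-component value byte by byte. Working on bytes is what lets one
    rule carry '&' (%26), '%' itself (%25) and non-ASCII text (its UTF-8 bytes)."""
    return "".join(chr(b) if b in UNRESERVED else "%%%02X" % b
                   for b in value.encode(encoding))

def pct_decode(text: str, encoding: str = "utf-8") -> str:
    """Reverse of pct_encode; rejects truncated or non-hex escapes instead of guessing."""
    out = bytearray()
    i = 0
    while i < len(text):
        if text[i] == "%":
            pair = text[i + 1:i + 3]
            if len(pair) != 2 or not all(c in HEX for c in pair):
                raise ValueError(f"bad percent escape at offset {i}")
            out.append(int(pair, 16))
            i += 3
        else:
            out.extend(text[i].encode(encoding))
            i += 1
    return out.decode(encoding)

def build_query(params: dict) -> str:
    """Encode each key and value separately, so a literal '&' or '=' in a value
    cannot be mistaken for the delimiters that join the pairs."""
    return "&".join(f"{pct_encode(k)}={pct_encode(v)}" for k, v in params.items())

def parse_query(query: str) -> dict:
    result = {}
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        result[pct_decode(key)] = pct_decode(value)
    return result

if __name__ == "__main__":
    # Constructed sample: a value containing the delimiter itself and a non-ASCII letter.
    q = build_query({"q": "fish & chips", "city": "Zürich"})
    print(q)               # q=fish%20%26%20chips&city=Z%C3%BCrich
    print(parse_query(q))
```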

ConfigurationManager.AppSettings convert "\n" to "\\n" why?

I have an AppSetting in web.config:
<add key="key" value="\n|\r"/>
When I read it by ConfigurationManager.AppSettings["key"] it gives "\\n|\\r".
Why?
In the debugger, because the backslash is a special character used for things like tabs (\t) and line endings (\n), it has to be escaped by the use of another backslash. Hence any text that contains an actual \ will be displayed as \\. If you print it out to a file or use it in any other way, you will find your string only contains the one \.
This isn't ConfigurationManager doing anything.
The backslash escaping syntax is only recognized inside of string literals by the C# compiler. Since your string is being read from an XML file at runtime, you need to use XML-compatible escaping (character entities) in order to include those characters in your string. Thus, your app settings entry should look like the following:
<add key="key" value="&#10;|&#13;"/>
Because 10 and 13 are the hex values for linefeed and carriage return, respectively.
Like cjk said, the extra slash is being inserted by the debugger to indicate that it is seeing a literal slash and not an escape sequence.
I solved the same problem with a string replacement.
Not beautiful, but it works!
ConfigurationManager.AppSettings["Key"].Replace("\\n", "\n")
string str = "\n";   // means \n
string str1 = @"\n"; // means \\n
From the AppSettings, it seems that when you extract the key's value, @ is internally wrapped. It is done by the compiler, not the runtime.

# in Regular Expression

I created a register form in ASP.NET, and I want to validate Name. It should not include special characters, especially the '#' character. I used a regular expression validator and wrote ^[A-Za-z0-9.'-_\s]+$ in ValidationExpression. It is OK for special characters except the '#' character. How do I correct the regexp? Please help me.
'-_ means every character between ' and _, which includes a large number of characters.
You should escape the - by writing \-.

Regex to test if an input string contains a certain number of characters

So, I basically would like to test to see if a string contains a range of alphanumeric characters. It's to be used as a client-side validation and I don't want to prevent users from entering whatever they want. Best to give examples of what should/should not pass validation:
So to be specific, the expression I'm looking for is to test to make sure string contains anywhere from 3 to 10 alphanumeric characters. I'd like to plug into an ASP.NET client side validator.
NOTE: quotes not part of input (but could be!)
" f o o " should pass since there are 3 chars
"f_0_0" should pass
" fo " should not
"F......o......o......b.....a......r" should pass
thx
^([^a-zA-Z0-9]*[a-zA-Z0-9][^a-zA-Z0-9]*){3,10}$
Allows for exactly 3-10 alphanumeric characters, each surrounded by an arbitrary number of non-alphanumeric characters.
(Untested, but it should conform to the JScript subset of the standard .net Regex syntax, as required by the RegularExpressionValidator. Unfortunately, the shorthands \w and \W cannot be used since they include the underscore as an alphanumeric character.)
I'm not familiar with ASP.NET client-side validators, so I'm not sure if you need to do this in a regex, but potentially an easy solution is as follows:
Remove all non-alphanumeric characters (regex replace [^0-9A-Za-z] with nothing).
Check if string length is 3 or greater.
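Added example, not from either thread, checking both regexes above with Python's re module: the unescaped hyphen in the Name pattern turns '-_ into a range that admits punctuation the asker never intended, and the {3,10} pattern is run over the samples given in the second question. The names are my own.

```python
import re

# The asker's pattern: inside [...] an unescaped hyphen makes '-_ a range, here
# 0x27..0x5F, which sweeps in ( ) * + , / : ; < = > ? @ [ \ ] ^ and more.
NAME_RANGE_BUG = re.compile(r"^[A-Za-z0-9.'-_\s]+$")
# The fix from the answer: escape the hyphen so it is a literal character.
NAME_FIXED = re.compile(r"^[A-Za-z0-9.'\-_\s]+$")

def punctuation_admitted(pattern: re.Pattern) -> str:
    """Every printable ASCII punctuation character the allowlist accepts, in code order."""
    return "".join(chr(c) for c in range(0x21, 0x7F)
                   if not chr(c).isalnum() and pattern.fullmatch(chr(c)))

# The {3,10} pattern from the second question: each group holds exactly one
# alphanumeric, padded by any run of non-alphanumerics, repeated 3 to 10 times.
ALNUM_3_TO_10 = re.compile(r"^([^a-zA-Z0-9]*[a-zA-Z0-9][^a-zA-Z0-9]*){3,10}$")

def has_3_to_10_alnum(s: str) -> bool:
    return ALNUM_3_TO_10.fullmatch(s) is not None

def alnum_count(s: str) -> int:
    """The non-regex route suggested in the last answer: strip, then measure."""
    return len(re.sub(r"[^0-9A-Za-z]", "", s))

if __name__ == "__main__":
    print(punctuation_admitted(NAME_RANGE_BUG))  # far more than . ' - _
    print(punctuation_admitted(NAME_FIXED))      # '-._
    for sample in (" f o o ", "f_0_0", " fo ", "F......o......o......b.....a......r"):
        print(repr(sample), has_3_to_10_alnum(sample), alnum_count(sample))
```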
